I have already given you an example. You can see it if you closely read my
first reply to this thread. Ansible vault works the same way for both
ansible-playbook and the ansible command. Whatever is documented for
ansible-playbook also works with ansible ad hoc if you use vault. You have
to spend some time to learn it. Everything is documented well.
Here is the step-by-step example:
1). Create a directory group_vars
# mkdir -p /etc/ansible/group_vars
2). Create a variable file with your server user name and password. Please
note this is the username and password which your ansible ad hoc command is
going to use to log in to your target machine.
# vim /etc/ansible/group_vars/myservers.yml
---
ansible_user: root
ansible_ssh_pass: toor
Save the file with the above two variables. You have to change them to your
target machine username and password.
3). My sample file looks like below after step 2.
# cat /etc/ansible/group_vars/myservers.yml
---
ansible_user: root
ansible_ssh_pass: toor
4). Encrypt the /etc/ansible/group_vars/myservers.yml file.
The ansible-vault command will prompt you for a password twice (a second
time to confirm the first). Once that's done, the file will be encrypted!
If you edit the file directly, you'll just see encrypted text.
# ansible-vault encrypt /etc/ansible/group_vars/myservers.yml
New Vault password:
Confirm New Vault password:
Encryption successful
NOTE: You have to use this password with the ansible ad hoc command. In my
case I used ‘test123’ as the password.
5). You will need to make inventory files for Ansible. An inventory file
lists hosts which you would like to manage and the groups they belong to.
I’ve created inventory file called ‘myhostfile’
# vim /etc/ansible/myhostfile
[myserver]
localhost
NOTE: Here ‘myserver’ is the group name and I have only one host, which is my
local machine. You need to change localhost to your target machine hostname
or IP address. If you look closely, my group name is ‘myserver’ and the vault
file under the group_vars directory is also the same.
6). Now run your ansible ad hoc command. Here is one ad hoc command which
will create a file /tmp/hello on the target machine.
# ansible -i /etc/ansible/myhostfile myservers -m file -a "dest=/tmp/hello mode=755 state=directory" -u root --ask-vault-pass
Vault password:
localhost | SUCCESS => {
"changed": false,
"gid": 0,
"group": "root",
"mode": "0755",
"owner": "root",
"path": "/tmp/hello",
"secontext": "unconfined_u:object_r:user_tmp_t:s0",
"size": 6,
"state": "directory",
"uid": 0
}
NOTE: I used --ask-vault-pass, which will prompt you for the vault password.
In my case it is ‘test123’, which I used to decrypt the file. Please refer to
step 4. You can also save the password in a file and pass it with
--vault-password-file.
Hope it helps you. If you still have a problem then you have to send more
details about what exactly you are doing.
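
An added example, not part of the original message and not Ansible project code: a POSIX shell check for the two things this thread turns on, namely that each group_vars file is named after an inventory group and is vault-encrypted when it sets a connection password, and that the file given to --vault-password-file holds the vault password itself rather than being a vault file. The function names are hypothetical and the sample files are constructed, reusing the file names that appear in the thread; only `*.yml` files directly under group_vars are considered.

```shell
# Added example: function names and sample files are constructed for illustration.

# True if FILE starts with the ansible-vault header.
is_vault_encrypted() {
    _first=""
    IFS= read -r _first < "$1" || true
    case "$_first" in '$ANSIBLE_VAULT;'*) return 0 ;; *) return 1 ;; esac
}

# Print the group names ([name] headers) of an INI inventory, one per line.
inventory_groups() {
    sed -n 's/^\[\([^]:]*\)\(:[a-z]*\)\{0,1\}][[:space:]]*$/\1/p' "$1" | sort -u
}

# Each group_vars/*.yml must be named after an inventory group (or "all") and be
# vault-encrypted if it sets a password. Prints findings; returns 1 if any.
audit_group_vars() {
    _bad=0
    for _f in "$2"/*.yml; do
        [ -e "$_f" ] || continue
        _name=$(basename "$_f" .yml)
        if [ "$_name" != all ] && ! inventory_groups "$1" | grep -qxF -- "$_name"; then
            echo "NOGROUP $_name"; _bad=1
        fi
        if ! is_vault_encrypted "$_f" &&
           grep -Eq '^ansible_(ssh_|become_)?pass(word)?[[:space:]]*:' "$_f"; then
            echo "PLAINTEXT $_name"; _bad=1
        fi
    done
    return "$_bad"
}

# Flag a --vault-password-file that is itself vault-encrypted or group/other-readable.
check_vault_password_file() {
    if is_vault_encrypted "$1"; then echo ENCRYPTED; return 1; fi
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] || { echo LOOSE_PERMS; return 1; }
    echo OK
}

# Constructed sample: group "myserver", plaintext vars file "myservers.yml".
make_sample() {
    mkdir -p "$1/group_vars"
    printf '[myserver]\nlocalhost\n' > "$1/myhostfile"
    printf '%s\n' '---' 'ansible_user: root' 'ansible_ssh_pass: toor' > "$1/group_vars/myservers.yml"
    printf '$ANSIBLE_VAULT;1.1;AES256\n6162\n' > "$1/secret_file"; chmod 600 "$1/secret_file"
    printf 'constructed-vault-pass\n' > "$1/vault_key"; chmod 600 "$1/vault_key"
}

# Demo on the constructed sample: prints the findings for the group_vars directory.
d=$(mktemp -d); make_sample "$d"; audit_group_vars "$d/myhostfile" "$d/group_vars" || true; rm -rf "$d"
```

A group_vars file whose name matches no inventory group is never loaded for any host, so the ad hoc command would run without the vaulted credentials.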
On Tuesday, October 30, 2018 at 11:39:52 AM UTC+5:30, Rajendra Rawat wrote:
>
> I have gone through the link shared by you, but nowhere is it
> using the vault for an ad hoc command. It is using it for a playbook.
>
> Request you to please share an example of the ping module as I did in
> my previous email; that would be helpful in understanding it.
>
> ad-hoc command:
>
> ansible <hostname> -m ping <what_next?>
>
> Please note sshkey is not setup on target host.
>
>
> Thanks & Regards
>
> Rajendra Rawat
>
>
> On Tue, 30 Oct 2018 at 08:21, Mohan L <[email protected]> wrote:
>
>>
>> You have to pass the vault password to the ansible command, not the vault
>> file itself. The vault file stores your secrets/variables in encrypted
>> format and the vault password is used to decrypt it. Pass the vault
>> password to the ansible command.
>>
>>
>> You have read this doc:
>> https://docs.ansible.com/ansible/2.7/user_guide/vault.html
>>
>> Take a look at the below link as well:
>>
>> https://serversforhackers.com/c/how-ansible-vault-works
>>
>>
>> https://zaiste.net/ansible_vault_storing_sensitive_data_as_encrypted_variables/
>>
>>
>> If your roles or playbooks reference encrypted variables, you need to
>> give Ansible the password to decrypt them. Prior to Ansible 2.4, you can
>> do this in two ways:
>>
>>
>> 1). Using the --ask-vault-pass flag will instruct Ansible to ask for the
>> vault password so it can decrypt the variable files correctly.
>>
>>
>> 2). Using the --vault-password-file flag will instruct Ansible to read the
>> vault password from a file. Ansible playbook uses the password within the
>> referenced file to decrypt the vault file.
>>
>>
>> Since Ansible 2.4, there is another way to provide a vault password, which
>> is to use the --vault-id option. This allows vault files or vars that are
>> encrypted with different passwords to be used at the same time. That is
>> what Andrew mentioned in his post.
>>
>>
>>
>>
>>
>> On Tuesday, October 30, 2018 at 1:04:03 AM UTC+5:30, Rajendra Rawat wrote:
>>>
>>> Hi Mohan,
>>>
>>> I tried running ad-hoc command as you suggested but it is not working
>>>
>>> ansible <target_hostname> -m ping -u <targer_vm_username>
>>> --vault-password-file <secret_file>
>>>
>>> where "secret_file" was created with password of <targer_vm_username>
>>> ansible-vault create secret_file
>>> cat secret_file
>>> <password>
>>>
>>> Output:
>>> [WARNING]: Error in vault password file loading (default): A vault
>>> password must be specified to decrypt data
>>> ERROR! A vault password must be specified to decrypt data
>>>
>>> Am I doing something wrong?
>>>
>>>
>>> Thanks & Regards
>>>
>>> Rajendra Rawat
>>>
>>>
>>> On Mon, 29 Oct 2018 at 21:19, Mohan L <[email protected]> wrote:
>>>
>>>> Do you have any problem using vault with ad-hoc?
>>>>
>>>> Here is an example of how it works.
>>>>
>>>> I have a vault secret file under group_vars like below. You have to use
>>>> ansible-vault create.
>>>>
>>>> # ansible-vault view group_vars/myserver.yml
>>>>
>>>> Vault password:
>>>>
>>>> ---
>>>>
>>>> ansible_user: root
>>>>
>>>> ansible_ssh_pass: password1
>>>>
>>>>
>>>> I have my vault password stored in file which look like below:
>>>>
>>>> # cat vault_key
>>>>
>>>> myvault@pass
>>>>
>>>>
>>>> I am using ad-hoc command like below and it works. What is your problem?
>>>>
>>>> # ansible myserver -m file -a "dest=/tmp/hello mode=755
>>>> state=directory" -u root --vault-password-file vault_key
>>>>
>>>> localhost | SUCCESS => {
>>>>
>>>> "changed": false,
>>>>
>>>> "gid": 0,
>>>>
>>>> "group": "root",
>>>>
>>>> "mode": "0755",
>>>>
>>>> "owner": "root",
>>>>
>>>> "path": "/tmp/hello",
>>>>
>>>> "secontext": "unconfined_u:object_r:user_tmp_t:s0",
>>>>
>>>> "size": 6,
>>>>
>>>> "state": "directory",
>>>>
>>>> "uid": 0
>>>>
>>>> }
>>>>
>>>>
>>>> Thanks
>>>> Mohan L
>>>>
>>>>
>>>>
>>>> On Monday, October 29, 2018 at 6:30:56 PM UTC+5:30, Rajendra Rawat
>>>> wrote:
>>>>>
>>>>> Hi All,
>>>>>
>>>>> Is it possible to use ansible-vault with ad-hoc commands?
>>>>> Use case: I have not setup ssh key and I want to use ping module on
>>>>> target machine.
>>>>>
>>>>> normal way if we have setup sshkey or pass the text password
>>>>> 1: ansible <target_hostname> -m ping [if ssh key configured]
>>>>> 2: ansible <target_hostname> -m ping --extra-vars
>>>>> "ansible_user=<username> ansible_password=<password>"
>>>>>
>>>>> But I want to do this with ansible-vault.
>>>>> Is it possible ? any help would be appreciated.
>>>>>
>>>>> Thanks & Regards
>>>>>
>>>>> Rajendra Rawat
>>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "Ansible Project" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> To post to this group, send email to [email protected].
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/d/msgid/ansible-project/7f859c16-ee20-42fc-9ec4-fa57befbff92%40googlegroups.com
>>>>
>>>> <https://groups.google.com/d/msgid/ansible-project/7f859c16-ee20-42fc-9ec4-fa57befbff92%40googlegroups.com?utm_medium=email&utm_source=footer>
>>>> .
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>