It is working for me now. Thanks for explaining it in detail. It is working for me after creating the group in /etc/ansible/group_var.
I have a doubt: can we achieve the same functionality without creating a vault file with the same group name which we gave in the inventory file in /etc/ansible/group_var/?

Thanks & Regards
Rajendra Rawat

On Tue, 30 Oct 2018 at 17:06, Mohan L <[email protected]> wrote:
>
> I have already given you an example. You can see it if you closely read my first reply to this thread. Ansible vault works the same way for both the ansible-playbook and ansible commands. Whatever is documented for ansible-playbook also works with ansible ad hoc if you use vault. You have to spend some time to learn it. Everything is documented well.
>
> Here is the step by step example:
>
> 1). Create a directory group_vars
>
> # mkdir -p /etc/ansible/group_vars
>
> 2). Create a variable file with your server user name and password. Please note this is the username and password which your ansible ad hoc command is going to use to log in to your target machine.
>
> # vim /etc/ansible/group_vars/myservers.yml
>
> ---
> ansible_user: root
> ansible_ssh_pass: toor
>
> Save the file with the above two variables. You have to change your target machine username and password.
>
> 3). My sample file looks like below after step 2.
>
> # cat /etc/ansible/group_vars/myservers.yml
> ---
> ansible_user: root
> ansible_ssh_pass: toor
>
> 4). Encrypt the /etc/ansible/group_vars/myservers.yml file.
> The ansible-vault command will prompt you for a password twice (a second time to confirm the first). Once that's done, the file will be encrypted! If you edit the file directly, you'll just see encrypted text.
>
> # ansible-vault encrypt /etc/ansible/group_vars/myservers.yml
> New Vault password:
> Confirm New Vault password:
> Encryption successful
>
> NOTE: You have to use this password with the ansible ad hoc command. In my case I used ‘test123’ as the password.
>
> 5). You will need to make inventory files for Ansible.
> An inventory file lists hosts which you would like to manage and the groups they belong to. I’ve created an inventory file called ‘myhostfile’.
>
> # vim /etc/ansible/myhostfile
> [myserver]
> localhost
>
> NOTE: Here ‘myserver’ is the group name and I have only one host, which is my local machine. You need to change localhost to your target machine hostname or IP address. If you closely notice, my group name is ‘myserver’ and the vault file under the group_vars directory is also the same.
>
> 6). Now run your ansible ad hoc command. Here is one ad hoc command which will create a file /tmp/hello on the target machine.
>
> # ansible -i /etc/ansible/myhostfile myservers -m file -a "dest=/tmp/hello mode=755 state=directory" -u root --ask-vault-pass
> Vault password:
> localhost | SUCCESS => {
>     "changed": false,
>     "gid": 0,
>     "group": "root",
>     "mode": "0755",
>     "owner": "root",
>     "path": "/tmp/hello",
>     "secontext": "unconfined_u:object_r:user_tmp_t:s0",
>     "size": 6,
>     "state": "directory",
>     "uid": 0
> }
>
> NOTE: I used --ask-vault-pass, which will prompt you for the vault password. In my case it is ‘test123’, which I used to decrypt the file. Please refer to step 4.
>
> You can also save the password in a file and pass it with --vault-password-file.
>
> Hope it helps you. If you still have a problem then you have to send more details about what exactly you are doing.
>
> On Tuesday, October 30, 2018 at 11:39:52 AM UTC+5:30, Rajendra Rawat wrote:
>>
>> I have gone through the link shared by you but nowhere is it using the vault for an ad hoc command. It is using it for a playbook.
>>
>> Request you to please share an example of the ping module as I did in my previous email; that would be helpful in understanding it.
>>
>> ad-hoc command:
>>
>> ansible <hostname> -m ping <what_next?>
>>
>> Please note sshkey is not set up on target host.
>>
>> Thanks & Regards
>> Rajendra Rawat
>>
>> On Tue, 30 Oct 2018 at 08:21, Mohan L <[email protected]> wrote:
>>
>>> You have to pass the vault password to the ansible command, not the vault file itself. The vault file stores your secrets/variables in encrypted format and the vault password is used to decrypt it. Pass the vault password to the ansible command.
>>>
>>> You have read this doc:
>>> https://docs.ansible.com/ansible/2.7/user_guide/vault.html
>>>
>>> Take a look at the below links as well:
>>> https://serversforhackers.com/c/how-ansible-vault-works
>>> https://zaiste.net/ansible_vault_storing_sensitive_data_as_encrypted_variables/
>>>
>>> If your roles or playbooks reference encrypted variables, you need to give Ansible the password to decrypt them. Prior to Ansible 2.4, you can do this in two ways:
>>>
>>> 1). Using the --ask-vault-pass flag will instruct Ansible to ask for the vault password so it can decrypt the variable files correctly.
>>>
>>> 2). Using the --vault-password-file flag will instruct Ansible to reference the vault password from a file. Ansible playbook uses the password within the referenced file to decrypt the vault file.
>>>
>>> Since Ansible 2.4, another way to provide a vault password is to use the --vault-id option as well. This allows vault files or vars that are encrypted with different passwords to be used at the same time. That is what Andrew mentioned in his post.
>>>
>>> On Tuesday, October 30, 2018 at 1:04:03 AM UTC+5:30, Rajendra Rawat wrote:
>>>>
>>>> Hi Mohan,
>>>>
>>>> I tried running the ad-hoc command as you suggested but it is not working
>>>>
>>>> ansible <target_hostname> -m ping -u <targer_vm_username> --vault-password-file <secret_file>
>>>>
>>>> where "secret_file" was created with the password of <targer_vm_username>
>>>> ansible-vault create secret_file
>>>> cat secret_file
>>>> <password>
>>>>
>>>> Output:
>>>> [WARNING]: Error in vault password file loading (default): A vault password must be specified to decrypt data
>>>> ERROR! A vault password must be specified to decrypt data
>>>>
>>>> Am I doing something wrong?
>>>>
>>>> Thanks & Regards
>>>> Rajendra Rawat
>>>>
>>>> On Mon, 29 Oct 2018 at 21:19, Mohan L <[email protected]> wrote:
>>>>
>>>>> Do you have any problem using vault with ad-hoc?
>>>>>
>>>>> Here is an example of how it works.
>>>>>
>>>>> I have a vault secret file under group_vars like below. You have to use ansible-vault create.
>>>>>
>>>>> # ansible-vault view group_vars/myserver.yml
>>>>> Vault password:
>>>>> ---
>>>>> ansible_user: root
>>>>> ansible_ssh_pass: password1
>>>>>
>>>>> I have my vault password stored in a file which looks like below:
>>>>>
>>>>> # cat vault_key
>>>>> myvault@pass
>>>>>
>>>>> I am using an ad-hoc command like below and it works. What is your problem?
>>>>>
>>>>> # ansible myserver -m file -a "dest=/tmp/hello mode=755 state=directory" -u root --vault-password-file vault_key
>>>>> localhost | SUCCESS => {
>>>>>     "changed": false,
>>>>>     "gid": 0,
>>>>>     "group": "root",
>>>>>     "mode": "0755",
>>>>>     "owner": "root",
>>>>>     "path": "/tmp/hello",
>>>>>     "secontext": "unconfined_u:object_r:user_tmp_t:s0",
>>>>>     "size": 6,
>>>>>     "state": "directory",
>>>>>     "uid": 0
>>>>> }
>>>>>
>>>>> Thanks
>>>>> Mohan L
>>>>>
>>>>> On Monday, October 29, 2018 at 6:30:56 PM UTC+5:30, Rajendra Rawat wrote:
>>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> Is it possible to use ansible-vault with ad-hoc commands?
>>>>>> Use case: I have not set up an ssh key and I want to use the ping module on the target machine.
>>>>>>
>>>>>> Normal way, if we have set up an sshkey or pass the text password:
>>>>>> 1: ansible <target_hostname> -m ping [if ssh key configured]
>>>>>> 2: ansible <target_hostname> -m ping --extra-vars "ansible_user=<username> ansible_password=<password>"
>>>>>>
>>>>>> But I want to do this with ansible-vault.
>>>>>> Is it possible? Any help would be appreciated.
>>>>>>
>>>>>> Thanks & Regards
>>>>>> Rajendra Rawat
>>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>> To post to this group, send email to [email protected].
>>>>> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/7f859c16-ee20-42fc-9ec4-fa57befbff92%40googlegroups.com
>>>>> <https://groups.google.com/d/msgid/ansible-project/7f859c16-ee20-42fc-9ec4-fa57befbff92%40googlegroups.com?utm_medium=email&utm_source=footer>.
>>>>> For more options, visit https://groups.google.com/d/optout.
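Added example, not part of the thread and not Ansible project code: a shell pre-flight check for the setup discussed above. It reports group_vars files that hold a connection password in cleartext, group_vars files whose name matches no group in an INI inventory, and a --vault-password-file that is itself vault-encrypted or not owner-only. The function names are made up for this example, and it assumes vault files begin with the $ANSIBLE_VAULT; header.

```shell
#!/bin/sh
# Added example: pre-flight checks for vault-backed ad hoc runs (names are hypothetical).

# True if FILE starts with the Ansible Vault header ($ANSIBLE_VAULT;...).
is_vaulted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# Print group_vars files that set a connection password but are not encrypted.
plaintext_secrets() {      # usage: plaintext_secrets GROUP_VARS_DIR
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        is_vaulted "$f" && continue
        grep -Eq '^[[:space:]]*ansible_(ssh_pass|password|become_pass(word)?)[[:space:]]*:' "$f" \
            && echo "$f"
    done
    return 0
}

# Print group_vars files named after no [group] in an INI inventory; Ansible
# loads group_vars/<name> only for hosts in group <name> (or "all").
unmatched_group_vars() {   # usage: unmatched_group_vars INVENTORY GROUP_VARS_DIR
    inv_groups=$(sed -n 's/^\[\([^]:]*\).*\]$/\1/p' "$1")
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f"); name=${name%.yml}; name=${name%.yaml}
        [ "$name" = all ] && continue
        echo "$inv_groups" | grep -Fqx "$name" || echo "$f"
    done
    return 0
}

# A --vault-password-file must hold the password in cleartext and should be
# owner-only. Prints the reason and returns 1 when either check fails.
check_password_file() {    # usage: check_password_file FILE
    if is_vaulted "$1"; then
        echo "$1 is itself vault-encrypted; store the vault password as plain text"
        return 1
    fi
    perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$perms" in
        600|400) return 0 ;;
        *) echo "$1 has mode $perms; restrict it to 600"; return 1 ;;
    esac
}

# Run all three when called as: script INVENTORY GROUP_VARS_DIR PASSWORD_FILE
if [ "$#" -eq 3 ]; then
    plaintext_secrets "$2"; unmatched_group_vars "$1" "$2"; check_password_file "$3"
fi
```

Run it with the inventory, the group_vars directory and the vault password file as arguments before the ad hoc command; any path it prints needs attention.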
