You can create a directory called 'all' under your playbook group_vars 
directory and use 'all' in your ad hoc command. This way the variables 
are applied to all the hosts defined in myhostfile in my example. 

# tree -L 3 /etc/ansible/group_vars
/etc/ansible/group_vars
`-- all
    `-- secrets.yml


# ansible -i /etc/ansible/myhostfile all -m file -a "dest=/tmp/hello mode=755 state=directory" -u root --ask-vault-pass
Vault password: 
localhost | SUCCESS => {
    "changed": false,
    "gid": 0,
    "group": "root",
    "mode": "0755",
    "owner": "root",
    "path": "/tmp/hello",
    "secontext": "unconfined_u:object_r:user_tmp_t:s0",
    "size": 6,
    "state": "directory",
    "uid": 0
}


Have a look at ansible inventory:

https://docs.ansible.com/ansible/latest/user_guide/intro_inventory.html

https://www.digitalocean.com/community/tutorials/how-to-manage-multistage-environments-with-ansible#ansible-recommended-strategy-using-groups-and-multiple-inventories



On Wednesday, October 31, 2018 at 11:52:29 AM UTC+5:30, Rajendra Rawat 
wrote:
>
> It is working for me now. Thanks for explaining it in detail.
> It is working for me after creating the group in 
> /etc/ansible/group_var
>
> I have a doubt: can we achieve the same functionality without creating a 
> vault file with the same group name which we have given in the inventory file in 
> /etc/ansible/group_var/?
>   
>
> Thanks & Regards
>
> Rajendra Rawat
>
>
> On Tue, 30 Oct 2018 at 17:06, Mohan L <[email protected]> wrote:
>
>>
>>
>> I have already given you an example. You can see it if you closely read my 
>> first reply to this thread. Ansible vault works the same way for both 
>> ansible-playbook and the ansible command. Whatever is documented for 
>> ansible-playbook also works with ansible ad hoc if you use vault. You have 
>> to spend some time to learn it. Everything is documented well.
>>
>> Here is the step by step example:
>>
>> 1). Create a directory group_vars
>>
>>
>> # mkdir -p /etc/ansible/group_vars
>>
>>
>> 2). Create a variable file with your server user name and password. 
>> Please note this is the username and password which your ansible ad hoc 
>> command is going to use to log in to your target machine.
>>
>>
>> # vim /etc/ansible/group_vars/myservers.yml
>>
>>
>> ---
>> ansible_user: root 
>> ansible_ssh_pass: toor
>>
>>
>> Save the file with above two variables. You have to change your target 
>> machine username and password.
>>
>>
>> 3). My sample file looks like below after step 2.
>>
>>
>> # cat /etc/ansible/group_vars/myservers.yml 
>> --- 
>> ansible_user: root 
>> ansible_ssh_pass: toor 
>>
>>
>>
>>
>> 4). Encrypt the /etc/ansible/group_vars/myservers.yml file. 
>> The ansible-vault command will prompt you for a password twice (a second 
>> time to confirm the first). Once that's done, the file will be encrypted! 
>> If you edit the file directly, you'll just see encrypted text.
>>
>>
>> # ansible-vault encrypt /etc/ansible/group_vars/myservers.yml 
>>
>> New Vault password:  
>> Confirm New Vault password:  
>> Encryption successful
>>
>>
>>
>> NOTE: You have to use this password with ansible ad hoc command. In my 
>> case I used ‘test123’ as password.
>>
>>
>> 5). You will need to make inventory files for Ansible. An inventory file 
>> lists hosts which you would like to manage and the groups they belong to. 
>> I’ve created inventory file called ‘myhostfile’
>>
>>
>> # vim /etc/ansible/myhostfile
>> [myserver] 
>> localhost
>>
>>
>>
>> NOTE: Here ‘myserver’ is the group name and I have only one host, which is my 
>> local machine. You need to change localhost to your target machine hostname 
>> or IP address. If you look closely, my group name is ‘myserver’ and the vault 
>> file under the group_vars directory is also the same. 
>>
>>
>> 6). Now run your ansible ad hoc command. Here is one ad hoc command which 
>> will create a file /tmp/hello on the target machine.
>>
>>
>>
>> # ansible -i /etc/ansible/myhostfile myservers -m file -a "dest=/tmp/hello mode=755 state=directory" -u root --ask-vault-pass
>> Vault password:  
>> localhost | SUCCESS => {
>>     "changed": false,
>>     "gid": 0,
>>     "group": "root",
>>     "mode": "0755",
>>     "owner": "root",
>>     "path": "/tmp/hello",
>>     "secontext": "unconfined_u:object_r:user_tmp_t:s0",
>>     "size": 6,
>>     "state": "directory",
>>     "uid": 0
>> }
>>
>>
>>
>> NOTE: I used --ask-vault-pass, which will prompt you for the vault password. In my 
>> case it is ‘test123’, which I used to decrypt the file. Please refer to step 4.
>>
>>
>> You can also save the password in a file and pass it with 
>> --vault-password-file
>>
>>
>>
>>
>> Hope it helps you. If you still have a problem then you have to send more 
>> details about what exactly you are doing.
>>
>>
>>
>> On Tuesday, October 30, 2018 at 11:39:52 AM UTC+5:30, Rajendra Rawat 
>> wrote:
>>>
>>> I have gone through the link shared by you, but nowhere is it 
>>> using the vault for an ad hoc command. It is using it for a playbook.
>>>
>>> Request you to please share an example of the ping module as I did in 
>>> my previous email; that would be helpful for understanding it.
>>>
>>> ad-hoc command:
>>>
>>> ansible <hostname> -m ping <what_next?>
>>>
>>> Please note sshkey is not setup on target host.
>>>
>>>
>>> Thanks & Regards
>>>
>>> Rajendra Rawat
>>>
>>>
>>> On Tue, 30 Oct 2018 at 08:21, Mohan L <[email protected]> wrote:
>>>
>>>>
>>>> You have to pass the vault password to the ansible command, not the vault file 
>>>> itself. The vault file stores your secrets/variables in encrypted format and 
>>>> the vault password is used to decrypt it. Pass the vault password to the ansible command.
>>>>
>>>>
>>>> You have read this doc: 
>>>> https://docs.ansible.com/ansible/2.7/user_guide/vault.html
>>>>
>>>> Take a look at the below link as well:
>>>>
>>>> https://serversforhackers.com/c/how-ansible-vault-works
>>>>
>>>>
>>>> https://zaiste.net/ansible_vault_storing_sensitive_data_as_encrypted_variables/
>>>>
>>>>
>>>> If your roles or playbooks reference encrypted variables, you need to 
>>>> give Ansible the password to decrypt them. Prior to Ansible 2.4, you can 
>>>> do this in two ways:
>>>>
>>>>
>>>> 1). Using the --ask-vault-pass flag will instruct Ansible to ask for 
>>>> the vault password so it can decrypt the variable files correctly.
>>>>
>>>>
>>>> 2). Using the --vault-password-file flag will instruct Ansible to read the 
>>>> vault password from a file. Ansible playbook uses the password within the 
>>>> referenced file to decrypt the vault file.
>>>>
>>>>
>>>> Since Ansible 2.4, another way to provide a vault password is to use 
>>>> the --vault-id option as well. This allows vault files or vars that 
>>>> are encrypted with different passwords to be used at the same time. That 
>>>> is what Andrew mentioned in his post. 
>>>>
>>>>
>>>>  
>>>>
>>>>
>>>> On Tuesday, October 30, 2018 at 1:04:03 AM UTC+5:30, Rajendra Rawat 
>>>> wrote:
>>>>>
>>>>> Hi Mohan,
>>>>>
>>>>> I tried running ad-hoc command as you suggested but it is not working
>>>>>
>>>>> ansible <target_hostname> -m ping -u <targer_vm_username>  
>>>>> --vault-password-file <secret_file>
>>>>>
>>>>> where "secret_file" was created with password of <targer_vm_username>
>>>>> ansible-vault create secret_file
>>>>> cat secret_file
>>>>> <password>
>>>>>
>>>>> Output:
>>>>>  [WARNING]: Error in vault password file loading (default): A vault 
>>>>> password must be specified to decrypt data
>>>>> ERROR! A vault password must be specified to decrypt data
>>>>>
>>>>> Am I doing something wrong?
>>>>>
>>>>>
>>>>> Thanks & Regards
>>>>>
>>>>> Rajendra Rawat
>>>>>
>>>>>
>>>>> On Mon, 29 Oct 2018 at 21:19, Mohan L <[email protected]> wrote:
>>>>>
>>>>>> Do you have any problem using vault with ad-hoc??
>>>>>>
>>>>>> Here is an example of how it works.
>>>>>>
>>>>>> I have a vault secret file under group_vars like below. You have to 
>>>>>> use ansible-vault create.
>>>>>>
>>>>>> # ansible-vault view group_vars/myserver.yml 
>>>>>> Vault password: 
>>>>>> ---
>>>>>> ansible_user: root
>>>>>> ansible_ssh_pass: password1
>>>>>>
>>>>>>
>>>>>> I have my vault password stored in a file which looks like below:
>>>>>>
>>>>>> # cat vault_key 
>>>>>> myvault@pass
>>>>>>
>>>>>>
>>>>>> I am using an ad-hoc command like below and it works. What is your 
>>>>>> problem?
>>>>>>
>>>>>> # ansible myserver -m file -a "dest=/tmp/hello mode=755 state=directory" -u root --vault-password-file vault_key 
>>>>>> localhost | SUCCESS => {
>>>>>>     "changed": false,
>>>>>>     "gid": 0,
>>>>>>     "group": "root",
>>>>>>     "mode": "0755",
>>>>>>     "owner": "root",
>>>>>>     "path": "/tmp/hello",
>>>>>>     "secontext": "unconfined_u:object_r:user_tmp_t:s0",
>>>>>>     "size": 6,
>>>>>>     "state": "directory",
>>>>>>     "uid": 0
>>>>>> }
>>>>>>
>>>>>>
>>>>>> Thanks
>>>>>> Mohan L
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Monday, October 29, 2018 at 6:30:56 PM UTC+5:30, Rajendra Rawat 
>>>>>> wrote:
>>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> Is it possible to use ansible-vault with ad-hoc commands?
>>>>>>> Use case: I have not setup ssh key and I want to use ping module on 
>>>>>>> target machine.
>>>>>>>
>>>>>>> normal way if we have setup sshkey or pass the text password
>>>>>>> 1: ansible <target_hostname> -m ping [if ssh key configured]
>>>>>>> 2: ansible <target_hostname> -m ping --extra-vars 
>>>>>>> "ansible_user=<username> ansible_password=<password>"
>>>>>>>
>>>>>>> But I want to do this with ansible-vault.
>>>>>>> Is it possible? Any help would be appreciated.
>>>>>>>
>>>>>>> Thanks & Regards
>>>>>>>
>>>>>>> Rajendra Rawat
>>>>>>>
>>>>>> -- 
>>>>>> You received this message because you are subscribed to the Google 
>>>>>> Groups "Ansible Project" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it, 
>>>>>> send an email to [email protected].
>>>>>> To post to this group, send email to [email protected].
>>>>>> To view this discussion on the web visit 
>>>>>> https://groups.google.com/d/msgid/ansible-project/7f859c16-ee20-42fc-9ec4-fa57befbff92%40googlegroups.com
>>>>>>  
>>>>>> <https://groups.google.com/d/msgid/ansible-project/7f859c16-ee20-42fc-9ec4-fa57befbff92%40googlegroups.com?utm_medium=email&utm_source=footer>
>>>>>> .
>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>>
>>>>
>>
>
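
Added example, not part of the original thread: offline pre-flight checks for the setup discussed above. They flag a file passed to --vault-password-file that is itself vault ciphertext (as happens when it is made with "ansible-vault create", the way secret_file was), group_vars entries whose name matches no inventory group, and group_vars files that still hold a connection password in plaintext. The function names are assumptions, and the only Ansible-specific fact relied on is the "$ANSIBLE_VAULT;" header line that ansible-vault writes.

```shell
#!/bin/sh
# Added example (not from the thread): offline pre-flight checks, ansible not required.

# Returns 0 if FILE starts with the header ansible-vault writes to encrypted files.
is_vault_encrypted() {
    first=''
    IFS= read -r first < "$1" || [ -n "$first" ] || return 1
    case "$first" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Checks the file handed to --vault-password-file; prints one line per finding.
check_password_file() {
    if is_vault_encrypted "$1"; then
        echo "encrypted: holds vault ciphertext, not the vault password"
    fi
    # Characters 5-10 of the ls mode string are the group/other permission bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
        echo "permissions: readable beyond the owner, use chmod 600"
}

# Group names declared in an INI inventory ([name], [name:children], [name:vars]).
inventory_groups() {
    sed -n 's/^\[\([^]:]*\)[^]]*\].*$/\1/p' "$1" | sort -u
}

# Entries in GROUP_VARS_DIR whose name is neither "all" nor an inventory group.
unmatched_group_vars() {
    for entry in "$2"/*; do
        [ -e "$entry" ] || continue
        name=$(basename "$entry"); name=${name%.yml}; name=${name%.yaml}
        [ "$name" = all ] && continue
        inventory_groups "$1" | grep -Fx -- "$name" >/dev/null || echo "$name"
    done
}

# Files under GROUP_VARS_DIR that set a connection password but are not encrypted.
plaintext_secret_files() {
    find "$1" -type f | sort | while IFS= read -r f; do
        if ! is_vault_encrypted "$f" && grep -Eq '^(ansible_ssh_pass|ansible_password):' "$f"; then
            echo "$f"
        fi
    done
}
```

For the layout in this thread the calls would be unmatched_group_vars /etc/ansible/myhostfile /etc/ansible/group_vars and plaintext_secret_files /etc/ansible/group_vars; empty output from both means every group_vars entry will be picked up and none leaks a password in clear text.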
