It's a lot easier if you just encrypt the value and not the whole file so
you can find where a variable is defined.
For example:

    ansible-vault encrypt_string --vault-id dev@password 'foooodev' --name 'the_dev_secret'

Result:

    the_dev_secret: !vault |
          $ANSIBLE_VAULT;1.2;AES256;dev
          30613233633461343837653833666333643061636561303338373661313838333565653635353162
          3263363434623733343538653462613064333634333464660a663633623939393439316636633863
          61636237636537333938306331383339353265363239643939666639386530626330633337633833
          6664656334373166630a363736393262666465663432613932613036303963343263623137386239
          6330

https://docs.ansible.com/ansible/latest/user_guide/vault.html

However, if you must encrypt the whole file, you can do the following:

1) Create group_vars/all.yml and put the following in it:

    ansible_user: someguy
    ansible_password: "{{ vault_ansible_password }}"

2) Create group_vars/vault.yml with the encrypted value of vault_ansible_password.

Then you should be able to run:

    ansible-playbook ./get_user_info.yml -i some_inventory

On Thursday, January 17, 2019 at 8:35:12 AM UTC-8, John Harmon wrote:
>
>
> I wouldn't be surprised if I am using this incorrectly, but I could use
> some outside input. Consider the following tree (not in a role):
> .
> ├── get_user_info.yml
> └── vault.yml
>
> vault.yml contents:
> ---
> ansible_user: someguy
> ansible_password: SecretPassword
>
> get_user_info.yml contents:
> ---
> - hosts: "{{ host }}"
>   gather_facts: false
>   vars_files:
>     - vault.yml
>   tasks:
>     - name: "Gather info for user {{ user }}"
>       win_domain_user:
>         name: "{{ user }}"
>         state: query
>       register: aduser
>
> ...debug stuff here...
>
>
> *Q1: I had to use vars_files to get the variables read in. Is that
> normal? Otherwise, my ansible_user kept defaulting to "NONE" when
> executing (as seen under debug level 4)*
>
> I execute the playbook as follows (which works) but get an error toward
> the end (in the play recap):
> ansible-playbook ./get_user_info.yml --vault-id @prompt vault.yml -i /etc/ansible/inventory/windows -e user=someuser -e host=myserver
>
> Output:
> Vault password (default):
>
> PLAY [myserver]
> *****************************************************************************************************************************************************************************************************************************
>
> TASK [Gather info for user someuser]
> ******************************************************************************************************************************************************************************************************
> ok: [myserver]
>
> TASK [debug]
> *****************************************************************************************************************************************************************************************************************************
> ... a bunch of output here for someuser ...
>
> PLAY RECAP
> *******************************************************************************************************************************************************************************************************************************
> myserver : ok=4 changed=0 unreachable=0 failed=0
>
> ERROR! playbooks must be a list of plays
>
> The error appears to have been in
> '/etc/ansible/tower/remove_user/vault.yml': line 2, column 1, but may
> be elsewhere in the file depending on the exact syntax problem.
>
> The offending line appears to be:
>
> $ANSIBLE_VAULT;1.1;AES256
>
> 63386238333136363662343339353362326564386230393766646263386639393838366433336261
> ^ here
>
> *Q2: If I am not using vault correctly, can someone please correct me?*
> *Q3: I don't understand why I am encountering the error in the play
> recap. Can somebody explain that to me?*
>
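
Added example, not part of either message above and not Ansible's own code: a small Python audit that tells apart the cases in this thread (an inline !vault value, a whole-file vault, a "{{ vault_* }}" reference, and a secret left in plaintext in a vars file). The function names, the key-name pattern for spotting secrets, and the shortened ciphertext in the samples are assumptions made for the example.

```python
import re

# Vault envelope header: $ANSIBLE_VAULT;<format version>;<cipher>[;<vault-id label>]
HEADER = re.compile(r"^\$ANSIBLE_VAULT;(\d+\.\d+);([A-Z0-9]+)(?:;(\S+))?$")
# Assumption: key names that suggest a secret; adapt to your own naming scheme.
SECRET_KEY = re.compile(r"pass(word|wd)?|secret|token|api_?key", re.I)
TOP_KEY = re.compile(r"^([A-Za-z_]\w*):\s*(.*)$")

def parse_header(line):
    """Return (version, cipher, vault-id label or None); None if not a vault header."""
    m = HEADER.match(line.strip())
    return m.groups() if m else None

def audit_vars(text):
    """Map each top-level variable to (status, vault-id label) for one vars file."""
    lines = text.splitlines()
    first = next((l for l in lines if l.strip()), "")
    if parse_header(first):  # whole file is one vault envelope
        return {"<file>": ("vaulted-file", parse_header(first)[2])}
    report = {}
    for i, line in enumerate(lines):
        m = TOP_KEY.match(line)
        if not m:
            continue  # skips '---', indented ciphertext and nested keys
        key, value = m.groups()
        if value.startswith("!vault"):
            hdr = parse_header(lines[i + 1]) if i + 1 < len(lines) else None
            report[key] = ("vaulted-inline", hdr[2]) if hdr else ("malformed-vault", None)
        elif "{{" in value:
            report[key] = ("reference", None)  # indirection, e.g. to a vault_* variable
        elif value and SECRET_KEY.search(key):
            report[key] = ("PLAINTEXT-SECRET", None)
        else:
            report[key] = ("plain", None)
    return report

# Constructed samples modelled on the files in this thread (ciphertext shortened).
INLINE = "the_dev_secret: !vault |\n  $ANSIBLE_VAULT;1.2;AES256;dev\n  3061323363346134\n  6330\n"
ALL_YML = 'ansible_user: someguy\nansible_password: "{{ vault_ansible_password }}"\n'
UNENCRYPTED = "---\nansible_user: someguy\nansible_password: SecretPassword\n"
WHOLE_FILE = "$ANSIBLE_VAULT;1.1;AES256\n6338623833313636\n"

if __name__ == "__main__":
    for name in ("INLINE", "ALL_YML", "UNENCRYPTED", "WHOLE_FILE"):
        print(name, audit_vars(globals()[name]))
```

Run over a repository's group_vars and host_vars files before committing, a PLAINTEXT-SECRET result marks a value that still needs ansible-vault encrypt_string or a move into an encrypted file.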