On Tue, 16 Mar 2021 17:17:44 -0700 (PDT) "[email protected]" <[email protected]> wrote:
> ... inject an 'ansible vault' password during a play.
FWIW, below is a scenario for putting the vault password into a file
only when you need it. Given the vault password is stored in
*passwordstore*, create two templates, e.g.
shell> cat dummy_vault_passwd.j2
dummy_vault_passwd
shell> cat my_vault_passwd.j2
{{ lookup('passwordstore', 'vault/admin') }}
and configure *vault_password_file*
shell> grep vault ansible.cfg
vault_password_file = $PWD/my_vault_passwd
Create a "dummy" file $PWD/my_vault_passwd
shell> cat my_vault_passwd
dummy_vault_passwd
Then the playbook below puts the vault password into the file only in
the section where it is needed
- hosts: localhost
  tasks:
    - template:
        dest: "{{ playbook_dir }}/my_vault_passwd"
        src: my_vault_passwd.j2
        mode: "0600"
    - include_vars: vault.yml
    - template:
        dest: "{{ playbook_dir }}/my_vault_passwd"
        src: dummy_vault_passwd.j2
        mode: "0600"
--
Vladimir Botka
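
With the playbook in the message above, a failing include_vars stops the play before the last task, so the real password stays in my_vault_passwd. The following is an added example, not part of the original message: the same three tasks wrapped in block/always, with log and diff output suppressed. The task names are mine; ansible.cfg, the two templates and vault.yml are assumed to be exactly as in the message.

```yaml
# Added example: hardened variant of the playbook from the message above.
# Assumes the same ansible.cfg, my_vault_passwd.j2, dummy_vault_passwd.j2
# and vault.yml as in that message.
- hosts: localhost
  tasks:
    - name: Use the real vault password only inside this block
      block:
        - name: Write the real vault password from passwordstore
          template:
            dest: "{{ playbook_dir }}/my_vault_passwd"
            src: my_vault_passwd.j2
            mode: "0600"
          no_log: true   # keep the task result out of logs and callbacks
          diff: false    # --diff would otherwise print the rendered password

        - name: Load the encrypted variables
          include_vars: vault.yml
          no_log: true   # decrypted values must not be echoed either

      always:
        # Runs whether the block succeeded or failed, so a lookup or
        # decryption error cannot leave the real password on disk.
        - name: Put the dummy password back
          template:
            dest: "{{ playbook_dir }}/my_vault_passwd"
            src: dummy_vault_passwd.j2
            mode: "0600"
          diff: false    # the "before" side of the diff is the real password
```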
