Ansible provides a convenient way to encrypt sensitive data such as passwords and secrets: Ansible Vault.
This post shows how to use Ansible Vault from Fabric.
First you might ask: why? At first I thought it was a crazy idea :) However, since I've been using Fabric and Ansible for a long while, I said why not - they are both written in Python, right?!
So how do you use it? You need to have Fabric and Ansible installed, obviously.
Create a fabfile and, at the top, import a few Ansible modules:
from ansible.cli import CLI
from ansible.parsing.vault import VaultLib
from ansible.parsing.dataloader import DataLoader
import yaml
import os
This lets you interface with VaultLib, which in turn decrypts the vault.
And this is how you use them from a function:
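def get_vault_data(vault_pass_file, vault_file):
    # Build the vault secrets from the password file (no vault ids, no prompt file list beyond this one)
    secrets = CLI.setup_vault_secrets(
        DataLoader(),
        vault_ids=[],
        vault_password_files=[vault_pass_file])
    v = VaultLib(secrets=secrets)
    # Read the encrypted file as bytes and close it as soon as it has been read
    with open(vault_file, 'rb') as f:
        data = v.decrypt(f.read())
    # safe_load builds only plain YAML types and never constructs arbitrary Python objects
    return yaml.safe_load(data)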
# in case you keep the password file in your home directory - adjust as required
HOME = os.environ.get("HOME")
VAULT_PASSWORD_FILE = os.path.join(HOME, ".ansible/vault_password_file")
my_vault = get_vault_data(VAULT_PASSWORD_FILE, "/etc/ansible/vault.yml")
print(my_vault) # this is the data from the encrypted Ansible vault.
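The function above trusts whatever password file and vault file it is given, and the last line prints every decrypted secret. The following is an added example, not code from the original post: a pre-flight check and a redaction helper to use around get_vault_data. The names parse_vault_header, password_file_problems, preflight and redact are hypothetical; the header layout is the one Ansible Vault writes ($ANSIBLE_VAULT;version;cipher, plus a vault-id label in the 1.2 format).

```python
import os
import stat

VAULT_MAGIC = b"$ANSIBLE_VAULT"  # first field of every vault file header


def parse_vault_header(first_line):
    """Parse b'$ANSIBLE_VAULT;<version>;<cipher>[;<vault-id>]' into a dict."""
    parts = first_line.strip().split(b";")
    if len(parts) < 3 or parts[0] != VAULT_MAGIC:
        raise ValueError("not an Ansible Vault file (missing header)")
    fields = [p.decode("ascii") for p in parts[1:]]
    # The vault-id label is only present in the 1.2 header format.
    vault_id = fields[2] if fields[0] == "1.2" and len(fields) > 2 else None
    return {"version": fields[0], "cipher": fields[1], "vault_id": vault_id}


def password_file_problems(path):
    """Return the reasons (possibly none) the password file is unsafe to use."""
    st = os.stat(path)
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != os.getuid():
        problems.append("owned by another user")
    if st.st_mode & 0o077:  # any group/other permission bit set
        problems.append("mode %o is accessible to group/others"
                        % stat.S_IMODE(st.st_mode))
    return problems


def preflight(vault_pass_file, vault_file):
    """Refuse to continue unless both files look sane; return the header."""
    problems = password_file_problems(vault_pass_file)
    if problems:
        raise PermissionError("%s: %s" % (vault_pass_file, "; ".join(problems)))
    with open(vault_file, "rb") as fh:
        return parse_vault_header(fh.readline())


def redact(data):
    """Copy decrypted vault data with every leaf value masked, for logging."""
    if isinstance(data, dict):
        return {key: redact(value) for key, value in data.items()}
    if isinstance(data, list):
        return [redact(value) for value in data]
    return "***"
```

In the fabfile, call preflight(VAULT_PASSWORD_FILE, "/etc/ansible/vault.yml") before get_vault_data, and print redact(my_vault) instead of my_vault so that only the key structure reaches the terminal or a CI log.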