Managing secrets with Ansible
ansible-vault
ansible-vault [create|decrypt|edit|encrypt|encrypt_string|rekey|view] [options] [vaultfile.yml]
create: create a new encrypted file (opens an editor)
edit: edit an encrypted file in place
encrypt: encrypt an existing plaintext file
decrypt: decrypt a file back to plaintext on disk
view: display the contents without writing plaintext to disk
rekey: change the vault password of an already encrypted file
encrypt_string: encrypt a single value so it can be embedded in an otherwise plaintext YAML file
1. Create an encrypted file
[devops@workstation ansible]$ ansible-vault create file
New Vault password:
Confirm New Vault password:
Contents (typed into the editor that create opens):
username: tom
password: 123456
2. View an encrypted file
[devops@workstation ansible]$ ansible-vault view file
Vault password:
username: tom
password: 123456
Without the interactive prompt, using a password file:
[devops@workstation ansible]$ echo 123456 > pass
[devops@workstation ansible]$ ansible-vault view file --vault-password-file=pass
username: tom
password: 123456
Caveats: echo 123456 > pass puts the vault password into the shell history, and the file is created with the default umask (usually readable by every user on the box). Create it under umask 077 or chmod 600 it immediately, keep it out of version control, and never commit it alongside the vault files it protects. To stop passing the flag on every command, set vault_password_file = pass in the [defaults] section of ansible.cfg.
3. Edit an encrypted file
[devops@workstation ansible]$ ansible-vault edit file --vault-password-file=pass
4. Change the vault password (rekey)
[devops@workstation ansible]$ ansible-vault rekey file
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful
5. Decrypt a file (the plaintext is written back to disk and stays there until you encrypt again)
[devops@workstation ansible]$ ansible-vault decrypt file
Vault password:
Decryption successful
6. Encrypt a file
[devops@workstation ansible]$ ansible-vault encrypt file
New Vault password:
Confirm New Vault password:
Encryption successful
Using it in a playbook:
Create a variables file named user.yml
vim user.yml
username: "user1"
pwhash: "$6$jr39DOUiE77Mrh58$DDlfYyT6xT47f5Ld5bJS"
pwhash must be a crypt-style password hash (as produced for /etc/shadow), not the cleartext password: the user module writes the password value to the shadow entry as-is, so a cleartext value would simply be an unusable hash.
Encrypt the variables file created above
[devops@workstation ansible]$ ansible-vault encrypt user.yml
New Vault password:
Confirm New Vault password:
Encryption successful
Write the playbook as follows
[devops@workstation ansible]$ vim lab4.yml
---
- hosts: dev
  vars_files:
    - user.yml
  tasks:
    - name: create user from user.yml
      user:
        name: "{{ username }}"
        password: "{{ pwhash }}"
Run it as follows. Because user.yml is vaulted, ansible-playbook needs the vault password to load the vars_files entry; --ask-vault-pass prompts for it, and --vault-password-file pass works here in exactly the same way as for ansible-vault itself:
[devops@workstation ansible]$ ansible-playbook lab4.yml --ask-vault-pass
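The password-file and playbook steps above leave two things to the operator: creating the password file safely, and making sure the vars file really is encrypted before it is committed or shipped. The following shell helpers are an added example written for this page, not code from the tutorial or from the Ansible project. The file names .vault_pass, user.yml and lab4.yml are hypothetical; the $ANSIBLE_VAULT;1.1;AES256 header that the check looks for is the real first line of an ansible-vault file (1.2 when a --vault-id label is used). The encrypt_and_run helper calls the real ansible-vault and ansible-playbook commands and is only useful where they are installed; the other helpers run anywhere.

```shell
# Added example (not from the tutorial above): guard rails around the
# ansible-vault workflow. .vault_pass, user.yml and lab4.yml are
# hypothetical names; the $ANSIBLE_VAULT header format is the real one.

# Create the vault password file without putting the password on the
# command line (echo 123456 > pass leaves it in shell history). Reads one
# line from stdin; when stdin is a terminal, echo is switched off.
make_vault_pass_file() {
    pass_file="$1"
    if [ -t 0 ]; then
        printf 'New Vault password: ' >&2
        stty -echo
        IFS= read -r vault_pw
        stty echo
        echo >&2
    else
        IFS= read -r vault_pw || [ -n "$vault_pw" ]
    fi
    # umask 077 in a subshell: the file is created 0600, never briefly world-readable
    ( umask 077; printf '%s\n' "$vault_pw" > "$pass_file" )
    chmod 600 "$pass_file"
    unset vault_pw
}

# True when the file is ansible-vault ciphertext. Encrypted files start with
#   $ANSIBLE_VAULT;1.1;AES256             (single password)
#   $ANSIBLE_VAULT;1.2;AES256;<vault-id>  (when --vault-id was used)
is_vaulted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# Pre-commit style check: print every existing argument that should be
# vaulted but is still plaintext. Returns 0 only when all are encrypted.
find_plaintext() {
    rc=0
    for f in "$@"; do
        if [ -f "$f" ] && ! is_vaulted "$f"; then
            printf 'NOT ENCRYPTED: %s\n' "$f"
            rc=1
        fi
    done
    return "$rc"
}

# Encrypt any vars file that is still plaintext, re-check, then run the
# playbook with the password file instead of --ask-vault-pass.
# Usage: encrypt_and_run .vault_pass lab4.yml user.yml
encrypt_and_run() {
    pass_file="$1"; playbook="$2"; shift 2
    command -v ansible-vault >/dev/null 2>&1 || { echo 'ansible not installed' >&2; return 2; }
    for f in "$@"; do
        is_vaulted "$f" || ansible-vault encrypt --vault-password-file "$pass_file" "$f"
    done
    find_plaintext "$@" || return 1
    ansible-playbook --vault-password-file "$pass_file" "$playbook"
}
```

find_plaintext is the piece worth wiring into a git pre-commit hook for the files under group_vars/ and host_vars/ that are supposed to be vaulted: a forgotten ansible-vault decrypt (step 5 above) otherwise lands a plaintext hash in the repository history, and re-encrypting the file afterwards does not remove it from there.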