Managing Secrets with Ansible

ansible-vault

 ansible-vault [create|decrypt|edit|encrypt|encrypt_string|rekey|view] [options] [vaultfile.yml]

create: create a new encrypted file
edit: edit an encrypted file in place
encrypt: encrypt an existing plaintext file
decrypt: decrypt an encrypted file back to plaintext
view: view the contents of an encrypted file
rekey: change the vault password of an encrypted file

1. Create an encrypted file

[devops@workstation ansible]$ ansible-vault create file
New Vault password: 
Confirm New Vault password: 
Contents:
username: tom
password: 123456

2. View an encrypted file

[devops@workstation ansible]$ ansible-vault view file
Vault password: 
username: tom
password: 123456

Without a password prompt (the vault password is read from a file, which must itself be protected):

[devops@workstation ansible]$ echo 123456 > pass
[devops@workstation ansible]$ ansible-vault view file --vault-password-file=pass
username: tom
password: 123456

3. Edit an encrypted file

[devops@workstation ansible]$ ansible-vault edit file --vault-password-file=pass

4. Change the vault password (rekey)

[devops@workstation ansible]$ ansible-vault rekey file
Vault password: 
New Vault password: 
Confirm New Vault password: 
Rekey successful

5. Decrypt a file

[devops@workstation ansible]$ ansible-vault decrypt file
Vault password: 
Decryption successful

6. Encrypt a file

[devops@workstation ansible]$ ansible-vault encrypt file
New Vault password: 
Confirm New Vault password: 
Encryption successful

Using vault-encrypted variables in a playbook:

Create a variables file named user.yml

vim user.yml
username: "user1"
pwhash: "$6$jr39DOUiE77Mrh58$DDlfYyT6xT47f5Ld5bJS"

Encrypt the variables file created above

[devops@workstation ansible]$ ansible-vault encrypt user.yml
New Vault password: 
Confirm New Vault password: 
Encryption successful

Write the playbook as follows

[devops@workstation ansible]$ vim lab4.yml
---
- hosts: dev
  vars_files:
    - user.yml
  tasks:
    - name: create user from user.yml
      user:
        name: "{{ username }}"
        password: "{{ pwhash }}"

Run it as follows:

[devops@workstation ansible]$ ansible-playbook lab4.yml --ask-vault-pass
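As an added example (not code from the original page), a small shell guard for the workflow above: it writes the vault password file with owner-only permissions instead of a bare `echo 123456 > pass`, and refuses to run the playbook while any of its variable files still holds plaintext credentials. The function names and the list of secret-looking keys are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes vault-encrypted files
# begin with the standard "$ANSIBLE_VAULT;" header line.

# is_vault_encrypted FILE: succeeds if FILE starts with the ansible-vault header
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# looks_like_secret FILE: succeeds if a plaintext YAML file defines a key such
# as password: or pwhash: (the keys used in user.yml above)
looks_like_secret() {
    grep -Eqi '^[[:space:]]*(password|pwhash|passwd|secret|token)[[:space:]]*:' "$1"
}

# check_vars_files FILE...: report every file that holds a secret-looking key
# but is not vault-encrypted; returns 1 if any such file exists, 0 otherwise
check_vars_files() {
    rc=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        is_vault_encrypted "$f" && continue
        if looks_like_secret "$f"; then
            echo "UNENCRYPTED SECRET: $f" >&2
            rc=1
        fi
    done
    return "$rc"
}

# make_vault_pass_file FILE PASSWORD: create the password file so that only the
# owner can read it; it must also be kept out of version control
make_vault_pass_file() {
    ( umask 077 && printf '%s\n' "$2" > "$1" ) && chmod 600 "$1"
}

# run_playbook_checked PLAYBOOK PASSFILE VARSFILE...: run the playbook with the
# password file only after every listed variable file passes the check
run_playbook_checked() {
    playbook=$1; passfile=$2; shift 2
    check_vars_files "$@" || return 1
    ansible-playbook "$playbook" --vault-password-file "$passfile"
}

# Usage with the files from this page (lab4.yml loads user.yml):
#   make_vault_pass_file pass 'your-vault-password'
#   run_playbook_checked lab4.yml pass user.yml
```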