Search code examples
ansibleansible-vault

Usage of VAULT_PASSWORD in playbook

Considering the following test playbook vault.yaml, with one Ansible Vault encrypted variable:

---
- name: Ansible Vault
  hosts: localhost
  connection: local
  gather_facts: false
  vars_prompt:
    - name: playbook_action
      prompt: "Select an action to perform:\n
        1) List encrypted variables\n
        2) Update global password\n"
      private: false
  tasks:
    - name: Encrypted Variables
      when: playbook_action in ['1', '1)']
      block:
        - name: Set encrypted variables fact
          ansible.builtin.set_fact:
            encrypted_variables:
              - ansible_password: '{{ ansible_password }}'
          no_log: true

        - name: List encrypted variables
          ansible.builtin.debug:
            var: encrypted_variables

    - name: Global Password
      when: playbook_action in ['2', '2)']
      block:
        - name: Set new global password
          ansible.builtin.pause:
            prompt: Password
            echo: false
          register: password

        - name: Update global password
          ansible.builtin.command:
            cmd: ansible-vault encrypt_string {{ item | quote }}  -n {{ item | quote }}
          environment:
            VAULT_PASSWORD: '{{ password.user_input }}'
          loop:
            - ansible_password
          register: encrypted_variables
          changed_when: true
          no_log: true

        - name: List encrypted variables
          ansible.builtin.debug:
            var: encrypted_variables.results | map(attribute = 'stdout')

While running:

ansible-playbook --ask-vault-pass vault.yaml
Vault password:
Select an action to perform:
 1) List encrypted variables
 2) Update global password
: 2

I would expect the playbook to make use of the defined environment VAULT_PASSWORD variable. Instead, I'm prompted to enter a new Vault password, for each variable I want to encrypt. The goal is to define once the new Vault password and use it implicitly into loop.

Edit: the only way I managed to address the issue was by creating a temporary password file:

        - name: Create password file
          ansible.builtin.lineinfile:
            line: '{{ password.user_input }}'
            path: ./password
            mode: '0644'
            create: true

        - name: Update global password
          ansible.builtin.command:
            cmd: ansible-vault encrypt_string {{ item | quote }}  -n {{ item | quote }} --vault-pass-file ./password
          loop:
            - ansible_password
          register: encrypted_variables
          changed_when: true
          no_log: true

        - name: Delete password file
          ansible.builtin.file:
            path: ./password
            state: absent

I would still prefer to use the VAULT_PASSWORD environment variable defined into task.

Solution

  • I would expect the playbook to make use of the defined environment VAULT_PASSWORD variable.

    Which is not possible by design: this variable is not used by Ansible so I'm not sure what is your expectation based upon. Generally, you have to either provide the password on prompt with --ask-vault-password, or define the location of the password file like you do in the second example (or using the ANSIBLE_VAULT_PASSWORD_FILE environment variable as per the documentation link above).