How To Use Ansible Vault to Protect Sensitive info

2024-01-16 15:35:19
ansible Vault介绍和环境准备

Ansible Vault是一种机制,允许将加密内容透明地纳入Ansible工作流程中。

ansible-vault的实用工具通过在磁盘上对机密数据进行加密来保护这些秘密。

为了将这些秘密与常规的Ansible数据集成在一起,ansible和ansible-playbook命令都支持在运行时解密vault加密的内容,用于执行临时任务和结构化的playbook。

Vault以文件级粒度实现,这意味着单个文件可以是加密的或未加密的。

它使用AES256算法提供对称加密,以用户提供的密码作为密钥。

这意味着相同的密码用于加密和解密内容,这有助于提高可用性。在执行playbook或任务时,Ansible能够识别和解密任何它发现的vault加密文件。

用ansible-valut管理敏感文件
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
#设置编辑环境 ~/.bashrc
> echo $EDITOR
/usr/bin/vim

#建立加密文件,并输入密码
> ansible-vault create valut.yml
New Vault password: 
Confirm New Vault password: 

#这里我们在value.yml输入点内容,在关闭文件后,我们会发现
> cat valut.yml 
$ANSIBLE_VAULT;1.1;AES256
32613365303534366262393732313766626262323132643935653837616261666236386163393339
6366616264643365313566396162303162376132653639620a616166646131386638316264303432
38636237646535363064383036616232366433356437613532393037373636333735303833393938
6134656339623734380a303239623836366662313839656239313031663131303738383665306566
3964

#加密已经存在的文件

> echo 'some user info' > encrypt.txt
> ansible-vault encrypt encrypt.txt  
New Vault password: 
Confirm New Vault password: 
Encryption successful

> cat encrypt.txt 
$ANSIBLE_VAULT;1.1;AES256
30666265383539646530393534373333633133373661373435306465636561656661646139636561
6134383833373333336135373638623631383662363062370a653937626664396164383164316261
61623361336331636133363062393662396533386636353931616630323731353235373566316166
3733316462343961650a646132653838623138333832326230373337376465633738633435626534
3038

#查看已经加密的文件
ansible-vault view vault.yml
#编辑已经加密的文件
ansible-vault edit vault.yml
#解密已经加密的文件
ansible-vault decrypt vault.yml
#改变加密的密码
ansible-vault rekey encrypt.txt
交互运行Vault-Encrypted 文件
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

#交互运行
ansible --ask-vault-pass -bK -m copy -a 'src=secret_key dest=/tmp/secret_key mode=0600 owner=root group=root' localhost

BECOME password:
Vault password:

localhost | SUCCESS => {
    "changed": true, 
    "checksum": "7a2eb5528c44877da9b0250710cba321bc6dac2d", 
    "dest": "/tmp/secret_key", 
    "gid": 0, 
    "group": "root", 
    "md5sum": "270ac7da333dd1db7d5f7d8307bd6b41", 
    "mode": "0600", 
    "owner": "root", 
    "size": 18, 
    "src": "/home/sammy/.ansible/tmp/ansible-tmp-1480978964.81-196645606972905/source", 
    "state": "file", 
    "uid": 0
}
非交互运行Vault-Encrypted 文件
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
#建立.vault_pass文件,记住不要纳入版本管理

echo 'my_vault_password' > .vault_pass

echo '.vault_pass' >> .gitignore

ansible --vault-password-file=.vault_pass -bK -m copy -a 'src=secret_key dest=/tmp/secret_key mode=0600 owner=root group=root' localhost

localhost | SUCCESS => {
    "changed": false,
    "checksum": "52d7a243aea83e6b0e478db55a2554a8530358b0",
    "dest": "/tmp/secret_key",
    "gid": 80,
    "group": "root",
    "mode": "0600",
    "owner": "root",
    "path": "/tmp/secret_key",
    "size": 8,
    "state": "file",
    "uid": 0
}
自动读取Vault-Encrypted 文件
1
2
3
4
5
6
7
8
9
export ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass

ansible -bK -m copy -a 'src=secret_key dest=/tmp/secret_key mode=0600 owner=root group=root' localhost

vi ansible.cfg

[defaults]
. . .
vault_password_file = ./.vault_pass
从环境变量读取Vault-Encrypted 文件
1
2
3
4
5
6
7
8
9
10
11
vi .vault_pass

#!/usr/bin/env python3

import os
print os.environ['VAULT_PASSWORD']


chmod +x .vault_pass

export VAULT_PASSWORD=my_vault_password

参照文档