Managing secrets with ansible-vault

  • Preface
  • 1. Getting ansible-vault command help
  • 2. Creating an encrypted file
  • 3. Decrypting the vault file
  • 4. Encrypting the vault file
  • 5. Viewing the vault file
  • 6. Editing the vault file
  • 7. Changing the vault file's password

Preface

ansible-vault is the tool for encrypting and decrypting yml (playbook) files.
Playbooks sometimes contain sensitive information; for security, this tool can be used to encrypt them.


Note: the environment used in this article is CentOS 8.2 with Ansible 2.8.0.
For details on setting up the environment, see: ansible-2.8.0 setup link

1. Getting ansible-vault command help

  • ansible-vault command help
[root@ansible-server ansible]# ansible-vault --help
usage: ansible-vault [-h] [--version] [-v]
{create,decrypt,edit,view,encrypt,encrypt_string,rekey}
...

encryption/decryption utility for Ansible data files

positional arguments:
{create,decrypt,edit,view,encrypt,encrypt_string,rekey}
create Create new vault encrypted file
decrypt Decrypt vault encrypted file
edit Edit vault encrypted file
view View vault encrypted file
encrypt Encrypt YAML file
encrypt_string Encrypt a string
rekey Re-key a vault encrypted file

optional arguments:
--version show program's version number, config file location,
configured module search path, module location,
executable location and exit
-h, --help show this help message and exit
-v, --verbose verbose mode (-vvv for more, -vvvv to enable
connection debugging)

See 'ansible-vault <command> --help' for more information on a specific
command.
  • Command help for the create subcommand
[root@ansible-server ansible]# ansible-vault create --help
usage: ansible-vault create [-h] [--encrypt-vault-id ENCRYPT_VAULT_ID]
[--vault-id VAULT_IDS]
[--ask-vault-pass | --vault-password-file VAULT_PASSWORD_FILES]
[-v]
[file_name [file_name ...]]

positional arguments:
file_name Filename

optional arguments:
-h, --help show this help message and exit
--encrypt-vault-id ENCRYPT_VAULT_ID
the vault id used to encrypt (required if more than
vault-id is provided)
--vault-id VAULT_IDS the vault identity to use
--ask-vault-pass ask for vault password
--vault-password-file VAULT_PASSWORD_FILES
vault password file
-v, --verbose verbose mode (-vvv for more, -vvvv to enable
connection debugging)

2. Creating an encrypted file

[root@ansible-server ansible]# ansible-vault create user_file
New Vault password:
Confirm New Vault password:
user_name: bob
[root@ansible-server ansible]# cat user_file
$ANSIBLE_VAULT;1.1;AES256
39303734363366613735306537356562346330666431353263383030393663313638346339626232
6534366330323163353431326561303066623132623365310a326331626362623739343163636435
64656538346261636133373037303838633931313334313838666462336432616561366138393961
3234643064396561640a643937383537613862633839353064363231376339333138376532356534
3135
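Added example, not from the original post: the envelope printed by `cat user_file` above can be validated without the vault password, which makes a useful pre-commit check that vars files meant to hold secrets were actually vaulted rather than committed in clear. The script below decodes the envelope's structure (the AES256 cipher packs a hex salt, HMAC-SHA256 and AES-CTR ciphertext into the body) and classifies a file; the sample envelope is copied from the output above, and the ciphertext length it reports (16 bytes) is the one thing the envelope reveals about the plaintext.

```python
import binascii

# Copied from the `cat user_file` output above (the vault of "user_name: bob").
SAMPLE_VAULT = """$ANSIBLE_VAULT;1.1;AES256
39303734363366613735306537356562346330666431353263383030393663313638346339626232
6534366330323163353431326561303066623132623365310a326331626362623739343163636435
64656538346261636133373037303838633931313334313838666462336432616561366138393961
3234643064396561640a643937383537613862633839353064363231376339333138376532356534
3135
"""

def parse_vault_envelope(text):
    """Split a vault file into header fields and the three parts the AES256
    cipher packs into the hex body: 32-byte salt, 32-byte HMAC-SHA256 and the
    PKCS7-padded AES-CTR ciphertext. Raises ValueError if not a sound envelope."""
    header, _, body = text.strip().partition("\n")
    fields = header.split(";")
    if len(fields) < 3 or fields[0] != "$ANSIBLE_VAULT" or fields[2] != "AES256":
        raise ValueError("not an ansible-vault envelope: %r" % header)
    if fields[1] not in ("1.1", "1.2"):
        raise ValueError("unknown vault format version %r" % fields[1])
    # Format 1.2 appends the vault-id label as a fourth field; 1.1 has none.
    vault_id = fields[3] if fields[1] == "1.2" and len(fields) > 3 else None
    # The body hex-decodes to "salt_hex\nhmac_hex\nciphertext_hex".
    try:
        packed = binascii.unhexlify("".join(body.split()))
        salt, mac, ciphertext = (binascii.unhexlify(p) for p in packed.split(b"\n"))
    except (binascii.Error, ValueError) as exc:
        raise ValueError("corrupt vault body: %s" % exc)
    if len(salt) != 32 or len(mac) != 32 or not ciphertext or len(ciphertext) % 16:
        raise ValueError("unexpected part sizes in vault body")
    return {"version": fields[1], "vault_id": vault_id, "salt": salt,
            "hmac": mac, "ciphertext": ciphertext}

def classify_vars_file(text):
    """'vaulted' for a sound envelope, 'malformed' for a vault header with a broken
    body (e.g. a bad merge), 'plaintext' when there is no vault header at all."""
    if not text.startswith("$ANSIBLE_VAULT;"):
        return "plaintext"
    try:
        parse_vault_envelope(text)
    except ValueError:
        return "malformed"
    return "vaulted"

if __name__ == "__main__":
    info = parse_vault_envelope(SAMPLE_VAULT)
    print("format %s, vault-id %s, ciphertext %d bytes" % (info["version"], info["vault_id"], len(info["ciphertext"])))
    print(classify_vars_file("user_name: bob\n"))  # a plaintext vars file would fail the check
```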

# edit the playbook
[root@ansible-server ansible]# vim add_user.yml
---
- hosts: all
  vars_files:
    - user_file
  tasks:
    - name: create user
      user:
        name: '{{ user_name }}'
        state: present

# run the playbook
[root@ansible-server ansible]# ansible-playbook add_user.yml --ask-vault-pass
Vault password:

PLAY [all] *********************************************************************************************************

TASK [Gathering Facts] *********************************************************************************************
ok: [node02]
ok: [node03]
ok: [node04]
ok: [node01]

TASK [create user] *************************************************************************************************
ok: [node02]
ok: [node01]
ok: [node04]
ok: [node03]

PLAY RECAP *********************************************************************************************************
node01 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node02 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node03 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node04 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0


## Alternatively, you can create a password file and use it to run the playbook and to view, edit and change the user file
# create the password file
[root@ansible-server ansible]# echo '123' > passwdfile
# run the playbook
[root@ansible-server ansible]# ansible-playbook add_user.yml --vault-password-file passwdfile

PLAY [all] *********************************************************************************************************

TASK [Gathering Facts] *********************************************************************************************
ok: [node01]
ok: [node02]
ok: [node03]
ok: [node04]

TASK [create user] *************************************************************************************************
ok: [node01]
ok: [node03]
ok: [node02]
ok: [node04]

PLAY RECAP *********************************************************************************************************
node01 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node02 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node03 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node04 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

3. Decrypting the vault file

[root@ansible-server ansible]# ansible-vault decrypt user_file 
Vault password:
Decryption successful
[root@ansible-server ansible]# cat user_file
user_name: bob

4. Encrypting the vault file

[root@ansible-server ansible]# ansible-vault encrypt user_file --vault-password-file passwdfile
Encryption successful
[root@ansible-server ansible]# cat user_file
$ANSIBLE_VAULT;1.1;AES256
61393833343530313039613366613035366462373230323165663163623434393162363764393163
3966303535336435323066373564303134396138663761340a336363313437303130303739383433
32616439366363613234643863363131313834353461623233333435613833646661396139663065
3134663162393231660a306265383932313636306565346266653936313338626664653436376437
3064

5. Viewing the vault file

[root@ansible-server ansible]# ansible-vault view user_file --vault-password-file passwdfile
user_name: bob

6. Editing the vault file

# change the file contents
[root@ansible-server ansible]# ansible-vault edit user_file --vault-password-file passwdfile
user_name: tom
user_name: tom
# view the file contents
[root@ansible-server ansible]# ansible-vault view user_file --vault-password-file passwdfile
user_name: tom
user_name: tom

7. Changing the vault file's password

[root@ansible-server ansible]# ansible-vault rekey user_file 
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful