I'd definitely resent any inference of evil-doing from "The Ansible Team" here :)
While I'm open to pull requests to enhancements within reason, we've had the discussion a few times already that this could be served better by a "password2" style plugin that used the VaultLib classes.

--Michael

On Fri, Mar 21, 2014 at 10:41 AM, Petros Moisiadis <[email protected]> wrote:

> On 03/21/14 13:54, [email protected] wrote:
> > Hi all.
> >
> > (reposting because of a silly copy/paste error - sorry about that.)
> >
> > Vault was a great addition to Ansible.
> > Some complained about the lack of leaf encryption.
> >
> > I just published a blog post about a few of our practices involving Ansible,
> > and here is an excerpt about how we easily work around this limitation.
> > Hope it helps some of you.
> > (Blog post is here: http://reinteractive.net/posts/167-ansible-real-life-good-practices)
> >
> > Excerpt:
> >
> > *Vault Pseudo leaf encryption*
> >
> > Very recently, with version 1.5, Ansible introduced Ansible Vault, a way to encrypt data in the playbook, and decrypt it at run time. This feature was highly requested, and gives Ansible its true place among platform management tools.
> >
> > The thing is: what we like about Ansible is the readability, and encryption has a way of making things, well, less readable... The ansible-vault command will encrypt or decrypt the whole var file; you cannot encrypt just the value of a variable. The solution is simple enough: create a second var file, just for the sensitive data. But this raises another issue: your variables are now spread over multiple files, and some of them encrypted. This can get messy. For instance, if you define a dictionary of variables and only one of them is sensitive, you have to encrypt the whole dictionary.
> >
> > Leaf encryption was (is) a feature request, but in the meantime, there is an elegant way of keeping it both readable and secure: nested variables.
> >
> > For every sensitive variable, you create a prefixed double that goes in an encrypted file.
> >
> > # var_file
> > db_password: "{{ vaulted_db_password }}"
> > # and for a dictionary
> > aws:
> >   - "access_key_id='abcdefgh'"
> >   - "secret_access_key='{{ vaulted_aws_secret_access_key }}'"
> >
> > # vault_file
> > vaulted_db_password: a_super_secret
> > vaulted_aws_secret_access_key: the_aws_secret
> >
> > That way, you can manipulate all your vars like before, knowing the vaulted version stays encrypted. You can even solve the problem of having someone responsible for the encrypted file and the rest of the team never seeing its content but still being able to manage var files as they need.
> >
> > --
> > You received this message because you are subscribed to the Google Groups "Ansible Project" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > To post to this group, send email to [email protected].
> > To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/2a8a43b6-b358-46a4-9d38-7874efc2fa8c%40googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
>
> Well, it will work, but this is still a workaround. You still have to maintain two files and edit them both for a single addition. Also, it becomes more complicated if you have repeated variable names and values. For example, how much complexity do you have to introduce in your separate vault file in order to handle a simple variable file like the following?
>
> system_users:
>   - username: john
>     password: secret_password_1
>   - username: alice
>     password: secret_password_2
>
> db_users:
>   - username: john
>     password: another_secret_password_1
>   - username: alice
>     password: another_secret_password_2
>
> Unfortunately, the Ansible team has not (yet) given an answer on whether a command-line option to enable a simple syntax for leaf-node encryption mode would be considered for ansible-vault (keeping the current whole-file encryption mode as the default mode). There was a feature request for this mode and discussion by many people _before_ vault's release and it seems it is still desired by people _after_ vault's release.
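The nested-variable pattern from the quoted post has one failure mode worth checking before a run: a `{{ vaulted_* }}` reference in the plain var file whose twin was never added to the vault file, which would either abort the play or, if the string is never templated, pass the literal placeholder through as the "password". The script below is an added example, not code from the thread or from Ansible: it resolves the thread's var_file against its vault_file, reports any unresolved names, and lists the vault entries that Petros's `system_users`/`db_users` file would need once rewritten in the same style (four distinct `vaulted_*` names for four passwords). The dicts stand in for the parsed YAML of the two files (constructed here; in practice they would come from `yaml.safe_load` after `ansible-vault decrypt`), and only the plain `{{ name }}` reference form is handled, no other Jinja2 syntax.

```python
"""Resolve and lint the "nested variable" pattern between a plain var file
and a vaulted var file.  Added example; inputs are constructed stand-ins."""
import re

# A {{ name }} reference as used in the thread's examples.
REF = re.compile(r"\{\{\s*(\w+)\s*\}\}")

# Constructed stand-in for the parsed plain (unencrypted) var_file.
VAR_FILE = {
    "db_password": "{{ vaulted_db_password }}",
    "aws": [
        "access_key_id='abcdefgh'",
        "secret_access_key='{{ vaulted_aws_secret_access_key }}'",
    ],
}

# Constructed stand-in for the parsed, decrypted vault_file.
VAULT_FILE = {
    "vaulted_db_password": "a_super_secret",
    "vaulted_aws_secret_access_key": "the_aws_secret",
}

# Constructed: the system_users/db_users file from the thread, rewritten in
# the nested-variable style.  Each leaf needs its own vault name, so the
# vault file must carry four entries (the names below are assumptions).
USERS_VAR_FILE = {
    "system_users": [
        {"username": "john", "password": "{{ vaulted_system_john_password }}"},
        {"username": "alice", "password": "{{ vaulted_system_alice_password }}"},
    ],
    "db_users": [
        {"username": "john", "password": "{{ vaulted_db_john_password }}"},
        {"username": "alice", "password": "{{ vaulted_db_alice_password }}"},
    ],
}


def resolve(value, vault, missing):
    """Recursively replace {{ name }} references with values from `vault`.
    Names absent from the vault are recorded in `missing` and left in place."""
    if isinstance(value, dict):
        return {k: resolve(v, vault, missing) for k, v in value.items()}
    if isinstance(value, list):
        return [resolve(v, vault, missing) for v in value]
    if isinstance(value, str):
        def sub(match):
            name = match.group(1)
            if name in vault:
                return str(vault[name])
            missing.add(name)
            return match.group(0)
        return REF.sub(sub, value)
    return value


def render(var_file, vault_file):
    """Return (resolved_vars, sorted list of unresolved reference names)."""
    missing = set()
    resolved = resolve(var_file, vault_file, missing)
    return resolved, sorted(missing)


def plain_file_references(var_file):
    """Every name referenced from the plain file, i.e. what the vault must define."""
    names = set()

    def walk(value):
        if isinstance(value, dict):
            for item in value.values():
                walk(item)
        elif isinstance(value, list):
            for item in value:
                walk(item)
        elif isinstance(value, str):
            names.update(REF.findall(value))

    walk(var_file)
    return sorted(names)


if __name__ == "__main__":
    resolved, missing = render(VAR_FILE, VAULT_FILE)
    print("resolved:", resolved)
    print("unresolved:", missing or "none")
    print("vault entries needed for the users file:",
          plain_file_references(USERS_VAR_FILE))
    # Rendering the users file against the thread's vault shows the lint
    # catching every reference that has no twin in the vault.
    print("unresolved in users file:", render(USERS_VAR_FILE, VAULT_FILE)[1])
```

Running `plain_file_references` over every plain var file and diffing the result against the keys of the decrypted vault file is the cheap pre-commit check for this pattern: an entry in the vault that nothing references is dead weight, and a reference with no vault entry is the leak-or-abort case above.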
