On Tue, 28 May 2024 at 15:17, Dick Visser <[email protected]> wrote:
> This seems to work, and because ansible.cfg contains the right information
> (vault_identity_list, vault_encrypt_identity) the encrypted content looks
> good, when I'm debugging.
> But the actual file contents are plain text again. It seems the copy
> module decrypts the encrypted content again? How can I force the content to
> NOT be decrypted?

To quickly answer my own question: there is a decrypt parameter:

https://docs.ansible.com/ansible/latest/collections/ansible/builtin/copy_module.html#parameter-decrypt

I had never noticed that 🤡
So the first task does work now.

Still my other question remains:

> Another approach is the vault filter, which seems to be a bit cleaner. I
> thought this would do the trick:
>
>     - name: save token
>       ansible.builtin.copy:
>         content: "{{ token | ansible.builtin.vault }}"
>         dest: /tmp/out2
>         mode: 0600
>
> But that didn't work, the filter insists on an actual secret value. I then
> must do a separate lookup for the ansible vault password. But the vault
> password file can also be an executable that sends the secret to stdout. I
> don't want to have to implement that logic myself.
>
> Is there a way for the ansible.builtin.vault filter to use the
> vault_identity_list and vault_encrypt_identity that are in ansible.cfg?
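
The message above notes that a vault password source can be a plain file or an executable that prints the secret to stdout. As an added example (not from the thread and not Ansible's own code), this Python sketch resolves the identities in vault_identity_list that way and reports which one vault_encrypt_identity selects; the `label@source` entry form, the helper names, the sample paths and the file-permission check are assumptions of this example.

```python
import configparser
import os
import subprocess
import tempfile

def parse_identities(cfg_text):
    """Return ({label: source}, encrypt_label) from ansible.cfg text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    raw = cp.get("defaults", "vault_identity_list", fallback="")
    ids = {}
    for item in filter(None, (p.strip() for p in raw.split(","))):
        label, sep, source = item.partition("@")
        if not sep:  # bare path without a label
            label, source = "default", item
        ids[label] = source
    return ids, cp.get("defaults", "vault_encrypt_identity", fallback=None)

def read_secret(source):
    """Run the source if it is executable, otherwise read it as a file."""
    path = os.path.expanduser(source)
    # Extra hardening added for this example: refuse group/world access.
    if os.stat(path).st_mode & 0o077:
        raise PermissionError(f"{path} is accessible to group/others")
    if os.access(path, os.X_OK):
        out = subprocess.run([path], check=True, capture_output=True).stdout
    else:
        with open(path, "rb") as fh:
            out = fh.read()
    secret = out.strip(b"\r\n")
    if not secret:
        raise ValueError(f"no secret returned by {path}")
    return secret

def demo():
    """Constructed sample: one plain password file, one executable."""
    with tempfile.TemporaryDirectory() as d:
        plain, script = os.path.join(d, "dev.txt"), os.path.join(d, "prod.sh")
        with open(plain, "w") as fh:
            fh.write("dev-pass\n")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\necho prod-pass\n")
        os.chmod(plain, 0o600)
        os.chmod(script, 0o700)
        cfg = ("[defaults]\n"
               f"vault_identity_list = dev@{plain}, prod@{script}\n"
               "vault_encrypt_identity = prod\n")
        ids, enc = parse_identities(cfg)
        return enc, {k: read_secret(v) for k, v in ids.items()}
```

The returned secrets are bytes and should be handed straight to whatever consumes them rather than printed or logged.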
