
What are best practices for using Ansible Vault on public CI's and Source Control Repositories like BitBucket?

Submitted by: @import:stackexchange-devops

Problem

Introduction

On private CIs and Source Control Repositories like Gitlab-ce it is possible to copy a ~/.vault_pass.txt to the server and let the CI use it to decrypt files using Ansible.

Problem

On public CIs and Source Control Repositories like Bitbucket it is not possible to copy a ~/.vault_pass.txt to the CI server itself.

Discussion

In Bitbucket it is possible to define encrypted variables, but when this file is checked the only VAULT-related variables are:

  • ANSIBLE_ASK_VAULT_PASS
  • ANSIBLE_VAULT_PASSWORD_FILE

These variables are not an option to solve the issue, as when ANSIBLE_ASK_VAULT_PASS is set ansible-vault still prompts:

user@host $
Vault password:


When the same password is entered it can open the encrypted file, but the aim is to open the file without needing a file or entering a password in a prompt.

Another attempt to solve the issue was running export ANSIBLE_ASK_VAULT_PASS=, but the interactive mode persists.

Another option is export ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass.txt, but then this file needs to be pushed to the repository, and source control repositories should not contain passwords.

Solution

--vault-password-file can instead point to an executable script that writes to stdout. This little-known feature should solve your problem.

First, write a simple, executable script that prints a system environment variable, and check that into your source control. Then, use Bitbucket's encrypted variable feature to set that environment variable to your ansible-vault secret. Finally, execute like so:

ansible-playbook site.yml --vault-password-file ./mypass.sh

References:

- http://docs.ansible.com/ansible/playbooks_vault.html#running-a-playbook-with-vault
- https://groups.google.com/forum/#!topic/ansible-devel/1vFc3y6Ogto
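The procedure the answer describes, as an added worked example (it is not code from the original answer or from the Ansible project): a generator that writes the committed helper script, a runner that invokes it the way Ansible does (no arguments, password read from stdout), and a check that the secret never ends up inside the committed file. The CI variable name ANSIBLE_VAULT_PASS is an assumption; pick any name and set it as a secured variable in Bitbucket. The script path ./mypass.sh follows the answer.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes the Bitbucket
# secured variable is named ANSIBLE_VAULT_PASS (assumption).

# Write the helper script the answer describes: an executable that prints
# the vault password taken from an environment variable to stdout.
# $1: path to write (e.g. ./mypass.sh). The file contains no secret, so it
# is safe to commit to the repository.
write_vault_pass_script() {
  cat > "$1" <<'EOF'
#!/bin/sh
# Ansible runs this with no arguments and reads the password from stdout.
# Fail loudly when the CI variable is missing instead of printing an empty
# password, which would only surface later as a confusing decryption error.
if [ -z "${ANSIBLE_VAULT_PASS:-}" ]; then
  echo "ANSIBLE_VAULT_PASS is not set; define it as a secured CI variable" >&2
  exit 1
fi
# printf, not echo: no trailing newline and no escape-sequence interpretation.
printf '%s' "$ANSIBLE_VAULT_PASS"
EOF
  chmod 0755 "$1"
}

# Invoke the helper the way Ansible would, with the variable exported.
# $1: script path, $2: value to expose as ANSIBLE_VAULT_PASS.
run_vault_pass_script() {
  ANSIBLE_VAULT_PASS="$2" "$1"
}

# Pre-commit sanity check: returns 0 (true) if the secret leaked into the
# file that is about to be pushed.
# $1: script path, $2: the secret value.
script_contains_secret() {
  grep -q -F -- "$2" "$1"
}

# Stand-alone demonstration with a constructed password in a temp dir.
demo_dir=$(mktemp -d)
write_vault_pass_script "$demo_dir/mypass.sh"
echo "helper prints: $(run_vault_pass_script "$demo_dir/mypass.sh" 'constructed-demo-pw')"
if script_contains_secret "$demo_dir/mypass.sh" 'constructed-demo-pw'; then
  echo "secret leaked into the committed script" >&2
else
  echo "committed script holds no secret"
fi
# In the pipeline, with ANSIBLE_VAULT_PASS set as a secured variable:
#   ansible-playbook site.yml --vault-password-file ./mypass.sh
rm -rf "$demo_dir"
```

Setting ANSIBLE_VAULT_PASSWORD_FILE=./mypass.sh in the pipeline environment works the same way, since Ansible treats that path exactly like the --vault-password-file argument. The file must be executable in the repository (commit the mode bit, or chmod +x it in the pipeline step), otherwise Ansible reads its contents as the literal password.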

Context

StackExchange DevOps Q#709, answer score: 13
