What are best practices for using Ansible Vault on public CI's and Source Control Repositories like BitBucket?
Problem
Introduction
On private CIs and source control repositories like Gitlab-ce it is possible to copy a ~/.vault_pass.txt to the server and let the CI use it to decrypt files using Ansible.
Problem
On public CIs and source control repositories like Bitbucket it is not possible to copy a ~/.vault_pass.txt to the CI server itself.
Discussion
In Bitbucket it is possible to define encrypted variables, but when this file is checked the only VAULT-related variables are:

    ANSIBLE_ASK_VAULT_PASS
    ANSIBLE_VAULT_PASSWORD_FILE

These variables are not an option to solve the issue, as when ANSIBLE_ASK_VAULT_PASS is set ansible-vault still prompts:

    user@host $
    Vault password:

When the same password is entered it can open the encrypted file, but the aim is to open the file without needing a file or entering a password in a prompt.
Another attempt to solve the issue was running

    export ANSIBLE_ASK_VAULT_PASS=

but the interactive mode persists. Another option is

    export ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass.txt

but then this file needs to be pushed to the repository, and source control repositories should not contain passwords.
Solution
--vault-password-file can instead point to an executable script that writes to stdout. This little-known feature should solve your problem.
First, write a simple, executable script that prints a system environment variable, and check that into your source control. Then, use Bitbucket's encrypted variable feature to set that environment variable to your ansible-vault secret. Finally, execute like so:

    ansible-playbook site.yml --vault-password-file ./mypass.sh

References:
- http://docs.ansible.com/ansible/playbooks_vault.html#running-a-playbook-with-vault
- https://groups.google.com/forum/#!topic/ansible-devel/1vFc3y6Ogto
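The three steps of the answer, as an added example that is not part of the answer or of Ansible itself: the checked-in password script, and a small harness that runs it the way ansible-playbook runs an executable --vault-password-file. The variable name ANSIBLE_VAULT_PASSWORD and the script name mypass.sh are assumptions; the secret used in the self-check is a constructed dummy value.

```shell
#!/bin/sh
# Added example, not code from the answer above. Assumed names: the Bitbucket
# secured variable ANSIBLE_VAULT_PASSWORD and the checked-in script mypass.sh.

# Write the password script the answer describes. The script prints the secret
# from the environment and nothing else; if the variable is missing it exits
# non-zero with an empty stdout, so a misconfigured pipeline fails at once
# rather than handing Ansible an empty string as the vault password.
write_vault_pass_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
set -eu
# No `set -x` here: shell tracing would echo the expanded secret into the CI log.
if [ -z "${ANSIBLE_VAULT_PASSWORD:-}" ]; then
    echo "mypass.sh: ANSIBLE_VAULT_PASSWORD is not set" >&2
    exit 1
fi
printf '%s\n' "$ANSIBLE_VAULT_PASSWORD"
EOF
    # Ansible only executes a --vault-password-file that has the executable bit;
    # a non-executable file is read as the literal password.
    chmod 0755 "$1"
}

# Run the script with a given value in the environment and return its stdout,
# which is what ansible-playbook does internally for an executable
# --vault-password-file. $1 = script path, $2 = value for the variable.
password_from_script() {
    ANSIBLE_VAULT_PASSWORD="$2" "$1"
}

# Self-check with a constructed (fake) secret in a temporary directory.
demo() {
    dir=$(mktemp -d)
    write_vault_pass_script "$dir/mypass.sh"
    if [ "$(password_from_script "$dir/mypass.sh" 'constructed-demo-secret')" = 'constructed-demo-secret' ]; then
        echo "script returns the secret from the environment"
    fi
    if ! password_from_script "$dir/mypass.sh" '' 2>/dev/null; then
        echo "script refuses to run without the variable"
    fi
    rm -rf "$dir"
}
demo
```

Two things to check when committing the script: the executable bit must survive the commit (`git update-index --chmod=+x mypass.sh` if the checkout lost it), because Ansible reads a non-executable password file as the password itself, and neither the script nor the CI step that calls it should run with shell tracing enabled, since the trace prints the expanded secret to the build log.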
Context
StackExchange DevOps Q#709, answer score: 13