How to run playbook api in Ansible v2 with vault

2019-07-21 01:07发布

站内问答 / 前沿技术
600 1 5

Here is what I have, I know this works without encryption and I can run

ansible-vault edit common.yml

with

ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass.txt

set in the env.

from collections import namedtuple
from ansible.parsing.dataloader import DataLoader
from ansible.vars import VariableManager
from ansible.inventory import Inventory
from ansible.playbook import Playbook
from ansible.executor.playbook_executor import PlaybookExecutor

variable_manager = VariableManager()
loader = DataLoader()

inventory = Inventory(loader=loader, variable_manager=variable_manager,  host_list='playbooks/hosts')
playbook_path = 'playbooks/' + PROJECT + '.yml'

Options = namedtuple('Options', ['connection',  'forks', 'become', 'become_method', 'become_user', 'check', 'listhosts', 'listtasks', 'listtags', 'syntax', 'module_path', 'vault_password_file'])
options = Options(connection='ssh', forks=5, become=None, become_method=None, become_user=None, check=False, listhosts=False, listtasks=False, listtags=False, syntax=False, module_path="", vault_password_file=os.environ['ANSIBLE_VAULT_PASSWORD_FILE'])

variable_manager.extra_vars = {'CAP_VERSION': CAP_VERSION, 'cluster': PROJECT + '-' + ENVIRONMENT, 'environ': ENVIRONMENT, 'rpm': rpmSource, 'VRSN': ARTI_BRANCH }

passwords = {}

pbex = PlaybookExecutor(playbooks=[playbook_path], inventory=inventory, variable_manager=variable_manager, loader=loader, options=options, passwords=passwords)
results = pbex.run()

It fails to decrypt the common.yml

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/opt/ansible/ansible/lib/ansible/executor/playbook_executor.py", line 125, in run
    all_vars = self._variable_manager.get_vars(loader=self._loader, play=play)
  File "/opt/ansible/ansible/lib/ansible/vars/__init__.py", line 304, in get_vars
    data = preprocess_vars(loader.load_from_file(vars_file))
  File "/opt/ansible/ansible/lib/ansible/parsing/dataloader.py", line 119, in load_from_file
(file_data, show_content) = self._get_file_contents(file_name)
  File "/opt/ansible/ansible/lib/ansible/parsing/dataloader.py", line 178, in _get_file_contents
    data = self._vault.decrypt(data, filename=b_file_name)
  File "/opt/ansible/ansible/lib/ansible/parsing/vault/__init__.py", line 264, in decrypt
raise AnsibleError(msg)
ansible.errors.AnsibleError: Decryption failed on /ansible/playbooks/vars/common.yml

1条回答
闹够了就滚
2楼-- · 2019-07-21 01:28

In ansible 2.2.2 (not sure about other versions since the API can change frequently):

You can manually set the password in the python script like so:

loader = DataLoader()
loader.set_vault_password('mypass')

Or you could load the password from your vault password file:

import os
loader = DataLoader()
with open('{}/.vault_pass.txt'.format(os.path.expanduser('~')), 'r') as file:
    loader.set_vault_password(file.read().splitlines()[0])

You can skip importing os and just put in your absolute path to the .vault_pass.txt file.

If you are sure your ANSIBLE_VAULT_PASSWORD_FILE is set in env:

import os
loader = DataLoader()
with open(os.environ['ANSIBLE_VAULT_PASSWORD_FILE'], 'r') as file:
    loader.set_vault_password(file.read().splitlines()[0])
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)