Hello,
I've found a post <https://newbit.ch/ansible-vault-encrypted-variables/>
explaining a way to encrypt using VaultLib from ansible.parsing.vault:
call its encrypt method, then recreate the flag format of encrypt_string
using the pyyaml module.

On Thursday, September 1, 2022 at 12:57:10 PM UTC+2 uto...@gmail.com wrote:

> Sounds like we're both addressing the same issue. I've included below our 
> internal docs for using this filter. It addresses vim, but any editor 
> that can pass a subset of lines through a filter should be able to use it.
>
> It's simpler to write your YAML variable definitions and values as you 
> normally do, then pass the "sensitive" ones through a filter that takes 
> care of the fiddly details. Let's start with the same YAML data as in the 
> example above, and use vim on [*redacted*] to edit it. Again, you should 
> have your ANSIBLE_VAULT_IDENTITY and ANSIBLE_VAULT_IDENTITY_LIST 
> environment variables set. Here's the procedure:
>
>    - Load the vars file in vim.
>    - Go down to the datum that you want to vault.
>    - Activate "visual selection" with "*shift-v*". Your current line
>      should highlight.
>    - If applicable, cursor down until all the lines containing the
>      desired data are highlighted. (Some data span multiple lines!)
>    - Hit "*:*". You should be presented with a prompt like ":'<,'>"
>      which represents the range of selected lines that you want to
>      operate on.
>    - Type "*!av-filter*" and hit enter. This will pipe the selected
>      lines through the "av-filter" command, replacing the original
>      line with the av-filter's output. (Use "*!av-filter xxxx*" if
>      you don't have your ANSIBLE_VAULT_IDENTITY environment variable
>      set, but you do have an "xxxx" vault identity.)
>    - Wait for it; ansible-vault is no speed daemon.
>
> Your selected data should be replaced with the ansible-vault encrypted 
> version of the same string, i.e. the blue bits from the section above. If 
> things messed up and you got error messages, *read them*, then hit "u" to 
> invoke vim's "undo" command. That should put things as they were, and you 
> can go and think about just what you have done.
>
> The same procedure will *unvault* the value if it's already vaulted. That 
> "!vault" is a YAML tag that indicates the data type; av-filter always 
> encrypts strings and decrypts "!vault", so you never have to tell it 
> whether to encrypt or decrypt. On the back-end of course it's invoking 
> ansible-vault for you and handling the data transfers in and out.
>
> Also, *av-filter* is in the /[*redacted*]/bin directory. If that's not 
> in your path, you've got more work to do. It's a short python script which 
> you can copy to your workstation if you like. (And you get a free trip to 
> pip hell out of it.)
>
>
> On 9/1/22 5:32 AM, Jonathan wrote:
>
> It's to be used outside of ansible, to help change vaulted vars more 
> easily for users. 
> I'll look at your snippet and see if I can make it work for me, I was 
> trying to avoid running `ansible-vault` using pure python.
> On Wednesday, August 31, 2022 at 7:55:07 PM UTC+2 uto...@gmail.com wrote:
>
>> It isn't clear whether you're trying to do this inside or outside of 
>> Ansible. If outside, you can have your python script call ansible-vault and 
>> pass the data you want to encrypt or decrypt via stdin/stdout. I got this 
>> working in
>>
>> https://gist.github.com/utoddl/66baa4154618ba1fc8ec8127483e7e89
>>
>> which is a filter I can pass a subset of yaml data through from $EDITOR, 
>> and it will decrypt encrypted values, or decrypt encrypted values. It 
>> preserves the original yaml's indentation, so greatly simplifies 
>> maintenance of secrets in otherwise readable vars files. (ToDo: It doesn't 
>> preserve comments.) You should be able to adapt it for your purposes. 
>> Here's the blurb from the top of that gist:
>>
>> """Filter for "ansible-vault"ing YAML Data Values 
>>
>> This script allows an ansible user to pass lines of yaml data 
>> through it to get string values vaulted and/or already-vaulted values 
>> unvaulted, thus simplifying the maintenance of vaulted strings in 
>> Ansible vars files and eliminating the need to vault entire files. 
>>
>> It takes a single optional positional argument, which is the 
>> Ansible vault identity to use for encryption. This defaults to the 
>> value of the ANSIBLE_VAULT_IDENTITY environment variable. If any 
>> encryption is performed, either the environment variable or the 
>> positional parameter must be provided. (Values from any ansible.cfg 
>> files are insufficient.) """
>>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-devel+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-devel/a0f40a16-4b2e-4008-b83a-e7b925a28278n%40googlegroups.com.