On Tue, 28 May 2024 at 15:17, Dick Visser <dnmvis...@gmail.com> wrote:
>
> This seems to work, and because ansible.cfg contains the right information
> (vault_identity_list, vault_encrypt_identity) the encrypted content looks
> good, when I'm debugging.
> But the actual file contents are plain text again. It seems the copy
> module decrypts the encrypted content again? How can I force the content to
> NOT be decrypted?
>

To quickly answer my own question: there is a decrypt parameter:

https://docs.ansible.com/ansible/latest/collections/ansible/builtin/copy_module.html#parameter-decrypt

I had never noticed that 🤡
So the first task does work now.

Still my other question remains:

> Another approach is the vault filter, which seems to be a bit cleaner. I
> thought this would do the trick:
>
> - name: save token
>   ansible.builtin.copy:
>     content: "{{ token | ansible.builtin.vault }}"
>     dest: /tmp/out2
>     mode: 0600
>
> But that didn't work, the filter insists on an actual secret value. I then
> must do a separate lookup for the ansible vault password. But the vault
> password file can also be an executable that sends the secret to stdout. I
> don't want to have to implement that logic myself.
>
> Is there a way for the ansible.builtin.vault filter to use the
> vault_identity_list and vault_encrypt_identity that are in ansible.cfg?
>
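
The selection logic the message refers to (a `vault_identity_list` of `label@source` entries, where a source may be a plain password file or an executable that prints the secret to stdout) can be sketched as follows. This is an added example, not code from the original post or from Ansible itself; the function names are hypothetical, the sample files are constructed, and prompt sources and `-client` scripts that take a `--vault-id` argument are not covered.

```python
import os
import subprocess
import tempfile
from pathlib import Path


def parse_identity_list(value):
    """Split a vault_identity_list value into (label, source) pairs."""
    pairs = []
    for item in filter(None, (i.strip() for i in value.split(","))):
        # Entries look like "label@source"; an entry without "@" is given
        # the label "default" here (an assumption of this sketch).
        label, sep, source = item.partition("@")
        pairs.append((label, source) if sep else ("default", item))
    return pairs


def read_vault_secret(source):
    """Return the secret for one source: run it if executable, else read it."""
    if source in ("prompt", "prompt_ask_vault_pass"):
        raise ValueError("interactive prompt sources are not handled here")
    path = os.path.expanduser(source)
    if os.path.isfile(path) and os.access(path, os.X_OK):
        # Executable password file: the secret is what it writes to stdout.
        out = subprocess.run([path], check=True, capture_output=True).stdout
    else:
        out = Path(path).read_bytes()
    secret = out.strip()
    if not secret:
        raise ValueError(f"empty vault secret from {path}")
    return secret


def secret_for_identity(identity_list, encrypt_identity):
    """Pick the source whose label matches vault_encrypt_identity."""
    for label, source in parse_identity_list(identity_list):
        if label == encrypt_identity:
            return read_vault_secret(source)
    raise KeyError(f"no vault identity labelled {encrypt_identity!r}")


def demo():
    # Constructed sample: one plain password file, one executable one.
    with tempfile.TemporaryDirectory() as d:
        plain, script = os.path.join(d, "dev.txt"), os.path.join(d, "prod.sh")
        Path(plain).write_text("dev-secret\n")
        Path(script).write_text("#!/bin/sh\necho prod-secret\n")
        os.chmod(script, 0o700)
        ids = f"dev@{plain}, prod@{script}"
        return secret_for_identity(ids, "dev"), secret_for_identity(ids, "prod")
```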