We can then plug this into our Ansible script to retrieve our password when we need it. Instead, Bitwarden has a command-line tool for interfacing with your vault. Where’s the bitwarden integration? #Setting up Bitwardenīecause Bitwarden does all its encryption client side (which is good), it doesn’t have an API for getting the details of specific items. We’ve gone from Ansible reading a text file with the secret baked in, to Ansible running a bash file with the secret baked in. Make it executable ( chmod +x), and our vault password will be used exactly as it did before (assuming our password was “hunter2”, which yours shouldn’t be). For example, if we change our vault password file to be: Whilst Ansible supports reading the vault password from a file, if said file is executable, Ansible will automatically run it, and use its output as the vault password. I’m already a Bitwarden user, and it already has my vault password in - can I use that? There are tools like Hashicorp Vault (no relation to Ansible vault), which are designed to store credentials, and provide them to tools as they need them, but that’s quite a large hammer for the problem. But that’s boring, not to mention the maintenance annoyance from rotating passwords and reinstalling my devices. gitignore-d, and have Ansible read from that. The simplest place to put the file is just in a text file, make sure it’s. At some point, the secret needs to be stored somewhere in plaintext. Getting started with ansible vault is out of scope for this post, but there are guides out there.Īnsible vault exists to enable storing secrets safely in a public repository, encrypted using a password. This is where Ansible vault comes in, which allows storing encrypted variables in the repository, which is decrypted at runtime using a password.
Personally, I make all of my “playbooks” public for all for all to see, but provisioning still requires some secrets. It’s versatile, it’s simple, it’s powerful, and has a number of great features. I’ve used Ansible for a number of years for the provisioning of both my servers and desktops.
0 kommentar(er)
