1
votes

I want to pass in a password to ansible.

The pass is encrypted with ansible vault and I have it in a file and I have the ansible vault pass available for decryption.

I need to use that decrypted password as ansible_password.

So far I have:

run.sh: sh script to run the ad_hoc command I need to run

#!/bin/sh
ansible all -i 'somehost,' -m win_ping --extra-vars "ansible_port=5986 \
 ansible_connection=winrm ansible_winrm_server_cert_validation=ignore validate_certs=false \
 ansible_user=somedomain\s-someserviceaccount ansible_password=___need_decrypted_password___"

and

someenv_vault.yaml a file with a vault encrypted pass

$ANSIBLE_VAULT;1.1;AES256
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef012345678
9abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef01
23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789a
bcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef01234567

and

~/.vault_pass

somevaultpassword

How do I get a decrypted vault password into the ansible ad hoc command?

1
Did you try the --vault-password-file option? - Jack

1 Answer

0
votes

I solved it with the following

run.sh

#!/bin/bash
# Decrypt the vault blob fed on stdin; ansible-vault writes the plaintext to stdout.
THEPASS=$(ansible-vault decrypt <<JOYPEFF
\$ANSIBLE_VAULT;1.1;AES256
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef012345678
9abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef01
23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789a
bcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef01234567
JOYPEFF
)
# The usage hint is printed on every run; $1 is the comma-separated server list.
echo "usage ./run.sh <servername(s)> ..."
echo "e.g. ./run.sh server1,server2"
# $THEPASS is expanded into the ansible command line here.
ansible all -i "$1," -m win_ping --extra-vars "ansible_winrm_transport=credssp ansible_port=5986 ansible_connection=winrm ansible_winrm_server_cert_validation=ignore validate_certs=false ansible_user=somedomain\s-someserviceaccount ansible_password=$THEPASS"
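
An added example, not part of the original answer: a variant of run.sh that lets ansible decrypt the vault file itself (--vault-password-file, as the comment on the question suggests, plus -e @file), so the decrypted password never lands in a shell variable or on the command line. It assumes someenv_vault.yaml decrypts to a YAML mapping containing ansible_password; the function names (is_vault_file, is_private, preflight, run_win_ping) are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: someenv_vault.yaml
# decrypts to a YAML mapping such as   ansible_password: "..."

# True when the first line is a vault header, i.e. the file is not plaintext.
is_vault_file() {
    case "$(head -n 1 -- "$1" 2>/dev/null)" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# True for a regular file with no group/other permission bits (e.g. mode 600).
is_private() {
    case "$(ls -ldL -- "$1" 2>/dev/null)" in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 = ok, 2 = no hosts given, 3 = vars file not vault-encrypted,
# 4 = vault password file readable by group or others.
preflight() {
    [ -n "$1" ] || return 2
    is_vault_file "$2" || return 3
    is_private "$3" || return 4
}

# Hypothetical wrapper; connection settings are copied from the answer above.
run_win_ping() {
    hosts=$1
    vars_file=${2:-someenv_vault.yaml}
    pass_file=${3:-$HOME/.vault_pass}
    preflight "$hosts" "$vars_file" "$pass_file" || return $?
    # ansible decrypts @file in-process, so the secret never appears in argv.
    ansible all -i "$hosts," -m win_ping \
        --vault-password-file "$pass_file" \
        -e "@$vars_file" \
        -e 'ansible_winrm_transport=credssp ansible_port=5986 ansible_connection=winrm' \
        -e 'ansible_winrm_server_cert_validation=ignore validate_certs=false' \
        -e 'ansible_user=somedomain\s-someserviceaccount'
}

# Usage: ./run.sh server1,server2 [vars_file] [vault_pass_file]
if [ "$#" -gt 0 ]; then
    run_win_ping "$@"
fi
```

The preflight return code tells the caller which check failed before any connection is attempted.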