ansible-gpg-key
Ansible-vault compatibility?
Hi, thanks for the module. I'm currently using it to quickly reprovision my workstation. As for secrets I'm tending to make use of ansible-vault.
However, when using secrets with this module the playbook run breaks, because the content remains encrypted and can therefore not be read by gpg.
fatal: [localhost]: FAILED! => {
    "changed": false,
    "cmd": "/usr/local/bin/gpg --homedir /Users/foo/.gnupg --with-colons --import-options show-only --import /Users/foo/git/dotfiles/roles/gpg/files/my-private-keys.asc",
    "invocation": {
        "module_args": {
            "content": null,
            "file": "/Users/foo/git/dotfiles/roles/gpg/files/my-private-keys.asc",
            "fpr": null,
            "gpgbin": "/usr/local/bin/gpg",
            "homedir": "/Users/foo/.gnupg",
            "keyserver": "keyserver.ubuntu.com",
            "manage_trust": true,
            "state": "absent",
            "trust": "1"
        }
    },
    "msg": "gpg: no valid OpenPGP data found.",
    "rc": 2,
    "stderr": "gpg: no valid OpenPGP data found.\n",
    "stderr_lines": [
        "gpg: no valid OpenPGP data found."
    ],
    "stdout": "",
    "stdout_lines": []
}
I have to manually decrypt the files before running my playbooks. Is it possible to integrate the decryption process into the playbook run, as for other Ansible modules (e.g. copy)? Should it have worked in the first place?
Okay, my current workaround is to use the copy module to decrypt the file to a temporary location and then reference this file inside the import task.
Feel free to close this issue, even though I'd still fancy the idea of not working around as described.
Another workaround I've found that avoids the temporary file is to use the file lookup plugin, as it seems to support Ansible Vault and will decrypt the file at playbook run time using Ansible Vault and return the decrypted contents. To be clear, you would need to use the content option on the module instead of file with this approach.
content: "{{ lookup('file', 'files/my-ansible-vault-encrypted-file') }}"
EDIT: Also just found that Ansible 2.10 added an unvault lookup plugin as well, which is more explicit about the intended use than the file lookup itself.
Don't use Ansible Vault myself (I use HashiCorp Vault with custom middleware), so no plans on supporting that. Would be open to a PR though if anyone cares enough to make it work out of the box. But maybe it is better to use the suggested unvault() lookup plugin instead?
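The two workarounds discussed in this thread (the copy-to-temp-file approach and the lookup-plugin approach), written out as an added example that is not part of the issue or of the module's own documentation. It assumes the module is invoked as `gpg_key`, that `state: present` imports a key, and that the parameter names match those in the failure output above; the file path is a placeholder.

```yaml
# Added example, not from the issue or the module's docs. Assumptions: the module
# task name is `gpg_key`, `state: present` imports, and `content`/`file`/`homedir`
# are accepted as shown in the module_args of the failure output above.
- name: Import a vault-encrypted private key with ansible-gpg-key
  hosts: localhost
  vars:
    gpg_homedir: "{{ ansible_env.HOME }}/.gnupg"
    vaulted_key: files/my-private-keys.asc   # placeholder, encrypted with ansible-vault
  tasks:

    # Workaround 1 (Ansible >= 2.10): decrypt in memory with the unvault lookup
    # and hand the plaintext to the module's `content` option. No temp file is
    # written; no_log keeps the key material out of task output and logs.
    - name: Import private key via the unvault lookup
      gpg_key:
        content: "{{ lookup('ansible.builtin.unvault', vaulted_key) }}"
        homedir: "{{ gpg_homedir }}"
        state: present
      no_log: true

    # Workaround 2 (older Ansible): let the copy module decrypt to a temp file,
    # import from that file, and always remove the plaintext afterwards.
    - name: Import private key via a temporary decrypted file
      block:
        - name: Create a private temp file for the decrypted key
          ansible.builtin.tempfile:
            state: file
            suffix: .asc
          register: tmp_key

        - name: Decrypt the vaulted key into the temp file (owner-only perms)
          ansible.builtin.copy:
            src: "{{ vaulted_key }}"
            dest: "{{ tmp_key.path }}"
            decrypt: true
            mode: "0600"
          no_log: true

        - name: Import from the temporary plaintext file
          gpg_key:
            file: "{{ tmp_key.path }}"
            homedir: "{{ gpg_homedir }}"
            state: present
          no_log: true
      always:
        - name: Remove the plaintext temp file even if the import failed
          ansible.builtin.file:
            path: "{{ tmp_key.path }}"
            state: absent
          when: tmp_key.path is defined
```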