保险库是否可以有多个密码
Is it possible to have multi password with vault
我有一个与其他团队共享的部署项目。我用保险库加密了我的秘密。
我想用密码加密生产文件,用其他密码加密暂存文件,以避免其他团队访问生产机密。
可以吗?
我做过类似的事情。我的秘密:
cat /group_vars/all/vault_production.yml (encrypt with password A)
production_password: 'test1'
cat/group_vars/all/vault_staging.yml (encrypt with password B)
staging_password: 'test2'
我的环境:
cat hosts-production
[all:vars]
env_type=production
cat hosts-staging
[all:vars]
env_type=staging
我的脚本:
- copy:
content: |
env PASS={{hostvars[inventory_hostname][env_type + '_password']}}
...
然后我就这样启动了剧本。
# for production
ansible-playbook -i hosts-staging test.yml --vault-password-file .password_a
# for staging
ansible-playbook -i hosts-staging test.yml --vault-password-file .password_b
但这不起作用,因为有 2 个不同的密码(错误!解密失败)。
你知道怎么做吗 ?
谢谢。
BR,
埃里克
抱歉,今天 运行 只允许使用一个保管库密码。在您真正只需要一个或另一个的情况下,解决此问题的最佳方法是基于 var 动态加载一个 vaulted 文件;例如:
- hosts: localhost
vars_files:
- secretstuff-{{ env_type }}.yml
tasks:
...
或
- hosts: localhost
tasks:
- include_vars: secretstuff-{{ env_type }}.yml
...
取决于你是否需要变量在一场比赛或整个比赛中存活下来 运行(后者会将它们作为事实而不是比赛变量)。
Multiple vault passwords 自 Ansible 2.4 起支持:
ansible-playbook --vault-id dev@dev-password --vault-id prod@prompt site.yml
If multiple vault passwords are provided, by default Ansible will attempt to decrypt vault content by trying each vault secret in the order they were provided on the command line.
In the above case, the ‘dev’ password will be tried first, then the ‘prod’ password for cases where Ansible doesn’t know which vault id is used to encrypt something.
我有一个与其他团队共享的部署项目。我用保险库加密了我的秘密。 我想用密码加密生产文件,用其他密码加密暂存文件,以避免其他团队访问生产机密。
可以吗?
我做过类似的事情。我的秘密:
cat /group_vars/all/vault_production.yml (encrypt with password A)
production_password: 'test1'
cat/group_vars/all/vault_staging.yml (encrypt with password B)
staging_password: 'test2'
我的环境:
cat hosts-production
[all:vars]
env_type=production
cat hosts-staging
[all:vars]
env_type=staging
我的脚本:
- copy:
content: |
env PASS={{hostvars[inventory_hostname][env_type + '_password']}}
...
然后我就这样启动了剧本。
# for production
ansible-playbook -i hosts-staging test.yml --vault-password-file .password_a
# for staging
ansible-playbook -i hosts-staging test.yml --vault-password-file .password_b
但这不起作用,因为有 2 个不同的密码(错误!解密失败)。 你知道怎么做吗 ?
谢谢。
BR,
埃里克
抱歉,今天 运行 只允许使用一个保管库密码。在您真正只需要一个或另一个的情况下,解决此问题的最佳方法是基于 var 动态加载一个 vaulted 文件;例如:
- hosts: localhost
vars_files:
- secretstuff-{{ env_type }}.yml
tasks:
...
或
- hosts: localhost
tasks:
- include_vars: secretstuff-{{ env_type }}.yml
...
取决于你是否需要变量在一场比赛或整个比赛中存活下来 运行(后者会将它们作为事实而不是比赛变量)。
Multiple vault passwords 自 Ansible 2.4 起支持:
ansible-playbook --vault-id dev@dev-password --vault-id prod@prompt site.yml
If multiple vault passwords are provided, by default Ansible will attempt to decrypt vault content by trying each vault secret in the order they were provided on the command line.
In the above case, the ‘dev’ password will be tried first, then the ‘prod’ password for cases where Ansible doesn’t know which vault id is used to encrypt something.