How to decrypt a 'clear text YAML file' with vaulted variable?
I'm using Ansible 2.7.16.
The Ansible documentation says:
Single Encrypted Variable
As of version 2.3, Ansible can now use a vaulted variable that lives in an otherwise ‘clear text’ YAML file:
notsecret: myvalue
mysecret: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          66386439653236336462626566653063336164663966303231363934653561363964363833313662
          6431626536303530376336343832656537303632313433360a626438346336353331386135323734
          62656361653630373231613662633962316233633936396165386439616533353965373339616234
          3430613539666330390a313736323265656432366236633330313963326365653937323833366536
          34623731376664623134383463316265643436343438623266623965636363326136
other_plain_text: othervalue
I have the following .yml file:
user: dbuser
pass: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          33633131346338633461336438656463643539396535656432306564636466353338373135346166
          3838313236383739616239333265323131376231656633350a613333613239646263393330353930
          31303935646330643831396130343031613063393839353433646338343034386432656435623934
          6537356530643136310a373835323666393337346562613831613962323261346232323331343631
          3838
I want a decrypted file, so I tried the command:
ansible-playbook --vault-password-file pass.txt config.yml
But I got the following error:
[WARNING]: Unable to parse /etc/ansible/hosts as an inventory source
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
ERROR! playbooks must be a list of plays
The error appears to have been in '/tmp/config.yml': line 1, column 1, but may
be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:
user: dbuser
^ here
How can I get the .yml file with the variable decrypted?
Q: "How could I get the .yml file decrypted ?"
A: Simply use the file as you would any other file with variables. For example
shell> ansible-vault encrypt_string 'password' --name 'pass'
pass: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          65303631663061316538623639316439366538386430656239383735353237343762346364653230
          3163643637333966643762383733633465353065333564310a303762343732613363313864646661
          66633539363865386362613362663238353664356439386431303065646530666562326662356439
          3032313564373364360a623830613763616635383633363631356535316162393138373336386534
          3835
shell> cat conf1.yml
pass: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          65303631663061316538623639316439366538386430656239383735353237343762346364653230
          3163643637333966643762383733633465353065333564310a303762343732613363313864646661
          66633539363865386362613362663238353664356439386431303065646530666562326662356439
          3032313564373364360a623830613763616635383633363631356535316162393138373336386534
          3835
shell> cat playbook.yml
- hosts: localhost
  tasks:
    - include_vars: conf1.yml
    - debug:
        var: pass
gives
shell> ansible-playbook playbook.yml
...
"pass": "password"
A: Optionally, decrypt the file the same way it was encrypted. For example
shell> cat conf.yml
user: dbuser
shell> ansible-vault encrypt conf.yml
Encryption successful
shell> cat conf.yml
$ANSIBLE_VAULT;1.1;AES256
63313762343630623364653737643462373034653762616333663330613039623534633030666135
6633343263666465356537316430623834386130626231310a376639356234336664386239336461
31313935613565656639653532613639396536326662346234373563663065643564373939316539
3430643635623339390a393139326337306363623565356439626430643161356266323832313461
3633
shell> ansible-vault decrypt conf.yml
Decryption successful
shell> cat conf.yml
user: dbuser
A: In a playbook, simply use it as you would any other file with variables. For example, the playbook
shell> cat playbook.yml
- hosts: localhost
  tasks:
    - include_vars: conf.yml
    - debug:
        var: user
gives
shell> ansible-playbook playbook.yml
...
"user": "dbuser"
I don't know how to handle all vaulted values, but yq and a pipe work for decrypting a single value:
yq e ".pass" config.yml | ansible-vault decrypt
Not sure if there is any way other than putting the encrypted variable into a separate file, indenting it, and using:
ansible-vault decrypt var_in_file.yml
Also, the answer that uses yq for a single variable may work too:
yq -r ".variable" ansible_playbook.yml > var_in_file.yml
ansible-vault decrypt var_in_file.yml
But in the second case I'm not sure whether the indentation is preserved.
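Added example, not part of the original thread: one way to handle every vaulted value in an otherwise clear-text file at once, by locating each `!vault |` block, stripping its indentation, and piping it to `ansible-vault decrypt` on stdin as the yq answer does for a single key. The names `extract_vaulted`, `decrypt_all` and `SAMPLE` are hypothetical, key names are assumed to be unique within the file, and the sample payload is constructed, not real ciphertext.

```python
import re
import subprocess

# "key: !vault |" at any indentation (top-level or nested mapping key).
VAULT_KEY = re.compile(r"^(\s*)([\w.-]+):\s*!vault\s*\|[-+]?\s*$")

def indent_of(line):
    return len(line) - len(line.lstrip())

def extract_vaulted(text):
    """Return {key: vault envelope} for every inline '!vault |' scalar."""
    found, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        m = VAULT_KEY.match(lines[i])
        i += 1
        if not m:
            continue
        key, block = m.group(2), []
        # The block scalar is every following line indented deeper than its key.
        while i < len(lines) and lines[i].strip() and indent_of(lines[i]) > len(m.group(1)):
            block.append(lines[i].strip())
            i += 1
        if not block or not block[0].startswith("$ANSIBLE_VAULT;"):
            raise ValueError(f"{key}: no vault envelope under the !vault tag")
        if not all(re.fullmatch(r"[0-9a-f]+", ln) for ln in block[1:]):
            raise ValueError(f"{key}: payload is not hex")
        found[key] = "\n".join(block) + "\n"
    return found

def decrypt_all(path, password_file):
    """Pipe each envelope to 'ansible-vault decrypt'; the result holds plaintext secrets."""
    with open(path) as fh:
        vaulted = extract_vaulted(fh.read())
    plain = {}
    for key, envelope in vaulted.items():
        proc = subprocess.run(
            ["ansible-vault", "decrypt", "--vault-password-file", password_file],
            input=envelope, capture_output=True, text=True, check=True)
        plain[key] = proc.stdout
    return plain

# Constructed sample shaped like the question's config.yml; the hex is not real ciphertext.
SAMPLE = """user: dbuser
pass: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          6161616161616161
          6262
other: value
"""
```

`decrypt_all("config.yml", "pass.txt")` returns the decrypted values in memory; writing them back to disk would undo the point of vaulting them.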