  • Stars: 109
  • Rank 319,077 (Top 7 %)
  • Language: Shell
  • License: ISC License
  • Created almost 9 years ago
  • Updated almost 6 years ago


Tools for working with ansible-vault

Ansible vault tools

Ansible vault is a great tool for managing secrets for Ansible playbooks, but dealing with the vault can be a pain. This repo contains instructions and helper scripts that reduce that pain.

Installation

This project provides some helper scripts for dealing with ansible vault files. They can be installed by running make install, which may or may not require root permissions depending on where they are installed.

There is also a make uninstall, in case you change your mind.

Vault Filename Conventions

For git to know when to use the ansible vault tools to decrypt a file, it needs to recognise which files are vault files. To do this, you will need a consistent naming convention for your vault files. I recommend either vault.yml (if you like having a single vault) or *.vault.yml (if you like having lots of vaults).

Git configuration

The pattern for your vault files can be configured in any of three places for git.

  • ./.gitattributes - per project, checked into git
  • ./.git/info/attributes - per project, not checked in
  • $HOME/.config/git/attributes - per user config

Wherever you choose to put it, the configuration is the same:

# gitattributes
vault.yml diff=ansible-vault merge=ansible-vault
*.vault.yml diff=ansible-vault merge=ansible-vault

git diff

Git diff can be configured to convert binary files into text before diffing, giving an effective diff of files git would otherwise treat as opaque. Some other projects use this to do some pretty cool stuff.

The configuration for the ansible-vault diff handler goes into $HOME/.gitconfig.

# gitconfig
[diff "ansible-vault"]
	textconv = ansible-vault view
	# Do not cache the vault contents: with caching on, git stores the
	# decrypted output of textconv under refs/notes/textconv in the repo
	cachetextconv = false

git grep

With the textconv settings above, git can also grep inside vaulted files. To do this, pass the --textconv option to git grep.

$ git grep --textconv super_secret
group_vars/all/vault.yml:super_secret: tell no one

git merge

You can similarly configure a merge driver for ansible vault files. The provided merge driver uses the underlying git merge-file command to merge the decrypted contents of the vault files being merged. If there are any merge conflicts, $EDITOR is opened so you can resolve the conflict before the merged file is re-encrypted.

# gitconfig
[merge "ansible-vault"]
	name = ansible-vault merge driver
	driver = /usr/local/bin/ansible-vault-merge -- %O %A %B %P
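As an added illustration of the flow described above (this is not the repository's own ansible-vault-merge script), here is a merge driver with the same shape: decrypt the three inputs, run git merge-file, hand conflicts to $EDITOR, and re-encrypt the result over %A. It assumes ansible-vault and git are on PATH and that a vault password source is already configured.

```shell
#!/bin/sh
# Illustrative merge driver (added example, not the repository's own script).
# git invokes it as:  ansible-vault-merge -- %O %A %B %P
#   %O ancestor  %A ours (the merge result must be written here)  %B theirs  %P path
# Assumes ansible-vault and git are on PATH and a vault password source is configured.
set -eu

# Return 0 if the file still contains git conflict markers, 1 otherwise.
has_conflict_markers() {
    grep -Eq '^(<<<<<<<|=======|>>>>>>>)( |$)' "$1"
}

# Decrypt vault file $1 into plaintext file $2 (fails if $1 is not a vault file).
decrypt_to() {
    ansible-vault view "$1" > "$2"
}

merge_vault_files() {
    base=$1 ours=$2 theirs=$3 path=$4
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    decrypt_to "$base"   "$work/base"
    decrypt_to "$ours"   "$work/ours"
    decrypt_to "$theirs" "$work/theirs"
    # git merge-file writes the result into its first argument and exits
    # non-zero when it had to insert conflict markers (or on error).
    if ! git merge-file -L ours -L base -L theirs "$work/ours" "$work/base" "$work/theirs"; then
        ${EDITOR:-vi} "$work/ours"
        if has_conflict_markers "$work/ours"; then
            echo "$path: conflict markers remain, refusing to re-encrypt" >&2
            return 1
        fi
    fi
    # Re-encrypt the merged plaintext over %A, which git takes as the merge result.
    ansible-vault encrypt --output "$ours" "$work/ours"
}

if [ "${1:-}" = "--" ]; then
    shift
    merge_vault_files "$@"
fi
```

The plaintext only ever lives in a mktemp directory that is removed on exit; a non-zero return makes git leave the merge unresolved rather than committing a half-merged vault.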

ansible vault password caching

Ansible vault allows you to configure the location of the vault password file, which can go into any of Ansible's configuration files.

  • ./ansible.cfg - per project configuration
  • $HOME/.ansible.cfg - per user configuration
  • /etc/ansible/ansible.cfg - per system configuration

# ansible.cfg
[defaults]
vault_password_file = /path/to/vault_password_file

Normally the vault password file is a file containing the plain text vault password (which seems like a bad idea), but it can instead be an executable script, which can use a tool with good password caching (like gpg) to decrypt the password file. Please look up gpg-agent for instructions on how to use it effectively.

The helper gpg-vault-password-file creates a script that reads the vault password from a GPG encrypted file. It writes an executable script at the location given, together with the vault password encrypted with the default self key.

Used in this manner, ansible-vault will prompt for your GPG passphrase when run, and gpg-agent will cache it for some period of time.

$ gpg-vault-password-file /path/to/vault_password_file
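To show what such a password file looks like, here is an added example that builds one (it is not the repository's gpg-vault-password-file helper and its exact behaviour is an assumption): an executable wrapper that runs gpg --decrypt on a secret stored next to it. It assumes gpg is on PATH with a default key, and the "<target>.gpg" layout is a choice made here.

```shell
#!/bin/sh
# Added example (not the repository's gpg-vault-password-file helper) showing the
# same idea: the vault password file is an executable that decrypts a GPG-encrypted
# secret on demand, so gpg-agent's cache does the password caching.
# Assumes gpg is on PATH with a default key; the "<target>.gpg" layout is a choice here.
set -eu

# Write an executable wrapper to $1 that prints the secret stored in $2.
write_password_script() {
    script=$1 secret=$2
    umask 077
    cat > "$script" <<EOF
#!/bin/sh
# Run by ansible-vault; prints the vault password on stdout.
exec gpg --quiet --batch --decrypt "$secret"
EOF
    chmod 0700 "$script"
}

# Encrypt the vault password read from stdin to "$1.gpg" for the default self key.
encrypt_password() {
    secret="$1.gpg"
    umask 077
    gpg --quiet --batch --encrypt --default-recipient-self --output "$secret"
    echo "$secret"
}

# Prompt for the vault password without echo and build both files.
create_vault_password_file() {
    target=$1
    printf 'Vault password: ' >&2
    stty -echo; read -r password; stty echo; echo >&2
    secret=$(printf '%s\n' "$password" | encrypt_password "$target")
    write_password_script "$target" "$secret"
}

if [ $# -eq 1 ]; then
    create_vault_password_file "$1"
fi
```

Point vault_password_file in ansible.cfg at the wrapper; the plaintext password is never written to disk, only the .gpg file and the script.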

License

ISC License
