There are two safer ways to store this kind of sensitive data:
1. Ansible's command-line tool ansible-vault can encrypt and decrypt any file Ansible uses.
2. Keep the data in a third-party key management service.
ansible-vault can create, edit, encrypt, decrypt, rekey and view files. It can encrypt any file Ansible reads: inventory variables, variable files loaded from a playbook, variable files passed to a playbook on the command line, and variable files defined in roles.
Ansible Vault does the actual encryption through an external Python library (the cryptography package). Files are encrypted with AES-256 and the key is derived from a password you supply; the header `$ANSIBLE_VAULT;1.1;AES256` identifies the format, and everything after it is a hex-encoded payload, so `cat` on a vaulted file reveals nothing about its contents. The same password must be supplied every time Ansible reads the file.
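To make the format concrete, here is an added example (not code from the original post or from the Ansible project) that parses the vault 1.1 envelope of the `test.yml` shown later in this post and recomputes its integrity tag the way Ansible's VaultAES256 does: PBKDF2-HMAC-SHA256 with 10000 iterations derives 80 bytes (AES key, HMAC key, CTR IV), and HMAC-SHA256 over the raw ciphertext with the second key is checked before anything is decrypted. The example uses only the standard library, so it stops short of the AES-CTR step. The vault text is copied from this post; the password `redhat` tried at the end is an assumption, since the password used for `test.yml` is never shown.

```python
"""Parse an ansible-vault 1.1 file and verify its HMAC for a candidate password.

Added example; not part of the original post or of Ansible itself.
"""
import hashlib
import hmac

# The encrypted test.yml as printed in the post (copied verbatim).
VAULT_TEXT = """$ANSIBLE_VAULT;1.1;AES256
35323132396639386132393132373663326664316466333863666136623661333863666365633938
3134356261396233323532633732386235343463656334300a383862323435613132366330666134
37613065613833633832633565653133643334313439373339663934653437383536653430656166
3435323165623962640a383933393738613330396334323438303965633666343531336236626431
3866
"""

KEY_LEN = 32      # AES-256 key length
IV_LEN = 16       # AES block size, used as the CTR IV
ITERATIONS = 10000  # PBKDF2 iteration count used by VaultAES256


def is_vaulted(text: str) -> bool:
    """True if the text carries a vault header (the check a pre-commit hook would run)."""
    return text.startswith("$ANSIBLE_VAULT;")


def parse_vault(text: str) -> dict:
    """Split a vault 1.1 file into version, cipher, salt, hmac and ciphertext (bytes)."""
    header, _, body = text.partition("\n")
    tag, version, cipher = header.strip().split(";")
    if tag != "$ANSIBLE_VAULT" or version != "1.1" or cipher != "AES256":
        raise ValueError("not an ansible-vault 1.1 AES256 file: %r" % header)
    # The body is hex text. Decoding it once yields three newline-separated
    # hex strings: salt, hmac, ciphertext.
    inner = bytes.fromhex("".join(body.split())).decode("ascii")
    salt_hex, hmac_hex, ct_hex = inner.split("\n")
    return {
        "version": version,
        "cipher": cipher,
        "salt": bytes.fromhex(salt_hex),
        "hmac": bytes.fromhex(hmac_hex),
        "ciphertext": bytes.fromhex(ct_hex),
    }


def derive_keys(password: str, salt: bytes):
    """PBKDF2-HMAC-SHA256 -> (aes_key, hmac_key, iv), split as VaultAES256 splits them."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                  ITERATIONS, dklen=2 * KEY_LEN + IV_LEN)
    return derived[:KEY_LEN], derived[KEY_LEN:2 * KEY_LEN], derived[2 * KEY_LEN:]


def password_matches(text: str, password: str) -> bool:
    """Recompute the HMAC with the candidate password and compare in constant time.

    Ansible checks this tag *before* decrypting, which is why a wrong
    password fails cleanly instead of yielding garbage plaintext.
    """
    parts = parse_vault(text)
    _, hmac_key, _ = derive_keys(password, parts["salt"])
    tag = hmac.new(hmac_key, parts["ciphertext"], hashlib.sha256).digest()
    return hmac.compare_digest(tag, parts["hmac"])


if __name__ == "__main__":
    p = parse_vault(VAULT_TEXT)
    print("salt=%d bytes hmac=%d bytes ciphertext=%d bytes"
          % (len(p["salt"]), len(p["hmac"]), len(p["ciphertext"])))
    # Assumption: the post never shows the password used for test.yml;
    # "redhat" is the one it later writes to vault.pass.
    print("password 'redhat' matches:", password_matches(VAULT_TEXT, "redhat"))
```

The 16-byte ciphertext is one AES block, which is what the `---` shown by `ansible-vault view` becomes after PKCS7 padding; the 32-byte salt is random per file, so re-encrypting the same plaintext never produces the same envelope, and a diff of two vaulted files says nothing about whether their contents differ.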
# Interactive (password typed at a prompt)
[[email protected] ansible]# ansible-vault create test.yml # create a new encrypted file
New Vault password:
Confirm New Vault password:
[[email protected] ansible]# cat test.yml
$ANSIBLE_VAULT;1.1;AES256
35323132396639386132393132373663326664316466333863666136623661333863666365633938
3134356261396233323532633732386235343463656334300a383862323435613132366330666134
37613065613833633832633565653133643334313439373339663934653437383536653430656166
3435323165623962640a383933393738613330396334323438303965633666343531336236626431
3866
[[email protected] ansible]# ansible-vault view test.yml # view the encrypted file
Vault password:
---
[[email protected] ansible]# ansible-vault edit test.yml # edit the encrypted file
Vault password:
# Non-interactive (password read from a file). Note that `echo` leaves the password in the shell history and creates the file with the default umask; the `chmod 0600 vault.pass` applied later in this post is required.
[[email protected] ansible]# echo redhat >> vault.pass
[[email protected] ansible]# ansible-vault create test2.yml --vault-password-file=vault.pass
[[email protected] ansible]# ansible-vault rekey test2.yml --vault-password-file=vault.pass
New Vault password:
Confirm New Vault password:
Rekey successful
# Encrypt an existing YAML file (in place)
[[email protected] ansible]# ansible-vault encrypt del-local.yml
New Vault password:
Confirm New Vault password:
Encryption successful
[[email protected] ansible]# cat del-local.yml
$ANSIBLE_VAULT;1.1;AES256
32646664306332383564613237373231323262386630336330313839353164386462633831376362
6364306130356131643039366561663065633831343630340a623133383132313331323231373734
35643435633139626131663837626266353139303236396532343434386133303962666165663330
3637616461336364650a333938343539323063643364383334653361393661643233636133633363
65386537623536313466343263333034643636376562373562663535363537396430653062656137
62616465623633333036303831613238393939363563663137663830386461383865323965393732
66396233363833666561383235646236343930396533636131643035636437343766326633316336
32616230343030386462396537383730316566396566383461383766646561303936303939353838
33666634393363316538323137303464363265383562666161306461623664303332346662363439
34323165653336613736356635653964363638646364383365613230613735666663626134323939
63363635353634333963373363383264356633656637623131373865353164323433643630613935
33633039363461646331393032333535393339666562353231633266306463346166366233306162
36343035353935336431636434666139346531643230643933393634373562303161616562333335
36393636303763336463383630633937393332333630626666303239643534323162303765303033
61336366646566313331343533613566353261643638633235376635343362636632636132343233
35353131623238633933326330643263303032326233323362303533306262626135633832626264
32626431623139613938346633653834366438306663393635396635366330303130383565633966
30653364653936393163616130386638313166346265613834626538643961356139363563616666
38353931323465316666333434393964643265383239626632323863613165346539663538663238
34653930653263326134383731653337626437663736653762343731616333363238336435653933
66653664323937653666656337376439373731333839616663306335313832353266363631393231
3161636532643435623961376630386562613533363039376261
# Decrypt an encrypted file; --output writes the plaintext to a separate file and leaves the original encrypted (without --output the file is decrypted in place)
[[email protected] ansible]# ansible-vault decrypt del-local.yml --output=del-local-1.yml
Vault password:
Decryption successful
[[email protected] ansible]# cat del-local-1.yml
- name: dele to local
  hosts: 172.16.216.181
  tasks:
    - command: ps
      register: a_ps
      changed_when: false
    - debug:
        msg: "{{ a_ps.stdout }}"
    - local_action: command ps
      #command: ps
      #delegate_to: localhost
      register: local_ps
      changed_when: false
    - debug:
        msg: "{{ local_ps.stdout }}"
[[email protected] ansible]# cat del-local.yml # still encrypted: --output left the original untouched
$ANSIBLE_VAULT;1.1;AES256
32646664306332383564613237373231323262386630336330313839353164386462633831376362
6364306130356131643039366561663065633831343630340a623133383132313331323231373734
35643435633139626131663837626266353139303236396532343434386133303962666165663330
3637616461336364650a333938343539323063643364383334653361393661643233636133633363
65386537623536313466343263333034643636376562373562663535363537396430653062656137
62616465623633333036303831613238393939363563663137663830386461383865323965393732
66396233363833666561383235646236343930396533636131643035636437343766326633316336
32616230343030386462396537383730316566396566383461383766646561303936303939353838
33666634393363316538323137303464363265383562666161306461623664303332346662363439
34323165653336613736356635653964363638646364383365613230613735666663626134323939
63363635353634333963373363383264356633656637623131373865353164323433643630613935
33633039363461646331393032333535393339666562353231633266306463346166366233306162
36343035353935336431636434666139346531643230643933393634373562303161616562333335
36393636303763336463383630633937393332333630626666303239643534323162303765303033
61336366646566313331343533613566353261643638633235376635343362636632636132343233
35353131623238633933326330643263303032326233323362303533306262626135633832626264
32626431623139613938346633653834366438306663393635396635366330303130383565633966
30653364653936393163616130386638313166346265613834626538643961356139363563616666
38353931323465316666333434393964643265383239626632323863613165346539663538663238
34653930653263326134383731653337626437663736653762343731616333363238336435653933
66653664323937653666656337376439373731333839616663306335313832353266363631393231
3161636532643435623961376630386562613533363039376261
[[email protected] ansible]# cat j2.yml
- name: test j2
  hosts: all
  tasks:
    - name: first use template module
      template:
        src: motd.j2
        dest: /etc/motd
        owner: root
        group: root
        mode: 0644
[[email protected] ansible]# ansible-vault encrypt j2.yml
New Vault password:
Confirm New Vault password:
Encryption successful
[[email protected] ansible]# ansible-playbook j2.yml --ask-vault-pass
Vault password:
PLAY [test j2] ******************************************************************************************************************
TASK [Gathering Facts] **********************************************************************************************************
ok: [172.16.216.181]
ok: [172.16.216.182]
TASK [first use template module] ************************************************************************************************
changed: [172.16.216.182]
changed: [172.16.216.181]
PLAY RECAP **********************************************************************************************************************
172.16.216.181 : ok=2 changed=1 unreachable=0 failed=0
172.16.216.182 : ok=2 changed=1 unreachable=0 failed=0
[[email protected] ansible]# ansible-playbook j2.yml --vault-password-file=vault.pass
PLAY [test j2] ******************************************************************************************************************
TASK [Gathering Facts] **********************************************************************************************************
ok: [172.16.216.182]
ok: [172.16.216.181]
TASK [first use template module] ************************************************************************************************
ok: [172.16.216.182]
ok: [172.16.216.181]
PLAY RECAP **********************************************************************************************************************
172.16.216.181 : ok=2 changed=0 unreachable=0 failed=0
172.16.216.182 : ok=2 changed=0 unreachable=0 failed=0
# Point the ANSIBLE_VAULT_PASSWORD_FILE environment variable at the password file. /etc/profile makes it system-wide, so the file itself must stay root-only (mode 0600) and must never be committed alongside the vaulted files.
[[email protected] ansible]# vim /etc/profile
export ANSIBLE_VAULT_PASSWORD_FILE=/etc/ansible/vault.pass
[[email protected] ansible]# . /etc/profile
[[email protected] ansible]# ansible-playbook j2.yml
PLAY [test j2] ******************************************************************************************************************
TASK [Gathering Facts] **********************************************************************************************************
ok: [172.16.216.182]
ok: [172.16.216.181]
TASK [first use template module] ************************************************************************************************
ok: [172.16.216.182]
ok: [172.16.216.181]
PLAY RECAP **********************************************************************************************************************
172.16.216.181 : ok=2 changed=0 unreachable=0 failed=0
172.16.216.182 : ok=2 changed=0 unreachable=0 failed=0
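The following added example (not code from the original post or from Ansible) loads a vault password file the way the post configures it through `ANSIBLE_VAULT_PASSWORD_FILE`, with the checks a reviewer would ask for. Two behaviours are mirrored from Ansible: the trailing newline that `echo redhat >> vault.pass` leaves in the file is stripped, and a password file with the executable bit set is treated by Ansible as a script whose stdout is the password, so this loader refuses it instead of reading it. The permission policy (no group/other bits, matching the `chmod 0600 vault.pass` done later in the post) and the `demo()` helper with its two constructed temporary files are this example's own.

```python
"""Load a vault password file with sanity checks.

Added example; not part of the original post or of Ansible itself.
"""
import os
import stat
import tempfile


class InsecurePasswordFile(Exception):
    """Raised when the password file would leak or be misinterpreted."""


def load_vault_password(path: str) -> str:
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise InsecurePasswordFile("%s is not a regular file" % path)
    # Example policy: mirror `chmod 0600`; any group/other bit is a leak.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise InsecurePasswordFile(
            "%s is readable by group/others (mode %o); run chmod 0600"
            % (path, stat.S_IMODE(st.st_mode)))
    # Ansible runs an executable password file as a script; refuse rather
    # than silently read a script body as the password.
    if st.st_mode & stat.S_IXUSR:
        raise InsecurePasswordFile("%s is executable; Ansible would run it as a script" % path)
    with open(path, "rb") as f:
        # Ansible strips the trailing newline `echo` leaves behind.
        password = f.read().decode("utf-8").strip()
    if not password:
        raise InsecurePasswordFile("%s is empty" % path)
    return password


def load_from_env() -> str:
    """Resolve the file through the variable this post sets in /etc/profile."""
    path = os.environ.get("ANSIBLE_VAULT_PASSWORD_FILE")
    if not path:
        raise InsecurePasswordFile("ANSIBLE_VAULT_PASSWORD_FILE is not set")
    return load_vault_password(path)


def demo() -> dict:
    """Create two constructed password files in a temp dir and report what happens."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "vault.pass")
        with open(good, "w") as f:
            f.write("redhat\n")        # what `echo redhat >> vault.pass` produces
        os.chmod(good, 0o600)
        results["good"] = load_vault_password(good)

        loose = os.path.join(d, "vault-loose.pass")
        with open(loose, "w") as f:
            f.write("redhat\n")
        os.chmod(loose, 0o644)         # typical default-umask result: world-readable
        try:
            load_vault_password(loose)
            results["loose"] = "accepted"
        except InsecurePasswordFile as e:
            results["loose"] = "rejected: %s" % e

        os.environ["ANSIBLE_VAULT_PASSWORD_FILE"] = good
        results["env"] = load_from_env()
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```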
[[email protected] ~]# yum install python2-cryptography # faster vault operations: Ansible prefers the cryptography library over the older pycrypto
Example
[[email protected] ~]# ansible-vault create secret.yml
newusers:
  - name: ansibleuser1
    pw: redhat
  - name: ansibleuser2
    pw: [email protected]
[[email protected] ansible]# cat create_users.yml
- name: create user accounts for all our servers
  hosts: client
  vars_files:
    - secret.yml
  tasks:
    - name: create users
      user:
        name: "{{ item.name }}"
        password: "{{ item.pw | password_hash('sha512') }}"
      with_items: "{{ newusers }}"
[[email protected] ansible]# ansible-playbook --syntax-check --ask-vault-pass create_users.yml
Vault password:
playbook: create_users.yml
[[email protected] ansible]# echo redhat > vault.pass
[[email protected] ansible]# chmod 0600 vault.pass
[[email protected] ansible]# ansible-playbook --syntax-check --vault-password-file=vault.pass create_users.yml
playbook: create_users.yml
[[email protected] ansible]# ansible-playbook --vault-password-file=vault.pass create_users.yml
PLAY [create user accounts for all our servers] *********************************************************************************
TASK [Gathering Facts] **********************************************************************************************************
ok: [172.16.216.182]
ok: [172.16.216.181]
TASK [create users] *************************************************************************************************************
changed: [172.16.216.182] => (item={u'name': u'ansibleuser1', u'pw': u'redhat'})
changed: [172.16.216.181] => (item={u'name': u'ansibleuser1', u'pw': u'redhat'})
changed: [172.16.216.182] => (item={u'name': u'ansibleuser2', u'pw': u'[email protected]'})
changed: [172.16.216.181] => (item={u'name': u'ansibleuser2', u'pw': u'[email protected]'})
# Note: the loop echoes each item, including the vault-protected password, to the console and to any log that captures it; set no_log: true on the task to suppress this.
PLAY RECAP **********************************************************************************************************************
172.16.216.181 : ok=2 changed=1 unreachable=0 failed=0
172.16.216.182 : ok=2 changed=1 unreachable=0 failed=0
[[email protected] ansible]# ssh [email protected]
[email protected]'s password:
the hostname is ansible-client1.liuxplus.com
today's date is 2018-10-11
[[email protected] ~]$ exit
logout
Connection to 172.16.216.181 closed.
[[email protected] ansible]# ssh [email protected]
[email protected]'s password:
the hostname is ansible-client2.linuxplust.com
today's date is 2018-10-11
[[email protected] ~]$ exit
logout
Connection to 172.16.216.182 closed.
[[email protected] ansible]# ssh [email protected]
[email protected]'s password:
the hostname is ansible-client1.liuxplus.com
today's date is 2018-10-11
[[email protected] ~]$ exit
logout
Connection to 172.16.216.181 closed.
[[email protected] ansible]# ssh [email protected]
[email protected]'s password:
the hostname is ansible-client2.linuxplust.com
today's date is 2018-10-11
[[email protected] ~]$ exit
logout
Connection to 172.16.216.182 closed.
Original article: http://blog.51cto.com/stuart/2299307
Time: 2024-10-12 12:40:06