未检测到group_vars中的可用保险库密码 [英] Ansible vault password in group_vars not detected
问题描述
我正在尝试使用ansible-vault保护单个Windows登录密码.我不想将hte密码以纯文本格式放置在我的windows.yml文件中(请参见下文),因此我试图使用ansible-vault
来保护/加密该密码.
I am trying to use ansible-vault to secure a single Windows login password. I do not want to place hte password as plain text in my windows.yml file (see below) and so I am trying to use ansible-vault
to secure/encrypt this password.
我有这个目录结构:
myansiblehome
- windows_manage
- group_vars
- windows.yml
- vault
- hosts
- win_playbook.yml
我的问题是关于文件vault
.我正在尝试根据此将Windows登录密码作为加密变量放置在此处教程.变量名称为ansible_password
,其想法是我应该在vault
文件中包含一个哈希,而不是文本中的实际密码.
My question is about the file vault
. I am trying to place a Windows login password here as an encrypted variable, as per this tutorial. The variable name is ansible_password
and the idea is that I should have a hash in the vault
file and not the actual password in text.
我的windows.yml
文件如下所示(遵循指南此处):
My windows.yml
file looks like this (following the guidance here):
ansible_user: administrator
ansible_password: "{{ vault_ansible_password }}"
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
现在,要创建vault
文件,这是我的步骤:
Now, to create the vault
file, here are my steps:
cd windows_manage
ansible-vault create group_vars/vault
然后这是我放入vault
文件的所有内容:
Then here are all the contents that I place into the vault
file:
---
vault_ansible_password: mypassword
使用ansible-playbook -i ./hosts win_playbook.yml --ask-vault-pass
运行此文件时,出现此错误(问题A):
When I run this file with ansible-playbook -i ./hosts win_playbook.yml --ask-vault-pass
, I get this error (problem A):
The field 'password' has an invalid value, which includes an
undefined variable. The error was: 'vault_ansible_password' is
undefined\nexception type: <...>\nexception: 'vault_ansible_password' is
undefined.
因此,我尝试生成哈希而不是使用文本.我是这样做的:
So, I tried to generate a hash instead of using text. I did this:
mkpasswd --method=SHA-512
# copy the resulting hash to the clipboard
ansible-vault create group_vars/vault
我用此哈希替换了文本mypassword.我在vi
编辑器中粘贴了哈希,并保存了vault
文件.同样,我用ansible-playbook -i ./hosts win_playbook.yml --ask-vault-pass
运行了剧本.这次我遇到了另一个错误(问题B):
I replaced the text mypassword by this hash. I pasted the hash in the vi
editor and saved the vault
file. Again, I ran the playbook with ansible-playbook -i ./hosts win_playbook.yml --ask-vault-pass
. This time I got a different error (problem B):
fatal: [...]: UNREACHABLE! => ..."ssl: the specified
credentials were rejected by the server", "unreachable": true}
要克服这一点,我必须做两件事:
To overcome this, I have to do 2 things:
- 要解决问题A ::在
win_playbook.yml
中,我需要添加vars_files: group_vars\vault
,有点类似于此 StackOverflow帖子. - 要解决问题B ::我必须用文本(mypassword)中的实际密码替换
vault
中的哈希.
- To resolve problem A.: in
win_playbook.yml
, I need to addvars_files: group_vars\vault
, somewhat similar to this StackOverflow post. - To resolve problem B.: I have to replace the hash in
vault
with the actual password in text (mypassword).
问题:
-
关于A:在我遇到的有关Ansible Vault的教程中,我没有看到
vars_file: group_vars\vars
应该出现在主剧本文件中的特殊原因(请参阅下面的链接1-4).在任何地方都没有提到这一点.我以为Ansible会自动检测group_vars
目录中的变量???有必要为什么需要此行吗?
Regarding A: In the tutorials I have come across for ansible vault, I do not see a particular reason why
vars_file: group_vars\vars
should be present in the main playbook file (see links 1-4 below).i.e. there is no mention of this anywhere. I thought Ansible would auto-detect the variables in thegroup_vars
directory??? Is there a reason why this line is required?
- https://serversforhackers.com/c/ansible-using-vault
- https://www.digitalocean.com/community/tutorials/how-to-use-vault-to-protect-sensitive-ansible-data-on-ubuntu-16-04
- these guys use
group_vars/vars
(unencrypted variable file similar to mygroup_vars/vars
) andgroup_vars/vault
(encrypted variable file similar to mygroup_vars/vault
) but they are using a role while I am not using an Ansible role
- these guys use
Regarding B: It looks like other users (see here are using hashes as their variables). Actually, even the Ansible docs suggest to use mkpasswd
to generate passwords. Maybe I am misunderstanding something. Should we not use mkpasswd --method=SHA-512
to hash the password and then place the hash as the variable value? Is it not possible to use a hash as the value in key:value in the vault
file?
推荐答案
group_vars
依赖于文件/目录名称-它应对应于特定的组名称.
group_vars
rely on file/directory name – it should correspond to specific group name.
在这种情况下,windows.yml
应用于名为windows
的组,但是vault
本应应用于名为vault
的组.
In you case windows.yml
is applied to group named windows
, but vault
would have been applied to group named vault
.
要解决您的问题,请创建名为windows
的目录并将文件放置在其中(windows
目录下的每个文件将按字母顺序应用于windows
组中的主机):
To overcome your issue, create directory named windows
and place your files there (every file under windows
directory will be applied to hosts in windows
group in alphabetical order):
myansiblehome
\ windows_manage
\ group_vars
\ windows
\ windows.yml
- vault
这篇关于未检测到group_vars中的可用保险库密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!