未检测到group_vars中的可用保险库密码 [英] Ansible vault password in group_vars not detected

问题描述

我正在尝试使用ansible-vault保护单个Windows登录密码.我不想将hte密码以纯文本格式放置在我的windows.yml文件中(请参见下文)，因此我试图使用ansible-vault来保护/加密该密码.

I am trying to use ansible-vault to secure a single Windows login password. I do not want to place hte password as plain text in my windows.yml file (see below) and so I am trying to use ansible-vault to secure/encrypt this password.

我有这个目录结构:

myansiblehome
- windows_manage
  - group_vars
    - windows.yml
    - vault
  - hosts
  - win_playbook.yml

我的问题是关于文件vault.我正在尝试根据此将Windows登录密码作为加密变量放置在此处教程.变量名称为ansible_password，其想法是我应该在vault文件中包含一个哈希，而不是文本中的实际密码.

My question is about the file vault. I am trying to place a Windows login password here as an encrypted variable, as per this tutorial. The variable name is ansible_password and the idea is that I should have a hash in the vault file and not the actual password in text.

我的windows.yml文件如下所示(遵循指南此处):

My windows.yml file looks like this (following the guidance here):

ansible_user: administrator
ansible_password: "{{ vault_ansible_password }}"
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore

现在，要创建vault文件，这是我的步骤:

Now, to create the vault file, here are my steps:

cd windows_manage
ansible-vault create group_vars/vault

然后这是我放入vault文件的所有内容:

Then here are all the contents that I place into the vault file:

---
vault_ansible_password: mypassword

使用ansible-playbook -i ./hosts win_playbook.yml --ask-vault-pass运行此文件时，出现此错误(问题A):

When I run this file with ansible-playbook -i ./hosts win_playbook.yml --ask-vault-pass, I get this error (problem A):

The field 'password' has an invalid value, which includes an
undefined variable. The error was: 'vault_ansible_password' is 
undefined\nexception type: <...>\nexception: 'vault_ansible_password' is 
undefined.

因此，我尝试生成哈希而不是使用文本.我是这样做的:

So, I tried to generate a hash instead of using text. I did this:

mkpasswd --method=SHA-512
# copy the resulting hash to the clipboard
ansible-vault create group_vars/vault

我用此哈希替换了文本mypassword.我在vi编辑器中粘贴了哈希，并保存了vault文件.同样，我用ansible-playbook -i ./hosts win_playbook.yml --ask-vault-pass运行了剧本.这次我遇到了另一个错误(问题B):

I replaced the text mypassword by this hash. I pasted the hash in the vi editor and saved the vault file. Again, I ran the playbook with ansible-playbook -i ./hosts win_playbook.yml --ask-vault-pass. This time I got a different error (problem B):

fatal: [...]: UNREACHABLE! => ..."ssl: the specified
credentials were rejected by the server", "unreachable": true}

要克服这一点，我必须做两件事:

To overcome this, I have to do 2 things:

1. 要解决问题A ::在win_playbook.yml中，我需要添加vars_files: group_vars\vault，有点类似于此 StackOverflow帖子.
2. 要解决问题B ::我必须用文本(mypassword)中的实际密码替换vault中的哈希.

1. To resolve problem A.: in win_playbook.yml, I need to add vars_files: group_vars\vault, somewhat similar to this StackOverflow post.
2. To resolve problem B.: I have to replace the hash in vault with the actual password in text (mypassword).

问题:

1. 关于A:在我遇到的有关Ansible Vault的教程中，我没有看到vars_file: group_vars\vars应该出现在主剧本文件中的特殊原因(请参阅下面的链接1-4).在任何地方都没有提到这一点.我以为Ansible会自动检测group_vars目录中的变量???有必要为什么需要此行吗?

1. Regarding A: In the tutorials I have come across for ansible vault, I do not see a particular reason why vars_file: group_vars\vars should be present in the main playbook file (see links 1-4 below).i.e. there is no mention of this anywhere. I thought Ansible would auto-detect the variables in the group_vars directory??? Is there a reason why this line is required?

1. https://serversforhackers.com/c/ansible-using-vault

1. https://serversforhackers.com/c/ansible-using-vault
2. https://www.digitalocean.com/community/tutorials/how-to-use-vault-to-protect-sensitive-ansible-data-on-ubuntu-16-04
   • these guys use group_vars/vars (unencrypted variable file similar to my group_vars/vars) and group_vars/vault (encrypted variable file similar to my group_vars/vault) but they are using a role while I am not using an Ansible role

关于B:看起来像其他用户(请参阅

Regarding B: It looks like other users (see here are using hashes as their variables). Actually, even the Ansible docs suggest to use mkpasswd to generate passwords. Maybe I am misunderstanding something. Should we not use mkpasswd --method=SHA-512 to hash the password and then place the hash as the variable value? Is it not possible to use a hash as the value in key:value in the vault file?

推荐答案

group_vars依赖于文件/目录名称-它应对应于特定的组名称.

group_vars rely on file/directory name – it should correspond to specific group name.

在这种情况下，windows.yml应用于名为windows的组，但是vault本应应用于名为vault的组.

In you case windows.yml is applied to group named windows, but vault would have been applied to group named vault.

要解决您的问题，请创建名为windows的目录并将文件放置在其中(windows目录下的每个文件将按字母顺序应用于windows组中的主机):

To overcome your issue, create directory named windows and place your files there (every file under windows directory will be applied to hosts in windows group in alphabetical order):

myansiblehome
\ windows_manage
  \ group_vars
    \ windows
      \ windows.yml
      - vault

这篇关于未检测到group_vars中的可用保险库密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！