How to decrypt string with ansible-vault 2.3.0
Solution 1:
You can also do with plain ansible
command for respective host/group/inventory combination, e.g.:
$ ansible my_server -m debug -a 'var=my_secret'
my_server | SUCCESS => {
"my_secret": "373861663362363036363361663037373661353137303762"
}
Solution 2:
You can pipe the input then tell ansible-vault
to output to stderr
and then redirect the stdout
to /dev/null
since the tool prints Decryption successful
.
The /dev/stdin/
part may not be needed in new Ansible versions.
Something like:
echo 'YOUR_SECRET_VALUE' | ansible-vault decrypt /dev/stdin --output=/dev/stderr > /dev/null
Here is a example:
echo '$ANSIBLE_VAULT;1.1;AES256
30636561663762383436386639353737363431353033326634623639666132623738643764366530
6332363635613832396361333634303135663735356134350a383265333537383739353864663136
30393363653361373738656361613435626237643633383261663138653466393332333036353737
3335396631613239380a616531626235346361333737353831376633633264326566623339663463
6235' | ansible-vault decrypt /dev/stdin --output=/dev/stderr > /dev/null
I hope they implement a simpler way of doing this.
Edit: Environment Variables as Input:
To have a similar behaviour with multi-line environment variables on bash
use printf
instead of echo
Example (password: 123):
export chiphertext='$ANSIBLE_VAULT;1.1;AES256
65333363656231663530393762613031336662613262326666386233643763636339366235626334
3236636366366131383962323463633861653061346538360a386566363337383133613761313566
31623761656437393862643936373564313565663633636366396231653131386364336534626338
3430343561626237660a333562616537623035396539343634656439356439616439376630396438
3730'
printf "%s\n" $chiphertext | ansible-vault decrypt /dev/stdin --output=/dev/stderr > /dev/null
Solution 3:
since whole vault files do not play well with git histories, using vault strings within the variable files is the way to go, it also makes grepping out variables by name much clearer.
Here is a simple worked example:
I want to put fredsSecretString: value into vars.yml , (its value is fastfredfedfourfrankfurters but hush, don't let people know !!)
$ ansible-vault encrypt_string 'fastfredfedfourfrankfurters' -n fredsSecretString >> vars.yml
New Vault password: fred
Confirm New Vault password: fred
$ cat vars.yml
fredsSecretString: !vault |
$ANSIBLE_VAULT;1.1;AES256
36643662303931336362356361373334663632343139383832626130636237333134373034326565
3736626632306265393565653338356138626433333339310a323832663233316666353764373733
30613239313731653932323536303537623362653464376365383963373366336335656635666637
3238313530643164320a336337303734303930303163326235623834383337343363326461653162
33353861663464313866353330376566346636303334353732383564633263373862
To decrypt the value feed the encrypted string back into ansible-vault as follows:
$ echo '$ANSIBLE_VAULT;1.1;AES256
36643662303931336362356361373334663632343139383832626130636237333134373034326565
3736626632306265393565653338356138626433333339310a323832663233316666353764373733
30613239313731653932323536303537623362653464376365383963373366336335656635666637
3238313530643164320a336337303734303930303163326235623834383337343363326461653162
33353861663464313866353330376566346636303334353732383564633263373862' |
ansible-vault decrypt && echo
Vault password: fred
Decryption successful
fastfredfedfourfrankfurters
$
Solution 4:
Did you try setting the encrypted string as a variable and then using -debug
to get its decrypted output?
i.e.
Define your encrypted string as a variable test
in your playbook and then do:
-debug: msg="My Secret value is {{test | replace('\n', '')}}"
in your playbook and then run the playbook:
$ ansible-playbook -i localhost YourPlaybook.yml --vault-password-file path/to/your/secret_key_file
Solution 5:
yq extracts the encrypted var value, then will create a temporary file and use it with ansible-vault
:
cat ansible_file.yml | yq -r ".variable_name" > tmp_file.txt
# you can also use 'ansible-vault decrypt'
ansible-vault view --ask-vault-pass tmp_file.txt