Secret Management in Ansible
Imagine we are automating a database installation and configuration. The playbooks reference DB tokens, secret passphrases and passwords, and those playbooks must live in a central repository such as GitLab or Bitbucket. The requirement is to keep this sensitive information out of the repository in plain text. To encrypt it we use Ansible Vault.
Suppose I create a file mysecrets.yaml as an ordinary plaintext file:
---
DBUSER: "admin"
DBPASS: "admin"
Anyone who opens this file can read the values; nothing is encrypted.
To create the file encrypted instead, use the command below. It prompts for a vault password (and a confirmation), then opens an editor in which you write the file's contents.
ansible-vault create yourfilename.yaml
If I now look at the file on disk, its contents are encrypted with AES256 and it begins with a $ANSIBLE_VAULT header line.
To view the decrypted contents, use the command below; it asks for the vault password first.
ansible-vault view yourfilename.yaml
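The header line is what makes an encrypted file recognisable, and it also gives a cheap way to stop a plaintext secrets file from reaching the repository. The following is an added example, not part of the original post: a POSIX shell check that passes only files whose first line carries the $ANSIBLE_VAULT header. The files it creates are constructed for the demo, and the second line of the "encrypted" file is a stand-in, not real vault output.

```shell
#!/bin/sh
# Added example (not from the original post): refuse plaintext secrets files.
# Files written by ansible-vault start with a header line such as
#   $ANSIBLE_VAULT;1.1;AES256
# followed by hex-encoded ciphertext, so the first line is enough to tell an
# encrypted file from one that was saved without encryption.

# Return 0 if FILE is vault-encrypted, 1 if it is missing or in plain text.
is_vault_encrypted() {
    file="$1"
    [ -f "$file" ] || return 1
    first_line=$(head -n 1 "$file")
    case "$first_line" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check every path given; report each plaintext file on stderr and return
# the number of offenders (0 means every file is encrypted).
check_secret_files() {
    bad=0
    for f in "$@"; do
        if ! is_vault_encrypted "$f"; then
            echo "NOT ENCRYPTED: $f" >&2
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Demo on constructed files: one with the vault header, one saved in plain text.
demo() {
    dir=$(mktemp -d)
    # Constructed stand-in for real vault output (the second line is not real ciphertext).
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '3132333435363738' > "$dir/mysecrets.yaml"
    printf '%s\n' '---' 'DBUSER: "admin"' 'DBPASS: "admin"' > "$dir/plain.yaml"
    check_secret_files "$dir/mysecrets.yaml" "$dir/plain.yaml"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Running the script directly exercises the demo; the non-zero status is the
# signal a pre-commit hook would use to block the commit.
demo || echo "refusing: $? plaintext secrets file(s) found" >&2
```

To use it as a git pre-commit hook, feed the staged secrets files to check_secret_files, for example `check_secret_files $(git diff --cached --name-only -- 'group_vars/*/vault.yml')`, and let the exit status block the commit. The check only proves a file is encrypted; it says nothing about the strength of the vault password or where that password is stored.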
Using the encrypted YAML in the main playbook
Suppose the main playbook needs the values from mysecrets.yaml. We load the encrypted file with vars_files, as below.
---
- name: working with vault
  hosts: Node-1
  vars_files:
    - mysecrets.yaml
  tasks:
    - name: Retrieve vault secrets
      command: echo "DB USER is {{ DBUSER }} , DB PASS is {{ DBPASS }}"
Note that echoing the secret like this prints it in the task output and in any log of the run; in a real playbook, put no_log: true on tasks that handle secrets.
If we run this playbook (vault.yaml) as it is, it fails with an error because we did not pass the vault password.
So how do we supply the vault password when executing ansible-playbook?
We can check the help output for the relevant options:
ansible-playbook -h | grep -i pass
Here we use --ask-vault-pass, which prompts for the password of the encrypted YAML.
So my command becomes:
ansible-playbook playbookname.yaml --ask-vault-pass -v
The output will be as follows:
For end-to-end automation, where nobody is present to type the password, we can instead store the password in a file and point Ansible at that file. That file must be kept out of version control and readable only by the user running Ansible. e.g.
Now we use the command below:
ansible-playbook playbookname.yaml --vault-password-file=./filename -v
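Moving the password from the prompt into a file is what makes the run unattended, so the file itself becomes the thing to protect. The following is an added example, not part of the original post. It shows two guards: an executable password source (Ansible runs an executable --vault-password-file and reads the password from its stdout), and a check for the plain-file variant that refuses a file readable by others or tracked by git. The environment variable name VAULT_PASS and the file name vault-pass.sh are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: two guards around the vault
# password that --vault-password-file moves from the prompt onto disk.
#  1. vault_pass_from_env: if the file given to --vault-password-file is
#     executable, Ansible runs it and reads the password from its stdout, so
#     the password can come from the CI job's environment instead of a file
#     that could be committed. VAULT_PASS is an assumed variable name.
#  2. check_vault_password_file: for the plain-file variant, refuse a file
#     that is readable by group or others, or that git is tracking.

# Print the vault password taken from the environment, or fail loudly.
vault_pass_from_env() {
    if [ -z "${VAULT_PASS:-}" ]; then
        echo "VAULT_PASS is not set; no vault password available" >&2
        return 1
    fi
    printf '%s\n' "$VAULT_PASS"
}

# Return 0 only if FILE exists, has no group/other permission bits, and is
# not tracked by git (when the file lives inside a git work tree).
check_vault_password_file() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "no such password file: $file" >&2
        return 1
    fi
    # Portable permission check via ls: columns 5-10 of the mode string are
    # the group and other bits and must all be '-' (mode 600 or stricter).
    perms=$(ls -ld "$file" | cut -c1-10)
    case "$perms" in
        ????------) ;;
        *)
            echo "$file is readable by group/others ($perms); fix with: chmod 600 $file" >&2
            return 1 ;;
    esac
    dir=$(dirname "$file")
    name=$(basename "$file")
    if git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 &&
       git -C "$dir" ls-files --error-unmatch "$name" >/dev/null 2>&1; then
        echo "$file is tracked by git; remove it from the repository and add it to .gitignore" >&2
        return 1
    fi
    return 0
}

# When saved as vault-pass.sh, marked executable (chmod 700), and handed to
# Ansible with --vault-password-file=./vault-pass.sh, this script acts as
# the password source. Under any other name it only defines the functions.
case "${0##*/}" in
    vault-pass.sh) vault_pass_from_env || exit 1 ;;
esac
```

Run `check_vault_password_file ./filename` in the CI job before ansible-playbook, or adopt the executable variant with VAULT_PASS injected from the CI secret store. Either kind of file can also be named through the ANSIBLE_VAULT_PASSWORD_FILE environment variable, which keeps the path off the command line and out of shell history.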
Problem Statement:
Suppose I have 100 nodes, I run the playbook, and it succeeds on 75 nodes and fails on 25. How do I restrict the second run to the failed nodes, i.e. only those 25?
First, I create a file named failednodes containing the names of the servers/nodes on which I want to rerun the playbook; this file is used as the inventory.
We can use the command below:
ansible-playbook -i filenameofyourfailedservers yourfilename.yaml --vault-password-file=./filename -v
Observe the output.
If you want to name the failed nodes/servers at runtime instead, use the -l (--limit) option with a single host, a comma-separated list of hosts, or a group name:
ansible-playbook yourfilename.yaml -l Node-1
ansible-playbook yourfilename.yaml -l Node-2
ansible-playbook yourfilename.yaml -l Node-1,Node-2
ansible-playbook yourfilename.yaml -l dev
ansible-playbook yourfilename.yaml -l prod
How to find the number of tasks in a playbook
We can use the below command
ansible-playbook myfilename.yaml --list-tasks
Problem Statement 1:
I want to start execution from the second task, i.e. the one named "working with with_sequence". How do we do that?
Solution:
We will use the command below:
ansible-playbook --start-at-task "working with with_sequence" yourfilename.yaml -v
Problem Statement 2:
I have changed my mind and want to execute only a particular task (say task2). How do I do that?
Solution:
We'll use tags. First, we add tags to the tasks in our playbook.
Second, we run the playbook with -t (--tags), as follows:
ansible-playbook filename.yaml -t tagsname
To run two tags at once, pass both tag names separated by a comma.
Problem Statement 3:
Let's say I don't want to actually run my code; I just want to see what the play would do if I executed the playbook, i.e. for verification purposes.
Solution:
We can use the command below (check mode, -C or --check) to see what the playbook would change without changing anything.
ansible-playbook yourplaybookname.yaml -C