Ansible in Practice: Managing Secrets with ansible-vault

    Tech  2022-08-17

    Managing secrets with ansible-vault

    Contents

    Preface
    1. Getting help for the ansible-vault command
    2. Creating an encrypted file
    3. Decrypting a vault file
    4. Encrypting a vault file
    5. Viewing a vault file
    6. Editing a vault file
    7. Changing the password of a vault file

    Preface

    ansible-vault is the tool for encrypting and decrypting YAML (playbook and variable) files. A playbook or its variable files sometimes contain sensitive data such as passwords and keys; for security, this tool can be used to keep those files encrypted at rest, with Ansible decrypting them in memory only when the playbook runs.


    Note: the environment used in this article is CentOS 8.2 with ansible 2.8.0. For setting up that environment, see: ansible-2.8.0 setup link

    1. Getting help for the ansible-vault command

    Help for the ansible-vault command:

    [root@ansible-server ansible]# ansible-vault --help
    usage: ansible-vault [-h] [--version] [-v]
                         {create,decrypt,edit,view,encrypt,encrypt_string,rekey}
                         ...

    encryption/decryption utility for Ansible data files

    positional arguments:
      {create,decrypt,edit,view,encrypt,encrypt_string,rekey}
        create              Create new vault encrypted file
        decrypt             Decrypt vault encrypted file
        edit                Edit vault encrypted file
        view                View vault encrypted file
        encrypt             Encrypt YAML file
        encrypt_string      Encrypt a string
        rekey               Re-key a vault encrypted file

    optional arguments:
      --version             show program's version number, config file location,
                            configured module search path, module location,
                            executable location and exit
      -h, --help            show this help message and exit
      -v, --verbose         verbose mode (-vvv for more, -vvvv to enable
                            connection debugging)

    See 'ansible-vault <command> --help' for more information on a specific
    command.

    Help for the create subcommand:

    [root@ansible-server ansible]# ansible-vault create --help
    usage: ansible-vault create [-h] [--encrypt-vault-id ENCRYPT_VAULT_ID]
                                [--vault-id VAULT_IDS]
                                [--ask-vault-pass | --vault-password-file VAULT_PASSWORD_FILES]
                                [-v]
                                [file_name [file_name ...]]

    positional arguments:
      file_name             Filename

    optional arguments:
      -h, --help            show this help message and exit
      --encrypt-vault-id ENCRYPT_VAULT_ID
                            the vault id used to encrypt (required if more than
                            vault-id is provided)
      --vault-id VAULT_IDS  the vault identity to use
      --ask-vault-pass      ask for vault password
      --vault-password-file VAULT_PASSWORD_FILES
                            vault password file
      -v, --verbose         verbose mode (-vvv for more, -vvvv to enable
                            connection debugging)

    2. Creating an encrypted file

    [root@ansible-server ansible]# ansible-vault create user_file
    New Vault password:
    Confirm New Vault password:
    user_name: bob

    [root@ansible-server ansible]# cat user_file
    $ANSIBLE_VAULT;1.1;AES256
    39303734363366613735306537356562346330666431353263383030393663313638346339626232
    6534366330323163353431326561303066623132623365310a326331626362623739343163636435
    64656538346261636133373037303838633931313334313838666462336432616561366138393961
    3234643064396561640a643937383537613862633839353064363231376339333138376532356534
    3135

    The file is now stored with the $ANSIBLE_VAULT;1.1;AES256 header followed by the hex-encoded payload, and nothing in it is readable without the vault password.

    # Write the playbook that loads the encrypted variable file
    [root@ansible-server ansible]# vim add_user.yml
    ---
    - hosts: all
      vars_files: user_file
      tasks:
      - name: create user
        user:
          name: '{{ user_name }}'
          state: present

    # Run the playbook, prompting for the vault password
    [root@ansible-server ansible]# ansible-playbook add_user.yml --ask-vault-pass
    Vault password:

    PLAY [all] *****************************************************************

    TASK [Gathering Facts] *****************************************************
    ok: [node02]
    ok: [node03]
    ok: [node04]
    ok: [node01]

    TASK [create user] *********************************************************
    ok: [node02]
    ok: [node01]
    ok: [node04]
    ok: [node03]

    PLAY RECAP *****************************************************************
    node01 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
    node02 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
    node03 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
    node04 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

    ## Alternatively, a vault password file can be created and used for running the playbook and for viewing, editing and rekeying the vault file, so that no interactive prompt is needed. Note that this file holds the vault password in plaintext: restrict it to its owner (chmod 600), keep it out of version control, and use a far stronger password than the '123' shown here.

    # Create the password file
    [root@ansible-server ansible]# echo '123' > passwdfile

    # Run the playbook with the password file
    [root@ansible-server ansible]# ansible-playbook add_user.yml --vault-password-file passwdfile

    PLAY [all] *****************************************************************

    TASK [Gathering Facts] *****************************************************
    ok: [node01]
    ok: [node02]
    ok: [node03]
    ok: [node04]

    TASK [create user] *********************************************************
    ok: [node01]
    ok: [node03]
    ok: [node02]
    ok: [node04]

    PLAY RECAP *****************************************************************
    node01 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
    node02 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
    node03 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
    node04 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

    3. Decrypting a vault file

    [root@ansible-server ansible]# ansible-vault decrypt user_file
    Vault password:
    Decryption successful

    [root@ansible-server ansible]# cat user_file
    user_name: bob

    decrypt rewrites user_file on disk as plaintext and leaves it that way, so it is easy to commit or leave behind an unencrypted secret. If you only need to read or change the contents, prefer view (section 5) or edit (section 6), which never write the plaintext back to the file.

    4. Encrypting a vault file

    [root@ansible-server ansible]# ansible-vault encrypt user_file --vault-password-file passwdfile
    Encryption successful

    [root@ansible-server ansible]# cat user_file
    $ANSIBLE_VAULT;1.1;AES256
    61393833343530313039613366613035366462373230323165663163623434393162363764393163
    3966303535336435323066373564303134396138663761340a336363313437303130303739383433
    32616439366363613234643863363131313834353461623233333435613833646661396139663065
    3134663162393231660a306265383932313636306565346266653936313338626664653436376437
    3064

    5. Viewing a vault file

    [root@ansible-server ansible]# ansible-vault view user_file --vault-password-file passwdfile
    user_name: bob

    6. Editing a vault file

    # Change the file contents (edit opens the decrypted contents in $EDITOR; saving and quitting re-encrypts the file)
    [root@ansible-server ansible]# ansible-vault edit user_file --vault-password-file passwdfile
    user_name: tom

    # View the file contents
    [root@ansible-server ansible]# ansible-vault view user_file --vault-password-file passwdfile
    user_name: tom

    7. Changing the password of a vault file

    [root@ansible-server ansible]# ansible-vault rekey user_file
    Vault password:
    New Vault password:
    Confirm New Vault password:
    Rekey successful

    rekey re-encrypts the file under the new password. It does not revoke anything: anyone who holds the old password together with a copy of the old ciphertext (for example an earlier commit in version control) can still read that copy, so after a suspected leak rotate the secrets inside the file as well as the vault password.
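The following script is an added example and is not code from the original article or from the Ansible project. It wraps the workflow of sections 2, 3 and 7 with the checks a practitioner wants around it: a vault password file that only its owner can read (instead of the world-readable `echo '123' > passwdfile`), a test for whether a file is actually vault encrypted (which catches the plaintext that `ansible-vault decrypt` leaves behind), and, when ansible-vault is installed, a non-interactive encrypt, view and rekey using `--vault-password-file` and `--new-vault-password-file`. All file names, directory layout and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original article. All paths and contents
# below are constructed for the demo; adapt the name patterns to your repo.
set -eu

# Write the vault password to a file readable only by its owner. The article's
# `echo '123' > passwdfile` creates a world-readable file under a 022 umask.
make_vault_password_file() {
    (umask 077 && printf '%s\n' "$2" > "$1")
    chmod 600 "$1"
}

# Succeed when the file mode is exactly -rw------- (owner read/write only).
owner_only() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Succeed when the first line is an ansible-vault header (format 1.1 or 1.2).
# A decrypted file loses this header, so this is the check to run before a
# commit or before a playbook run picks up a file that should be secret.
is_vault_encrypted() {
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# Print every file under a directory whose name marks it as secret
# (vault*, *vault.yml, *secret*) but that is not vault encrypted.
find_unencrypted_secrets() {
    find "$1" -type f \( -name 'vault*' -o -name '*vault.yml' -o -name '*secret*' \) -print |
    while IFS= read -r f; do
        is_vault_encrypted "$f" || printf '%s\n' "$f"
    done
}

# Return 1 if any secret file is in plaintext; usable as a pre-commit hook.
check_secrets() {
    bad=$(find_unencrypted_secrets "$1")
    if [ -n "$bad" ]; then
        printf 'refusing: plaintext secret files found:\n%s\n' "$bad" >&2
        return 1
    fi
}

# Exercise the real tool when it is installed: encrypt with a password file,
# confirm the header, view, then rekey to a second password file with
# `ansible-vault rekey --new-vault-password-file`.
demo_with_ansible_vault() {
    dir=$1
    make_vault_password_file "$dir/.vault_pass" 'correct horse battery staple'
    make_vault_password_file "$dir/.vault_pass.new" 'a different long passphrase'
    printf 'user_name: bob\n' > "$dir/user_file"
    ansible-vault encrypt --vault-password-file "$dir/.vault_pass" "$dir/user_file"
    is_vault_encrypted "$dir/user_file"
    ansible-vault view --vault-password-file "$dir/.vault_pass" "$dir/user_file"
    ansible-vault rekey --vault-password-file "$dir/.vault_pass" \
        --new-vault-password-file "$dir/.vault_pass.new" "$dir/user_file"
    ansible-vault view --vault-password-file "$dir/.vault_pass.new" "$dir/user_file"
}

main() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/group_vars/all"
    # Constructed encrypted file: only the header matters for the check.
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '3930373436336661' > "$tmp/group_vars/all/vault.yml"
    # Constructed plaintext file: the result of a `decrypt` that was never re-encrypted.
    printf 'db_password: hunter2\n' > "$tmp/group_vars/all/secret_db.yml"
    make_vault_password_file "$tmp/.vault_pass" '123'
    owner_only "$tmp/.vault_pass" && echo "password file is owner-only"
    if check_secrets "$tmp"; then
        echo "all secret files are encrypted"
    else
        echo "fix with: ansible-vault encrypt --vault-password-file $tmp/.vault_pass <file>"
    fi
    if command -v ansible-vault >/dev/null 2>&1; then
        demo_with_ansible_vault "$tmp"
    fi
    rm -rf "$tmp"
}

main "$@"
```

`check_secrets` is the piece to wire into a Git pre-commit hook so that a file decrypted with section 3's command cannot be committed in plaintext by accident. Instead of passing `--vault-password-file` on every command, the same path can be set once as `vault_password_file` in the `[defaults]` section of ansible.cfg or in the `ANSIBLE_VAULT_PASSWORD_FILE` environment variable; the password file itself should still be listed in .gitignore.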