考虑以下测试手册
vault.yaml---
- name: Ansible Vault
hosts: localhost
connection: local
gather_facts: false
vars_prompt:
- name: playbook_action
prompt: "Select an action to perform:\n
1) List encrypted variables\n
2) Update global password\n"
private: false
tasks:
- name: Encrypted Variables
when: playbook_action in ['1', '1)']
block:
- name: Set encrypted variables fact
ansible.builtin.set_fact:
encrypted_variables:
- ansible_password: '{{ ansible_password }}'
no_log: true
- name: List encrypted variables
ansible.builtin.debug:
var: encrypted_variables
- name: Global Password
when: playbook_action in ['2', '2)']
block:
- name: Set new global password
ansible.builtin.pause:
prompt: Password
echo: false
register: password
- name: Update global password
ansible.builtin.command:
cmd: ansible-vault encrypt_string {{ item | quote }} -n {{ item | quote }}
environment:
VAULT_PASSWORD: '{{ password.user_input }}'
loop:
- ansible_password
register: encrypted_variables
changed_when: true
no_log: true
- name: List encrypted variables
ansible.builtin.debug:
var: encrypted_variables.results | map(attribute = 'stdout')
跑步时:
ansible-playbook --ask-vault-pass vault.yaml
Vault password:
Select an action to perform:
1) List encrypted variables
2) Update global password
: 2
我希望剧本能够使用定义的环境
VAULT_PASSWORD编辑:我解决这个问题的唯一方法是创建一个临时的
password - name: Create password file
ansible.builtin.lineinfile:
line: '{{ password.user_input }}'
path: ./password
mode: '0644'
create: true
- name: Update global password
ansible.builtin.command:
cmd: ansible-vault encrypt_string {{ item | quote }} -n {{ item | quote }} --vault-pass-file ./password
loop:
- ansible_password
register: encrypted_variables
changed_when: true
no_log: true
- name: Delete password file
ansible.builtin.file:
path: ./password
state: absent
我仍然更喜欢使用定义到任务中的
VAULT_PASSWORD我希望剧本能够使用定义的环境 VAULT_PASSWORD 变量。
这在设计上是不可能的:Ansible 不使用这个变量,所以我不确定你的期望是基于什么。一般来说,您必须在提示时使用
--ask-vault-passwordANSIBLE_VAULT_PASSWORD_FILE