Introduction

On private CIs and source control repositories like GitLab CE it is possible to copy a ~/.vault_pass.txt to the server and let the CI use it to decrypt files using Ansible.

Problem

On public CIs and source control repositories like Bitbucket it is not possible to copy a ~/.vault_pass.txt to the CI server itself.

Discussion

In Bitbucket it is possible to define encrypted variables, but when this file is checked the only vault-related variables are:

  • ANSIBLE_ASK_VAULT_PASS
  • ANSIBLE_VAULT_PASSWORD_FILE

These variables are not an option to solve the issue, as when ANSIBLE_ASK_VAULT_PASS is set, ansible-vault still prompts:

user@host $
Vault password:

When the same password is entered it can open the encrypted file, but the aim is to open the file without needing a file or entering a password in a prompt.

Another attempt to solve the issue was running export ANSIBLE_ASK_VAULT_PASS=<ansible-vault-password>, but the interactive mode persists.

Another option is export ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass.txt, but then this file needs to be pushed to the repository, and source control repositories should not contain passwords.

030

3 Answers

--vault-password-file can instead point to an executable script that writes to stdout. This little-known feature should solve your problem.

First, write a simple, executable script that prints a system environment variable, and check that into your source control. Then, use Bitbucket's encrypted variable feature to set that environment variable to your ansible-vault secret. Finally, execute like so:

ansible-playbook site.yml --vault-password-file ./mypass.sh

References:

  1. http://docs.ansible.com/ansible/playbooks_vault.html#running-a-playbook-with-vault

  2. https://groups.google.com/forum/#!topic/ansible-devel/1vFc3y6Ogto

Woodland

Using

ansible-playbook site.yml --vault-password-file ./mypass.sh

resulted in:

ERROR! Problem running vault password script /path/to/echo_vault_pass.sh ([Errno 8] Exec format error). If this is not a script, remove the executable bit from the file.

Based on this post, the following was defined in bitbucket-pipelines:

image: docker:latest

pipelines:
  default:
    - step:
        script:
          - echo $ANSIBLE_VAULT_PASSWORD > .vault_password.txt
          - ansible-playbook -i ansible/inventory ansible/site.yml --vault-password-file .vault_password.txt
030

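The executable password script from Woodland's answer, written out as an added example (this is not code from either post, nor Ansible's own): it reads the vault secret from an environment variable that the CI's encrypted variable feature populates and prints it to stdout for Ansible to consume. The variable name ANSIBLE_VAULT_PASSWORD and the file name mypass.sh are assumptions. Two details are relevant to the `[Errno 8] Exec format error` reported in the second answer: the script has to begin with a shebang line and be marked executable (`chmod +x mypass.sh`), and it has to use Unix line endings, since a CRLF after `#!/bin/sh` breaks the interpreter lookup. The script fails closed when the variable is unset or empty, so a misconfigured pipeline produces a clear error rather than Ansible silently trying an empty password.

```shell
#!/bin/sh
# mypass.sh: executable vault password source for Ansible (added example).
# Ansible runs this script and reads the vault password from its stdout;
# the secret arrives through an environment variable set by the CI's
# encrypted variables. ANSIBLE_VAULT_PASSWORD is an assumed name.

# Print the password held in the named variable (default ANSIBLE_VAULT_PASSWORD),
# or fail closed if the variable is unset or empty.
vault_pass_from_env() {
    var_name="${1:-ANSIBLE_VAULT_PASSWORD}"
    # Validate the name before using eval for indirect expansion, so that an
    # argument can never inject shell syntax.
    case "$var_name" in
        ""|[0-9]*|*[!A-Za-z0-9_]*)
            echo "refusing invalid variable name: $var_name" >&2
            return 1 ;;
    esac
    eval "value=\${$var_name}"
    if [ -z "$value" ]; then
        echo "vault password variable $var_name is unset or empty" >&2
        return 1
    fi
    # printf avoids echo's portability quirks with backslashes and leading dashes.
    printf '%s\n' "$value"
}

# Act as the password script only when executed directly as mypass.sh,
# so the function can also be sourced and tested on its own.
case "$0" in
    */mypass.sh|mypass.sh) vault_pass_from_env "$@" || exit 1 ;;
esac
```

Invoke it exactly as the accepted answer shows: `ansible-playbook site.yml --vault-password-file ./mypass.sh`. Compared with the pipeline step above that echoes the variable into .vault_password.txt, nothing is written to the build workspace, so the secret cannot be left behind in a cached directory, a committed file or an archived artifact; the secret exists only in the process environment for the duration of the run.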
You could have a test setup that does not run production, and load different files for those.

Create a host_vars/localhost/vault that only works for the local test installation.

That way you could use an open vault password that works only for that local host vault.