EX294 Red Hat Certified Engineer RHCE – Using Advanced Ansible Features – Ansible Vault and Templates Part 4

7. Introducing and Understanding Ansible Vaults With Example Playbook

Hello, welcome to this lecture. In this lecture we’ll learn about ansible vault. Ansible vault as name indicates is a feature of ansible to keep sensitive data such as passwords or keys in encrypted files rather than as plain text in playbooks or roles. We’ll use ansible dashboard command line for this purpose. Now, encryption can happen at file level or at variable level. At file level, any structured data file used in ansible can be encrypted.

For example ensable facts, hostwars GroupWise, variable files, playbooks and other files. At variable level, we can encrypt passwords and other sensitive variables to be used in the playbooks. Now let’s move to the ensable control node to understand how we can encrypt files and variables. Now we are on nsible control node and I am logged in as nsible user. First of all, we’ll display help for ensable vault command line. Ensable vault help so here in users line we can see different subcommands which can be used with ansible dashboard command line. We can use create with ansible dashboard command line to create encrypted files.

We can use decrypt to decrypt encrypted file. We can use addit to edit some encrypted file. We can use encrypt to encrypt some file which is already existing. This is a difference between encrypt and create. Create we use to create new file to contain encrypted info. We use encrypt to encrypt already existing file with plain text. We can use encrypt underscore string to encrypt variables such as passwords. Then next rekey we can use rekey subcommand with ansible virt command line to change vote password. Now, what is this vote password? When we encrypt some file or variable using ensable virt command line, we need to set vote password. Same password can be used to decrypt the information. Sorry, key subcommand is used to change or rotate vote password. Last, we can use view to view encrypted file. Of course, here we need to provide vault password. Then we have options. We can use options as listed here. Ask vast ask for vault password.

For example, if we encrypt some variable to be used in playbook and then we need to execute the playbook, then we must use ask dashboard pass so that ansible will ask for word password which is needed to decrypt the variable which has been encrypted in the playbook. If you don’t use this flag, playbook execution will fail with error.

No secrets found. Then we have volt ID. We can use this option to specify file containing VR. We can save vote password in some file. Then we can use vid to specify path of file containing vote password. So instead of using ask vass, we can use vault ID and then we can specify file containing vassword. Both will work perfectly fine. Vassword File we can use this option in similar way as that of vid to specify file containing vassword. Now we understood we can use vid to specify file containing VT password. But we can use voltid option for one more purpose. To differentiate between different volts. It will be more clear later on.

Now I will clear the screen. Now, to understand variable level encryption, we’ll create one playbook with name VML. Here we’ll set m host one as target. We can set any host as target. Because we are not going to do any action on the target. We just need to display some variable. I will set gather underscore facts to false. We don’t need an symbol facts for this example here in the VARs section, I will define one variable with name password and I will assign value to this variable as Nsieble. Now in the tasks section, we’ll use debug material. To display this variable, we know we need to use debug module. And here we’ll use MSG. We know how we can refer to some variable using Ginger two expression. This is all we need to do. This is simple playbook. And this will simply display value assigned to password variable which is NCBL. I will save and create.

Now I will execute this playbook. So here we have password mcbull. Now what we’ll do we’ll encrypt this variable. We know how we can do this. To encrypt variable, we must use encrypt underscore string subcommand ansible dash volt encrypt underscore string. Then here by using dash dash name, we need to specify variable name which is password. This must be enclosed in single quotation marks. Then here we need to specify value assigned to this variable which is Nsbull.

Again, this must be enclosed in quotation marks. Then here we can specify arc dash volt path. Even if we don’t specify this flag anyway, it will always ask to enter or to set password. Here we need to provide word password. I will set password as password. Now we need to confirm the password. Now variable has been encrypted. This is encrypted value for password variable. Now what we’ll do we’ll copy this. I will clear the screen again, we’ll open this file now, here I will paste this variable. We’ll remove this line. Now we have password variable in encrypted format. No one can read this.

This is objective behind using ansible vault. Now we’ll save this and quit. Now what happens if we again execute this playbook? So this is failed. With this error, we know why. So we have error attempting to decrypt but no volt secrets found. Now what we need to do we must use ask vash pass flag to execute this playbook. So that it will ask to enter volt password which will be used to decrypt this variable. Ask dashvolt pass. Now here we need to enter vassword. We know password is password now this time playbook execution is successful. So in this way we can use encrypted passwords or other variables in the playbook. But we must use ask VAS flag to execute playbook. And we need to enter volt password. Other alternative is use vid. Then specify file containing world password. I will come to this later on. I will clear the screen.

Now we know how we can encrypt variables. Next, we’ll learn how we can encrypt file. If you remember, we created one. File with name password dot YML, which contains password info of some users of three users. We’ll encrypt that file. I will display file before encrypting. We have this info in this file. We know this file is used in. One of our playbooks with name create underscore users YML. Now we’ll move further to encrypt this file. We know what we need to do. In this case we must use ansible dashboard with encrypt subcommand.

Then here we need to provide file to be encrypted here. I will not use ask vast flag. Anyway, it will ask to set world password. Now we need to set vote password. I will set password as password. Encryption successful. Now, again, I will display this file now. Contents are in encrypted format. I will clear the screen now. What will happen if we execute Playbook using this variable file? nsible playbook create underscore users YML so here we have error attempting to decrypt. But no vault secrets found. We knew this will happen. We also know how to solve this.

We must use Ask Vast Flag so that it will ask for V password. Then here. We need to provide password now. Everything is fine. Playbook execution is in progress. So in this way we can use encrypted files in the playbook. Now next what I will do, I will create one file with name Vs. And here I will specify vault. Password, which in our case is password. Now again I will execute same playbook.

But instead of using ask VAS flag, we’ll use vid. We know here we need to specify absolute or relative path of file containing world password. We know we stored our password in this file. I’m using relative path here, so it’s working fine as expected. So in this way we can save or store password in some file. Then using world. ID, we can specify path of file containing world password now. I will clear the screen now. Next how we can change vassword? We know we can use rekey subcommand with ansible vand line. We’ll change vassword for password dot VML file ansible v. Then here we’ll use rekey. Then here we need to specify file for which we want to change world password. Of course, this must be encrypted file. Here we need to provide old password or current password first, which is password new world password. I will use new password. Confirm new world password. rekey successful so vote password has been changed. Now what I will do? I will execute same playbook again using Vid. Then I will specify file containing old password to see what happens.

We have error because we have old password in this file. Now I will update this file with new password. This is all we need to do this time. This should work perfectly fine. In this way we can change rotate world password. I will clear the screen. Now in last we’ll learn how we can use vid to assign vids or name to ensable volts. And what is use of this? To understand this, first I will encrypt playbook vault YML which already contains password variable which is encrypted. I will display this playbook again for your reference. So here we have password variable which is encrypted. And we know what password is password. Now what I will do, I will encrypt this playbook as well. And we’ll see what will happen. And sibel vault. Then here we must use encrypt. Then here we need to provide playbook file name. I will set password as password one. So it has been encrypted.

I will display this playbook again. Now we have playbook contents in encrypted format. We’ll execute this playbook again we know we need to use ask vast flag. Here we need to provide vault password. But we don’t know which password we need to provide here for variable or for playbook. Because both are encrypted. I will try password, which is password for variable. We have error. No world secrets were found. Now again we’ll execute same playbook. This time I will provide word password for playbook itself, which is password one. Again we have error. Decryption failed. No world secrets were found. Know how to deal with such situation? I will clear the screen. To deal with such situation, where we need to provide multiple world passwords for playbook execution. We can use vid option to assign vote names to different ansible villain. How we can do this? But before that we must decrypt this playbook. We know how we can do that. And siebel world decrypt.

Then here playbook file name. We know world password is password one. I will enter password decryption successful. I will display contents of this playbook. Now we have decrypted playbook, but still we are using this variable in encrypted form. I will open this file and I will remove this. And again I will set this password variable to Msible. I will save and quit. Now again we’ll encrypt this password variable and playbook itself. But this time by using VIT to assign vid or names to these ansible volts ansible volt. First I will encrypt variable. We know we need to use encrypt underscore string. Then here we must use voltid. Now here we can specify vault name or ID. I will use password adherate prompt. It will prompt to set vassword. Then here again we’ll use name to specify variable. We know how we can do this. This is all we need to do. Again I will use vault password as password. This time you might have noticed this password in the brackets. This is vault ID or volt name. So variable has been encrypted. I will copy this. I will open the playbook. And I will paste this encrypted variable. Here again we need to remove this line this is all we need to do.

Novel encrypt playbook and sylv. Now we need to use encrypt here we must use Vid. Now we can specify Vid or name. I will use Playbook adherate prompt. Then here we need to provide file name again you can see Playbook in the bracket. So this is vault name. I will set password as password one encryption successful. I will display contents of Playbook. No playbook is in encrypted format now again we’ll execute this playbook. Here we must use vote ID. Then here we specify password authorate prompt then again vid playbook prompt.

Now we are telling ansible to prompt for two world passwords one four ansible vid variety password and other four ansible vid playbook. In this way we can differentiate between multiple vasswords. Now here we can see first we need to provide password for variable. I will provide password as password. Next we need to provide volt password for playbook itself. This is clear from this vote ID or name we know password is password one we have output. In this way we can use vid to assign vote names to different ansible votes.

So in this lecture we learned how we can encrypt variable and how we can use encrypted variable in playbook. We also learned how we can encrypt some file or playbook. We also learnt how we can change or rotate virt password. And then last we also learnt how we can use vid to assign virt names to different ansible. Voice can be used to specify file containing world password this is all about this lecture in coming lectures we will be doing tasks related to ansible vault here on this page you can find more info about ansible world what can be encrypted with vault file level encryption? We already discussed about variable level encryption, vault IDs and multiple world passwords we discussed about this you can just go.

8. Task: Creating Encrypted File using Ansible Vault Command Line

Hello, welcome to this lecture. In this lecture we learn how we can create encrypted file. In last lecture we already understood how we can encrypt some existing file and how we can decrypt file. Also we understood how we can encrypt some string. Also we know how to rekey or how to change vault password for some encrypted file. Here we’ll learn how we can create new file containing encrypted information. So here is task description using ansible vansable dashboard create an encrypted file secret YML containing below information. Set word password as password. So file should contain this information. Password one Rscsa ex 200 password two RSCE ex 300 we know we need to use this command with create subcommand this time. Because we are going to create new file. Now let’s move to the ansible control node and start doing this task.

Navy run ansible control node and I am logged in as ansible user. This is simple task. We know what to do. We’ll create file using an siebel vault command line. Then here we must use create. This time we are going to create new file containing information which will be encrypted create then here file name. It will ask to set world password as per task. We need to set password as password. We need to confirm the password now. Here we can type the information. We need to add here password one colon space Rscsa ex 200 password two RSCE ex 303 doors will save and quit. Now I will display this file. We can see information is already encrypted. We know how to view encrypted file and siebel volt. Then here we must use view then secret dot. We need to provide VT password here which is password. So in this way we can view encrypted file. In case you need to decrypt file you can use ansible v then decrypt subcommand. This is all about this task.

9. Task: Editing and Adding Content to Encrypted File

Hello, welcome to this lecture. In this lecture, we’ll learn how we can edit encrypted file without decrypting file. Here is task description. Edit the encrypted file secret YML to add below information to file. File should be edited without decrypting scripting it. So we need to add this information to this encrypted file which we encrypted in last task condition. Here is we should note decrypt file to add this info. In this case, we must use edit subcommand with ansible dashboard. Now let’s move to the ansible control node and start doing this task. Now we are on ansible control node and I am logged in as ansible user in this task, we need to add information to encrypted file. This is simple task but important one.

We know how to do this ENS. Then here we must use addit. Here we’ll provide file name. It will prompt to ask for v password which is password. Now here we can add information. We need to add password. Three. RSC. Ex. 294. This is all we need to do. Again, I will display this file. We have information in encrypted format. We’ll view this file using view command. We need to provide world password so we have information updated. This is all about this task.

10. Task: Changing(Rekey) Ansible Vault Password

Hello, welcome to this lecture. In this lecture, we learn how we can change or rotate VR. This is something purely understood. Here is task description using NSAW VM line change VR for secret dot VML file. We know old password is password. Set new old password as new password. Here we know which command to use ensible v. Then we must use rekey subcommand. This is important for the exam. Then here we need to provide encrypted file name. Let’s move to the ensuing control node and start doing this task. Navy own ensable control node to change bold password.

What we need to do ensable bold rekey then file name. It will prompt to ask for old password which is password. New world password as per task requirement will set new password rekey successful. Now using new password, I will display or view this file ansible dashboard view secret YML. Here I will provide new password which is new password. This is all about this task. Here I also conclude this section. In next section we’ll learn how to create ansible roles. How to download ansible roles from ansible galaxy. And how to use downloaded ansible roles. Also we learn how we can use system roles.

• Category: Uncategorized