At my company we use Azure cloud services. For our local department we want to set up a set of Linux servers. These servers are used to form a test setup.
To set up and maintain these servers we chose to use Ansible. To store secrets such as login details, we use Azure Key Vault, or we can use an ansible-vault
encrypted file with the password stored in the Azure Key Vault.
This is where the problem is. If we were to perform the following Ansible playbook (based on this documentation):
```yaml
---
- hosts: linux-servers
  connection: local
  collections:
    - azure.azcollection
  vars:
    vault_name: <key_vault_name>
    secret_name: <password_name>
    resource_group: <resource_group_name>
    vault_uri: <vault_uri>
  tasks:
    - name: Get decrypt password.
      block:
        # Read the secret from Key Vault; the value ends up in kvSecret.secrets[0].secret
        - name: Get secret value
          azure_rm_keyvaultsecret_info:
            vault_uri: "{{ vault_uri }}"
            name: "{{ secret_name }}"
          register: kvSecret
        - name: set secret fact
          set_fact:
            decrypt_password: "{{ kvSecret['secrets'][0]['secret'] }}"
        # For testing only: this prints the secret into the job output
        - name: Output key vault secret
          debug:
            msg: "{{ decrypt_password }}"
    - name: Perform some management stuff
      file:
        path: /opt/testfile.ext
        owner: test
        group: test
        mode: '0666'
```
We are perfectly fine to obtain the password or any other values.
However, we want to use this obtained password to decrypt the ansible-vault
files which contain the login for each of the Linux servers.
This works well, as long as we do not use ansible-vault
encrypted files; however, we do want to use those, as they contain the SSH logins for the servers.
From what I read in the documentation, it is only possible to provide the vault password via:
- Prompt
- File
- Script file (python).
My question is the following.
Is there something we are missing? Is it possible to have a role/include precede the overall playbook to obtain the ansible-vault
password and decrypt the files?
Any pointers or alternatives are much appreciated.
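As an added example, not part of the original post, here is the third option from the list above (a vault password script) filled in so that the ansible-vault password is read from Azure Key Vault. It is my own code and makes a few assumptions: the `az` CLI is installed and logged in on the control node (an `az login` session, a managed identity or a service principal all work), the vault name is taken from an environment variable whose name I chose (ANSIBLE_KEYVAULT_NAME), and the `--vault-id` label is used as the Key Vault secret name. The file name must end in `-client.py`, because that is what makes Ansible pass `--vault-id <label>` to the script. Ansible resolves vault secrets before it parses inventory, so vault-encrypted inventory and host_vars files decrypt without any task in the playbook having to run first.

```python
#!/usr/bin/env python3
"""Ansible vault password client script backed by Azure Key Vault (added example).

Save as e.g. keyvault-client.py, chmod +x, then run:
    ANSIBLE_KEYVAULT_NAME=<key_vault_name> \
    ansible-playbook --vault-id linux-servers@./keyvault-client.py site.yml
Ansible invokes the script as  keyvault-client.py --vault-id linux-servers
and reads the password from stdout; here the label "linux-servers" is the
name of the Key Vault secret that holds the ansible-vault password.
"""
import argparse
import os
import re
import subprocess
import sys

# Key Vault secret names are 1-127 characters: letters, digits and hyphens.
SECRET_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,127}$")
VAULT_NAME_ENV = "ANSIBLE_KEYVAULT_NAME"  # hypothetical variable, chosen for this example


def parse_args(argv):
    """Parse the arguments Ansible passes to a *-client.py vault password script."""
    parser = argparse.ArgumentParser(description="Ansible vault password client")
    parser.add_argument("--vault-id", required=True,
                        help="vault-id label, used here as the Key Vault secret name")
    return parser.parse_args(argv)


def validate_secret_name(name):
    """Reject labels that cannot be Key Vault secret names before they reach the CLI."""
    if not SECRET_NAME_RE.match(name):
        raise ValueError("invalid Key Vault secret name: %r" % name)
    return name


def az_command(vault_name, secret_name):
    """Build the argv list that prints one secret value as plain text (real az CLI flags)."""
    return ["az", "keyvault", "secret", "show",
            "--vault-name", vault_name,
            "--name", validate_secret_name(secret_name),
            "--query", "value", "--output", "tsv"]


def fetch_secret(vault_name, secret_name, runner=subprocess.run):
    """Return the secret value; `runner` is injectable so the lookup can be exercised offline."""
    result = runner(az_command(vault_name, secret_name),
                    capture_output=True, text=True, check=False)
    if result.returncode != 0:
        raise RuntimeError("az failed: " + result.stderr.strip())
    value = result.stdout.rstrip("\r\n")
    if not value:
        raise RuntimeError("empty secret value for %s" % secret_name)
    return value


def make_fake_runner(stdout, returncode=0, stderr=""):
    """Stand-in for subprocess.run so the script can be tested without az or Azure."""
    def runner(cmd, **kwargs):
        return subprocess.CompletedProcess(cmd, returncode, stdout=stdout, stderr=stderr)
    return runner


def main(argv=None, runner=subprocess.run):
    args = parse_args(sys.argv[1:] if argv is None else argv)
    vault_name = os.environ.get(VAULT_NAME_ENV)
    if not vault_name:
        raise SystemExit("%s is not set" % VAULT_NAME_ENV)
    # Ansible takes the password from stdout; keep stderr free for diagnostics.
    sys.stdout.write(fetch_secret(vault_name, args.vault_id, runner) + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because the label becomes the secret name, one script serves several vault ids (`--vault-id linux-servers@./keyvault-client.py --vault-id db@./keyvault-client.py`), each mapping to its own Key Vault secret. The label is validated against the Key Vault naming rules before it is handed to the CLI, and the command is passed as an argv list rather than a shell string, so a malformed label fails loudly instead of being interpreted by a shell.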