Currently my inventory file looks like this (using password-based authentication):

[testvm]
104.231.213.32 ansible_user=worker ansible_password=Worker@12345
52.176.22.203 ansible_user=worker2 ansible_password=Worker2@12345

How can I use ansible-vault to store the usernames and passwords in a separate file and use that file at runtime?

I tried encrypting the individual variables in a .yml file and reformatting the hosts file with:

ansible-vault encrypt_string 'Worker@12345' --vault-id admin@prompt --name 'ansible_password'

which resulted in:
all:
  children:
    ubuntu:
      hosts:
        104.231.213.32:
          ansible_user: !vault |
            $ANSIBLE_VAULT;1.2;AES256;admin
            33363434333133333263396366373038613637626233666136383431346532626561343633323034
            6133653864353638353830323462363832633131633566300a396236656564366665656466383436
            35643631373230393762636638346564376361343864653833343864346262633734393863336335
            3133633534646631620a353865323561363966396461626664353163313430653064396431633637
            3962
          ansible_password: !vault |
            $ANSIBLE_VAULT;1.2;AES256;admin
            32353137656161646166626661353763363235643634383338623735623964626134343035383430
            3564346262653066383565636236313462663862336361300a623139373831633662633734626166
            62316465386531333261323935383264383262623039346664393036313030306131633936646631
            6233373962373966370a373363343432353662363037343837653463366337653230623161313633
            3633
        52.176.22.203:
          ansible_user: !vault |
            $ANSIBLE_VAULT;1.2;AES256;admin
            38663536393035633533333538646365306439306133343861343363323164663366653430393333
            3235383435386630343231323338383366353462616265610a316338613861383334336436373337
            63616538656439396162626264356566313837613564663365356337386134363936616166623436
            3436663933373537320a653536396538636165376239653637653465323461313764323630383533
            3661
          ansible_password: !vault |
            $ANSIBLE_VAULT;1.2;AES256;admin
            65306434346538643464353464633762663765613636396638373735333465356237613033616666
            3336366262363064396538373664636564616561323231360a616537366261613332333633666439
            36303130353166613339366432386330333964643734633235346137316238633132316661346563
            6138666136653536640a393637383038363266646239306663626632663766396663643632633934
            6537

The problem with this approach is that if I have different usernames and passwords on multiple servers, I have to encrypt each credential separately with the same vault id and password. If I want to group the hosts differently, I would have to rearrange the whole file, which is already too large.
Instead, I am looking for a solution that lets me keep my IPs in one file (so I can group them however I want) and store the credentials associated with those IPs in a different, encrypted file that is used at runtime.

So the final structure should look like this:

Hosts IP file:

# /ansible/inventory/hostsIP
[testvm]
104.231.213.32
52.176.22.203

Hosts credentials file (encrypted, of course):

# /ansible/inventory/hostsCredentials
104.231.213.32 ansible_user=worker ansible_password=Worker@12345
52.176.22.203 ansible_user=worker2 ansible_password=Worker2@12345

plus some command with which I can link the two together at runtime.
Posted on 2022-07-25 15:49:42
I would do it like this:

./inventory/group_vars/all/credentials.yaml

---
credentials:
  104.231.213.32:
    user: a_user
    password: a_password
  52.176.22.203:
    user: an_other_user
    password: an_other_password

Note: the above is the unencrypted content. You should encrypt it with ansible-vault encrypt ... and then edit it with ansible-vault edit ....

./inventory/group_vars/all/main.yml

---
ansible_user: "{{ credentials[inventory_hostname].user | d('default_user') }}"
ansible_password: "{{ credentials[inventory_hostname].password | d('default_password') }}"

./inventory/main.yml

---
testvm:
  hosts:
    104.231.213.32:
    52.176.22.203:

You can test that it works with a simple ad-hoc command:

ansible all -i inventory/ -m debug -a "msg='User: {{ ansible_user }} / Password: {{ ansible_password }}'"

In the above case, this should give:

$ ansible all --ask-vault-pass -i inventory/ -m debug -a "msg='User: {{ ansible_user }} / Password: {{ ansible_password }}'"
Vault password:
104.231.213.32 | SUCCESS => {
    "msg": "User: a_user / Password: a_password"
}
52.176.22.203 | SUCCESS => {
    "msg": "User: an_other_user / Password: an_other_password"
}

https://stackoverflow.com/questions/73109998
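The layout in the answer above only protects the credentials if the group_vars file really is vault-encrypted and the plain hosts inventory really has had its inline passwords removed. The following pre-flight check, an added example that is not part of the question or the answer, enforces both rules before a play is run: it refuses while `credentials.yaml` lacks an `$ANSIBLE_VAULT;` header line or while the INI-style hosts file still carries `ansible_password=` on a host line. The file paths, the scratch directory, the demo vault password file and the stand-in vault output written when `ansible-vault` is not installed are all constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original question or answer: a pre-flight
# check for the split layout the answer proposes. It refuses to proceed while
# the group_vars credentials file is still plaintext (no ansible-vault header)
# or while the plain hosts inventory still carries inline ansible_password=
# values. All paths below are assumptions that mirror the answer's layout.

# Succeeds (0) when FILE starts with an ansible-vault header line.
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# Succeeds (0) when any non-comment line of the INI inventory FILE has ansible_password=.
inventory_has_plaintext_passwords() {
    grep -Eq '^[^#]*ansible_password=' "$1"
}

# check_inventory_layout CREDS_FILE HOSTS_FILE: 0 when both rules hold, 1 otherwise.
check_inventory_layout() {
    rc=0
    if ! is_vault_encrypted "$1"; then
        echo "refusing: $1 is not vault-encrypted (run: ansible-vault encrypt $1)" >&2
        rc=1
    fi
    if inventory_has_plaintext_passwords "$2"; then
        echo "refusing: $2 still contains inline ansible_password= values" >&2
        rc=1
    fi
    return $rc
}

# --- demo on constructed files in a scratch directory ---
demo=$(mktemp -d)
mkdir -p "$demo/inventory/group_vars/all"
hosts_file=$demo/inventory/hostsIP
creds_file=$demo/inventory/group_vars/all/credentials.yaml

# Constructed plain hosts inventory: IPs only, as the question wants.
printf '%s\n' '[testvm]' '104.231.213.32' '52.176.22.203' > "$hosts_file"
# Constructed credentials file in the answer's shape, still plaintext.
printf '%s\n' '---' 'credentials:' '  104.231.213.32:' '    user: a_user' \
    '    password: a_password' > "$creds_file"

# First pass fails: the credentials file has not been encrypted yet.
if check_inventory_layout "$creds_file" "$hosts_file"; then
    echo "unexpected: plaintext credentials passed the check"
else
    echo "plaintext credentials rejected, as intended"
fi

# Encrypt for real when ansible-vault is installed; otherwise write a constructed
# stand-in whose first line is the header the check looks for.
pw_file=$demo/.vault_pass            # demo-only password file, never commit one
printf 'demo-vault-password\n' > "$pw_file"
if command -v ansible-vault >/dev/null 2>&1; then
    ansible-vault encrypt --vault-password-file "$pw_file" "$creds_file"
else
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '30303030303030303030' > "$creds_file"
fi

# Second pass succeeds: IPs live in hostsIP, credentials are encrypted.
if check_inventory_layout "$creds_file" "$hosts_file"; then
    echo "layout ok: run ansible all -i $demo/inventory/ --vault-password-file $pw_file ..."
fi
rm -rf "$demo"
```

The header check is deliberately shallow: it only asks whether the file was produced by `ansible-vault encrypt`, which is exactly the step the answer tells you not to skip. Run it from a wrapper or a pre-commit hook so that a credentials file saved in plaintext, or a hosts file that still carries the old inline `ansible_password=` entries, is caught before it reaches the repository or a play.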