This is an example of using a certificate generated from each user's private key, which can then be used to decrypt a single Ansible Vault secret, allowing an Ansible repo to be run without a user needing anything more than a local private key.
- 1 - Generate the Ansible Vault master key and encrypt it against each of the desired users' certificates, giving each user access to the master key.
- 2 - Insert a secret using the above Ansible Vault key.
- 3 - Print out or make use of the encrypted secret.
- ((NOTE)) - Automatic decryption of the above Ansible Vault master key happens by way of the line
vault_password_file=pull_vault_password.sh
inside ansible.cfg, which calls a script that uses your private key to decrypt the vault master key.
The first step is for each user to generate a public key certificate from their own private key, replacing NAMEHERE with your own name, such as rick or stuart:
openssl req -x509 -new -key ~/.ssh/id_rsa -nodes -subj "/C=GB/ST=*/L=*/O=*/OU=*/CN=NAMEHERE/"
Move into the create_secrets folder.
Next, the certificate data needs to be placed at the top of the create_secrets/1_generate_vault_master_password.yml
file. This is a simple example playbook which generates the Ansible master key and places it in a location. It asks what you want the master password to be and then encrypts it against the list of provided certificates.
ansible-playbook 1_generate_vault_master_password.yml
Stay in the create_secrets folder.
The next step is to create Ansible Vault secrets against the current master key (http://docs.ansible.com/ansible/2.4/vault.html). I have provided an example which takes input and spits out Ansible Vault data. This is based on the above generated master key; it then places the data into use_secrets/vault_data.yml
ready to be printed.
ansible-playbook 2_generate_vault_variable.yml
Move into the use_secrets folder and run the playbook:
ansible-playbook 3_print_vault_secret.yml
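The mechanism behind steps 1 and the NOTE, as an added stand-alone example (not the repo's own playbook or pull_vault_password.sh): a constructed master password is encrypted once against two users' certificates with OpenSSL S/MIME (CMS), and either user's private key recovers it, while a key that was not listed as a recipient cannot. The user names, file names and the temporary work directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original repo. Demonstrates encrypting one
# vault master password against several user certs and decrypting it with any
# one of the matching private keys. All names/paths below are assumptions.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
MASTER_PW='constructed-master-password-123'   # constructed sample value

# Create a throwaway private key for a user and derive a self-signed cert from
# it, using the same openssl req invocation as the README. $1 = user name.
make_user() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/$1.key" -nodes \
        -subj "/C=GB/ST=*/L=*/O=*/OU=*/CN=$1/" \
        -out "$WORK/$1.crt" 2>/dev/null
}

# Encrypt the master password once, naming every user's cert as a recipient.
# The content is AES-256 encrypted; each recipient gets the content key
# wrapped with their own public key. Arguments = cert files.
encrypt_master() {
    printf '%s' "$MASTER_PW" | openssl smime -encrypt -aes256 -binary \
        -outform PEM -out "$WORK/master.enc" "$@"
}

# What pull_vault_password.sh does in spirit: decrypt the blob with the
# caller's private key and emit the password for Ansible. $1 = key file.
pull_vault_password() {
    openssl smime -decrypt -inform PEM -in "$WORK/master.enc" -inkey "$1"
}

make_user rick
make_user stuart
make_user carol                      # carol is deliberately NOT a recipient
encrypt_master "$WORK/rick.crt" "$WORK/stuart.crt"
```

Only keys whose certificate was listed at encryption time can open the blob; adding a user later means re-running the encryption step with the new cert included.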