Using encrypted variable with Ansible-Vault for network automation


I have searched lots of tutorials on the web and YouTube, but no luck.

I want to configure a Cisco switch via Ansible. I already have it set up and it works flawlessly, but I want to store the passwords (for vty lines, console, enable secret...), ideally in the hosts file, encrypted via Ansible-Vault as variables, so I can access them in my .yml file. I want them in the hosts file because we have different passwords for ASW, DSW and CSW, so it could be easier to manage.

I generated an encrypted variable in the CLI:

    ansible-vault encrypt_string enable_password --ask-vault-pass

I copied the value to the variable in /etc/ansible/hosts:

    ...
    [2960-X:vars]
    ansible_become=yes
    ansible_become_method=enable
    ansible_network_os=ios
    ansible_user=admin
    enable_password= !vault |
    $ANSIBLE_VAULT;1.1;AES256
    .....

In config.yml:

    - name: Set enable password
      ios_config:
        lines:
          - enable secret "{{ enable_password }}"

Right now, the password is going to be set as " !vault |".
I am not sure if this is even best practice; I read recommendations for this, but all I could find was about server automation, not networks.

I'm running Ansible 2.8.0.

Any help is appreciated, thank you.

Tags: encryption, automation, ansible, cisco, ansible-vault

asked Mar 26 at 10:03 by glogloglik

1 Answer

Let me quote from Variables and Vaults:

> When running a playbook, Ansible finds the variables in the unencrypted file and all sensitive variables come from the encrypted file.
>
> A best practice approach for this is to start with a group_vars/ subdirectory named after the group. Inside of this subdirectory, create two files named vars and vault. Inside of the vars file, define all of the variables needed, including any sensitive ones. Next, copy all of the sensitive variables over to the vault file and prefix these variables with vault_. You should adjust the variables in the vars file to point to the matching vault_ variables using jinja2 syntax, and ensure that the vault file is vault encrypted.

This scheme isn't limited to group_vars/ only and can be applied to any place where the variables come from.

answered Mar 26 at 11:49 by Vladimir Botka
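
The vars/vault layout from the quoted documentation, applied to the question's `2960-X` group, as an added example that is not part of the original answer or of the Ansible documentation. The group, variable and task names come from the question; the placeholder secret, the `/etc/ansible/group_vars` location (next to the question's inventory file) and the `no_log` setting are assumptions added here.

```yaml
# --- /etc/ansible/hosts (INI) ---
# Keep only group membership and non-secret settings under [2960-X:vars]
# (ansible_become, ansible_become_method, ansible_network_os, ansible_user).
# Drop the "enable_password= !vault |" line: !vault is a YAML tag, so the
# INI inventory keeps it as the literal string " !vault |" and never decrypts it.

# --- /etc/ansible/group_vars/2960-X/vars (plain text, reviewable) ---
---
# Non-secret indirection: playbooks use enable_password, the value lives in the vault file.
enable_password: "{{ vault_enable_password }}"

# --- /etc/ansible/group_vars/2960-X/vault (shown BEFORE encryption) ---
# Constructed placeholder value. Encrypt the whole file in place with:
#   ansible-vault encrypt /etc/ansible/group_vars/2960-X/vault
# After that the file starts with the $ANSIBLE_VAULT;1.1;AES256 header.
---
vault_enable_password: "REPLACE-WITH-REAL-SECRET"

# --- config.yml task ---
# Run with: ansible-playbook config.yml --ask-vault-pass
---
- name: Set enable password
  ios_config:
    lines:
      - "enable secret {{ enable_password }}"
  no_log: true   # assumption added here: keep the decrypted value out of task output
```

One `group_vars/<group>/` directory per switch group (ASW, DSW, CSW) gives each group its own `vars` and `vault` pair, so different passwords per group stay separate while the playbook keeps using the single name `enable_password`.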
