[Ansible] Vault


Vault

Encrypts whole files, or selected strings inside them

  • File level
    • an entire playbook
    • inventory variable files
    • include/import task files

Vault password: uses the AES symmetric-key algorithm (the same password encrypts and decrypts)

  • Single password: every file is encrypted with one and the same password
    • --ask-vault-pass
    • --vault-password-file
  • Multiple passwords: a different password per team or duty
    • --vault-id

ansible-vault

create

[vagrant@controller 11_vault]$ ansible-vault create encrypt.yml
New Vault password: 
Confirm New Vault password:

decrypt

[vagrant@controller 11_vault]$ ansible-vault decrypt encrypt.yml 
Vault password: 
Decryption successful

edit

[vagrant@controller 11_vault]$ ansible-vault edit encrypt.yml 
Vault password:

view

[vagrant@controller 11_vault]$ ansible-vault view encrypt.yml 
Vault password:

encrypt

[vagrant@controller 11_vault]$ ansible-vault encrypt encrypt.yml 
New Vault password: 
Confirm New Vault password: 
Encryption successful

rekey

[vagrant@controller 11_vault]$ ansible-vault rekey encrypt.yml 
Vault password: 
New Vault password: 
Confirm New Vault password: 
Rekey successful

Vault password options

[vagrant@controller 11_vault]$ echo "password" > vaultpass
[vagrant@controller 11_vault]$ cat vaultpass 
password
[vagrant@controller 11_vault]$ ansible-vault create a.yml --vault-password-file vaultpass
[vagrant@controller 11_vault]$ ansible-vault view a.yml --vault-password-file vaultpass 
- hosts: 192.168.100.11
  tasks:
    - debug:
        msg: hello world
[vagrant@controller 11_vault]$ echo "pass"> newvaultpass
[vagrant@controller 11_vault]$ cat newvaultpass 
pass
[vagrant@controller 11_vault]$ ansible-vault rekey a.yml --vault-password-file vaultpass --new-vault-password-file newvaultpass

Using vault safely and conveniently

By setting the vault_password_file path in the ansible.cfg configuration file in advance, the vault can be encrypted with the password in that file without passing --vault-password-file on every command. Keep the password file readable by its owner only (mode 600, as .vaultpass is in the listing below).

[vagrant@controller 11_vault]$ cat .vaultpass 
password
[vagrant@controller 11_vault]$ cat ansible.cfg 
[defaults]
vault_password_file = ./.vaultpass
[vagrant@controller 11_vault]$ ls -al
total 12
drwxrwxr-x. 2 vagrant vagrant  60 Apr 19 14:26 .
drwxrwxr-x. 9 vagrant vagrant 135 Apr 19 13:57 ..
-rw-rw-r--. 1 vagrant vagrant  46 Apr 19 14:25 ansible.cfg
-rw-------. 1 vagrant vagrant 355 Apr 19 14:26 plain.yml
-rw-------. 1 vagrant vagrant   9 Apr 19 14:14 .vaultpass

Encrypting only part of a file

With encrypt_string you can encrypt a single string, i.e. only a specific part of a file rather than the whole file.

**[vagrant@controller 11_vault]$ ansible-vault encrypt_string**
Reading plaintext input from stdin. (ctrl-d to end input)
**hello world**!vault |
          $ANSIBLE_VAULT;1.1;AES256
          64346132356464353761313733663336306135383163623831393835663965356166306566356430
          3630643266366131666630326638623030376165346134620a386234303632626431313530393961
          64613035643538313231666166623066326163613338383261386331316331393231656266353536
          3261353435613863300a373463356133363230646439393666333335313731336138353833343933
          3261
Encryption successful
**[vagrant@controller 11_vault]$ cat a.yml**
- hosts: 192.168.100.11
  vars:
    message: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          64346132356464353761313733663336306135383163623831393835663965356166306566356430
          3630643266366131666630326638623030376165346134620a386234303632626431313530393961
          64613035643538313231666166623066326163613338383261386331316331393231656266353536
          3261353435613863300a373463356133363230646439393666333335313731336138353833343933
          3261

  tasks:
    - debug:
        msg: "{{ message }}"
**[vagrant@controller 11_vault]$ ansible-playbook a.yml -b**

PLAY [192.168.100.11] *****************************************************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************************************
ok: [192.168.100.11]

TASK [debug] **************************************************************************************************************************************************
ok: [192.168.100.11] => {
    "msg": "hello world"
}

PLAY RECAP ****************************************************************************************************************************************************
192.168.100.11             : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Multiple passwords

Official documentation: https://docs.ansible.com/ansible/latest/user_guide/vault.html#creating-encrypted-variables

Using the --vault-id option

--vault-id label@source tells the ids apart by label so that a different password can be used for each. Note that by default the label is only a hint when decrypting: Ansible tries the secret whose label matches first and then every other secret that was supplied; set vault_id_match = True under [defaults] in ansible.cfg to make the label binding.

source

  • prompt: read the password from an interactive prompt.
    • --vault-id user1@prompt
    [vagrant@controller 11_vault]$ ansible-vault encrypt_string --vault-id user1@prompt
    New vault password (user1): 
    Confirm new vault password (user1): 
    Reading plaintext input from stdin. (ctrl-d to end input)
    hello
    !vault |
              $ANSIBLE_VAULT;1.2;AES256;user1
              64316636613731616235343437643834333637383135646562353038616137343664366263353964
              3439663830393063636634393932653737326134666561660a646539363562383836303336303437
              66353234313134313263653164663434636330356264666466633438613466343538636361386537
              3064323037323638640a396232633438316633306131316162393362643435393466636462316134
              3861
    Encryption successful
    [vagrant@controller 11_vault]$ ansible-vault encrypt_string --vault-id user2@prompt
    New vault password (user2): 
    Confirm new vault password (user2): 
    Reading plaintext input from stdin. (ctrl-d to end input)
    world
    !vault |
              $ANSIBLE_VAULT;1.2;AES256;user2
              64346232623537313134623265636337383534623932393264356439653237303862396539373862
              3437366235396238356433373431383261616233363530330a616634336631366134373036613032
              64333435353138303339626639353239643731636266353261653866373634323936633365303830
              3239393364316665390a323961386237303631343035336266333561376362336265306139343432
              3739
    Encryption successful
    [vagrant@controller 11_vault]$ ansible-playbook a.yml --vault-id user1@prompt --vault-id user2@prompt
    Vault password (user1): 
    Vault password (user2): 
    
    PLAY [192.168.100.11] *****************************************************************************************************************************************
    
    TASK [Gathering Facts] ****************************************************************************************************************************************
    ok: [192.168.100.11]
    
    TASK [debug] **************************************************************************************************************************************************
    ok: [192.168.100.11] => {
        "msg": "hello\n"
    }
    
    TASK [debug] **************************************************************************************************************************************************
    ok: [192.168.100.11] => {
        "msg": "world\n"
    }
    
    PLAY RECAP ****************************************************************************************************************************************************
    192.168.100.11             : ok=3    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
    
  • file: read the password from a file
    • --vault-id user2@.vaultpass
    **[vagrant@controller 11_vault]$ echo "message1: hello" > var1.yml
    [vagrant@controller 11_vault]$ echo "message2: world" > var2.yml
    [vagrant@controller 11_vault]$ ls**
    ansible.cfg  a.yml  inven.ini  test.yml  var1.yml  var2.yml  var.yml
    **[vagrant@controller 11_vault]$ echo "pass1" > pass1
    [vagrant@controller 11_vault]$ echo "pass2" > pass2
    [vagrant@controller 11_vault]$ chmod 600 pass1 pass2
    [vagrant@controller 11_vault]$ ansible-vault encrypt var1.yml --vault-id user1@pass1
    Encryption successful**
    **[vagrant@controller 11_vault]$ ansible-vault encrypt var2.yml --vault-id user1@pass2
    Encryption successful
    [vagrant@controller 11_vault]$ ansible-playbook a.yml --vault-id use1@pass1 --vault-id user1@pass2**
    
    PLAY [192.168.100.11] *****************************************************************************************************************************************
    
    TASK [Gathering Facts] ****************************************************************************************************************************************
    ok: [192.168.100.11]
    
    TASK [debug] **************************************************************************************************************************************************
    ok: [192.168.100.11] => {
        "msg": "hello"
    }
    
    TASK [debug] **************************************************************************************************************************************************
    ok: [192.168.100.11] => {
        "msg": "world"
    }
    
    PLAY RECAP ****************************************************************************************************************************************************
    192.168.100.11             : ok=3    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
    
  • script: a script that returns the password; it does not matter whether it is written in Python or Bash. This is the safest method, because no password has to sit in a plaintext file on the controller.
    • Example: store the passwords in MySQL and write a Python script that fetches the password from the DB.
    • --vault-id user#@getpass.py
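What such a script has to do is small but strict, so here is an added example of one (not code from the original post). It is named vault-client.py on purpose: Ansible treats a password script whose file name (minus extension) ends in -client as a client script and invokes it as vault-client.py --vault-id LABEL for every --vault-id LABEL@vault-client.py it is given, so one script can serve several labels; a script with any other name, like the post's getpass.py, is run with no arguments and can only return a single password. The MySQL backend from the post is replaced by a constructed in-memory mapping plus an environment-variable lookup, both this example's own; the script must be executable, must print the password to stdout, and must exit non-zero when it has nothing to return, because Ansible reports a non-zero exit as an error.

```python
#!/usr/bin/env python3
"""Ansible Vault password client script (added example, not from the original post).

Save as vault-client.py, chmod +x, then use  --vault-id user1@./vault-client.py
on the command line or in vault_identity_list.
"""
import argparse
import os
import re
import sys
from typing import Dict, Mapping, Optional, Tuple

# Constructed stand-in for the per-label password table the post keeps in MySQL.
# A real deployment replaces this with a query against a store that has its own
# access control and audit trail.
FAKE_SECRET_STORE: Dict[str, str] = {"user1": "pass1", "user2": "pass2"}


def env_var_name(label: str) -> str:
    """ANSIBLE_VAULT_PASS_<LABEL>, with the label sanitised to [A-Z0-9_]."""
    return "ANSIBLE_VAULT_PASS_" + re.sub(r"[^A-Za-z0-9]", "_", label).upper()


def resolve_password(label: str, environ: Mapping[str, str],
                     store: Mapping[str, str]) -> Optional[str]:
    """Environment first (CI runners inject secrets that way), then the store.
    None means the label is unknown."""
    value = environ.get(env_var_name(label))
    if value:
        return value
    return store.get(label)


def run_client(argv, environ=None, store=None) -> Tuple[int, str]:
    """Behave as Ansible expects: return (exit_code, text_for_stdout)."""
    environ = os.environ if environ is None else environ
    store = FAKE_SECRET_STORE if store is None else store
    parser = argparse.ArgumentParser(description="Ansible Vault password client")
    # Ansible passes --vault-id LABEL to *-client scripts; "default" is the label
    # Ansible itself uses when no label was given.
    parser.add_argument("--vault-id", dest="vault_id", default="default")
    args = parser.parse_args(argv)
    password = resolve_password(args.vault_id, environ, store)
    if password is None:
        # Fail loudly: an empty password on exit 0 would silently make every
        # decryption fail with a confusing error later.
        print("vault-client: no password for vault-id %r" % args.vault_id, file=sys.stderr)
        return 2, ""
    # Ansible strips surrounding whitespace from stdout, so the newline is harmless.
    return 0, password + "\n"


if __name__ == "__main__":
    code, out = run_client(sys.argv[1:])
    sys.stdout.write(out)
    sys.exit(code)
```

Keeping the lookup in resolve_password and the process behaviour in run_client means the backend can be swapped for a database or secret-manager call without touching the part Ansible talks to, and the script can be exercised in tests without Ansible installed.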

Using vault with multiple passwords safely and conveniently

# ansible.cfg

[defaults]
vault_identity_list = user1@pass1, user1@pass1

Decryption

ansible-vault view var2.yml
ansible-playbook test.yml

Encryption

ansible-vault create var3.yml --encrypt-vault-id user1
ansible-vault encrypt var3.yml --encrypt-vault-id user1