I have a bash script that runs multiple ansible-playbooks.
e.g. before encryption:
ansible-playbook check_patch_applied.yml --extra-vars="target=123 patch_number=232323" -v t
ansible-playbook apply_patch.yml --extra-vars="target=np026 patch_number=232323" -v
I have recently encrypted the vault. Instead of keeping the vault password in a file on the server (which I think is insecure), I would prefer to type it in and then use that throughout the bash script to run the playbooks.
I don't want to have to type in the password for each playbook. I just want to type it in once at the beginning of the script and then pass it to the ansible-playbook lines.
I tried this:
read -p "Please enter the Ansible Vault password ? : " vault_password
vault_password=${vault_password,,}
ansible-playbook check_patch_applied.yml --extra-vars="target=123 patch_number=232323" --vault-id < (echo ${vault_password})
but I get syntax errors. Any ideas please? Thanks in advance.
I also tried this:
ansible-playbook check_patch_applied.yml --extra-vars="target=$target patch_number=$i" --vault-id @prompt < (echo "${vault_password}")
./patch.sh: line 117: syntax error near unexpected token `('
./patch.sh: line 117: ` ansible-playbook check_patch_applied.yml --extra-vars="target=$target patch_number=$i" -v --vault-id @prompt < (echo "${vault_password}")'
I don't want to use --vault-password-file and I do not want to keep the vault password on the server.
Here is a possible solution adapted from another answer. The trick is to use /bin/cat as the vault password file while providing the password from stdin:
read -p "Please enter the Ansible Vault password ? : " vault_password
echo ${vault_password} | ansible-playbook check_patch_applied.yml --extra-vars="target=123 patch_number=232323" --vault-password-file=/bin/cat
This will ask for your password interactively while letting you reuse it in different ansible commands in the same script without storing it on disk.
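A complete script built on the /bin/cat trick, added here as an example and not part of the original answer: it reads the password once without echoing it to the terminal, then feeds it through stdin to each playbook run. The playbook names and extra-vars come from the question; the helper functions are assumptions constructed for this example, and emulate_vault_reader is a stand-in that mimics how Ansible treats an executable password file (run it, take its stdout as the password) so the mechanism can be exercised without Ansible installed. The interactive part only runs when stdin is a terminal and ansible-playbook is on PATH.

```shell
#!/bin/sh
# Added example (not from the original answer): enter the vault password once,
# reuse it for every ansible-playbook call, never write it to disk.
set -eu

# Run "$@" with the vault password supplied on stdin. ansible-playbook executes
# /bin/cat as its "password file"; cat inherits our stdin and prints the password
# on stdout, which Ansible reads. printf is a shell builtin, so the password never
# appears in the process list, and no file is written.
run_with_vault() {
    local pw
    pw="$1"; shift
    printf '%s\n' "$pw" | "$@" --vault-password-file=/bin/cat
}

# Stand-in for the Ansible behaviour this relies on (constructed for the example,
# not Ansible's own code): if the password file is executable, run it and use its
# stdout as the password; otherwise read the file. Used to demonstrate the flow.
emulate_vault_reader() {
    local file arg
    file=""
    for arg in "$@"; do
        case "$arg" in
            --vault-password-file=*) file="${arg#--vault-password-file=}" ;;
        esac
    done
    [ -n "$file" ] || { echo "no --vault-password-file given" >&2; return 1; }
    if [ -x "$file" ]; then
        "$file"        # executable "script": its stdout is the password
    else
        cat "$file"    # plain file: its contents are the password
    fi
}

# Interactive part: prompt with terminal echo off, run the playbooks from the
# question, then drop the password from the shell environment.
if [ -t 0 ] && command -v ansible-playbook >/dev/null 2>&1; then
    trap 'stty echo 2>/dev/null' EXIT     # restore echo even on Ctrl-C
    printf 'Please enter the Ansible Vault password: '
    stty -echo; read -r vault_password; stty echo; printf '\n'
    run_with_vault "$vault_password" ansible-playbook check_patch_applied.yml \
        --extra-vars="target=123 patch_number=232323" -v
    run_with_vault "$vault_password" ansible-playbook apply_patch.yml \
        --extra-vars="target=np026 patch_number=232323" -v
    unset vault_password
fi
```

Running `run_with_vault 's3cret' emulate_vault_reader` prints `s3cret`, which is exactly what ansible-playbook would obtain from its "password file". Two points worth keeping in mind when adapting this: the `${vault_password,,}` step in the question lowercases whatever was typed, so a mixed-case vault password would no longer match; and because Ansible's password script inherits the script's stdin, this approach assumes the playbook itself does not also need to read from stdin.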