Python 3: Encrypting Ansible Vault programmatically
30 Jun 2020ansible
is the only module needed for this script. If you don’t need to specify vault_id
, below code would work.
from ansible.parsing.vault import VaultEditor, VaultSecret
vault_password = 'vault_password123'
secret_value = 'super_secret_123'
vault_id = None
encrypted_secret = VaultEditor().encrypt_bytes(secret_value,
VaultSecret(bytes(vault_password, 'utf-8')),
vault_id=vault_id).decode("utf-8")
encrypted_text = 'secret_token: !vault |\n ' + encrypted_secret.replace('\n', '\n ')
print(encrypted_text)
Omits:
secret_token: !vault |
$ANSIBLE_VAULT;1.1;AES256
66353534363061653436373834373430646336326336393732303863336561303061666366323539
6362616464613735373537633931626639616137366139630a623238353331376632653039643333
34356564343365383465363939613266646636653065656432313533386532306532663861353336
6531383463386364320a396564653362303463663630636431316561333633616465363838303166
30346237613037316239633366363864323433653838663363386264636637396462
If you specify vault_id='test-vault1'
, it will be added to the text as well.
secret_token: !vault |
$ANSIBLE_VAULT;1.2;AES256;test-vault1
31623361633964316532383939313530333630316466386138353836653732663531333361613634
3566356366663832393166376361336263333734663234320a386165393633633233366639396636
36343666346365623133633264633537316262343239383265323738636633646534636564343830
3039623764666134620a323231363465346238623163386534353536313235353563333533633363
30313166366364336338383935393037643363653434393864633835393839303333
Tags
- python
- ansible