1. Edit the variable file
vi allVaultedVarFile.yml
abc: xxx
efg: 9;lkjp
paw: j!meter
2. Encrypt the entire variable file
ansible-vault encrypt allVaultedVarFile.yml
// Enter a password to use for encryption, e.g. test1234
After encryption, use view to see the file's contents:
ansible-vault view allVaultedVarFile.yml
To modify it, use edit:
ansible-vault edit allVaultedVarFile.yml
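3. Encrypt a single value directly (a string, for example a password string that should not appear in cleartext)
ansible-vault encrypt_string "vaultedValue"
// Enter a password to use for encryption, e.g. test1234
The generated encrypted output looks like this: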
!vault |
          $ANSIBLE_VAULT;1.1;AES256
          65336434666133656337373237613436633866336264343538643737613533326431313061323139
          3639316366376532323963396338393263303735383839330a663535393132616337646137356538
          36353939613265613934643236663630306563643262616264383233633266356535646235366136
          6632303732666431640a353239366230616463356565613235313036643333636164643332383338
          6535
4. Paste the encrypted output from step 3 directly after the corresponding variable name
cat somevaultvar.yml (note that this file itself is not encrypted)
vaultvar: !vault | # note: there must be a space after the colon!!
          $ANSIBLE_VAULT;1.1;AES256
          65336434666133656337373237613436633866336264343538643737613533326431313061323139
          3639316366376532323963396338393263303735383839330a663535393132616337646137356538
          36353939613265613934643236663630306563643262616264383233633266356535646235366136
          6632303732666431640a353239366230616463356565613235313036643333636164643332383338
          6535
nonvault: nonvaulted_value
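5. Reference variables from the encrypted file, or encrypted variables inside a variable file, in a playbook
cat readVault.yml
- hosts: localhost
  gather_facts: no
  vars_files:
    # whole-file-encrypted variable file; it must define abc (as allVaultedVarFile.yml from step 2 does)
    - test.yml
    # cleartext file carrying one inline !vault value (step 4)
    - somevaultvar.yml
  tasks:
    # debug prints the decrypted values in cleartext; for demonstration only
    - name: use debug to view the vault values
      debug:
        msg: "{{ vaultvar }} : {{ nonvault }}: {{ abc }}"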
6. When running the playbook, add the --ask-vault-pass (or --ask-v) option
ansible-playbook readVault.yml --ask-v
// You are then prompted for the decryption password, test1234
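
A check for the variable files built in steps 2 to 4, as an added example that is not part of the original walkthrough: it verifies that a whole-file or inline vault payload has the documented 1.1 layout (header, then hex-encoded salt, HMAC and ciphertext) without decrypting it, which catches truncated pastes, and it flags cleartext values under secret-looking names. The function names, the name pattern and the sample payload built from dummy bytes are assumptions made for the example.

```python
import binascii
import re

HEADER = re.compile(r"^\$ANSIBLE_VAULT;(1\.[12]);AES256(;\S+)?$")
INLINE = re.compile(r"^(\w+):[ \t]*!vault[^\n]*\n((?:[ \t]+\S.*\n?)*)", re.M)
PLAIN = re.compile(r"^(\w+):(?![ \t]*!vault)", re.M)
SECRET_NAME = re.compile(r"pass|pwd|secret|token", re.I)  # assumed naming convention

def parse_envelope(text):
    """Check the layout of a vault payload without decrypting it."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    m = HEADER.match(lines[0]) if lines else None
    if not m:
        raise ValueError("missing $ANSIBLE_VAULT header")
    try:  # body = hex( hex(salt) \n hex(hmac) \n hex(ciphertext) )
        inner = binascii.unhexlify("".join(lines[1:]))
        salt, mac, ct = (binascii.unhexlify(p) for p in inner.split(b"\n"))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"malformed vault body: {exc}") from None
    # plaintext is PKCS7-padded before AES-CTR, so ciphertext is a multiple of 16 bytes
    if len(salt) != 32 or len(mac) != 32 or not ct or len(ct) % 16:
        raise ValueError("unexpected salt/HMAC/ciphertext length")
    return {"version": m.group(1), "salt": salt, "hmac": mac, "ciphertext": ct}

def audit_vars(text):
    """Findings for one vars file: broken vault blobs and cleartext secrets."""
    whole = text.lstrip().startswith("$ANSIBLE_VAULT;")  # whole file encrypted (step 2)
    blobs = [("<file>", text)] if whole else INLINE.findall(text)  # inline: steps 3-4
    names = [] if whole else PLAIN.findall(text)
    findings = [f"{n}: cleartext value under a secret-looking name"
                for n in names if SECRET_NAME.search(n)]
    for name, blob in blobs:
        try:
            parse_envelope(blob)
        except ValueError as exc:
            findings.append(f"{name}: {exc}")
    return findings

def make_sample(drop_rows=0):
    """Constructed inline !vault value from dummy bytes (not real ansible-vault output)."""
    parts = [binascii.hexlify(b) for b in (b"\x01" * 32, b"\x02" * 32, b"\x03" * 16)]
    body = binascii.hexlify(b"\n".join(parts)).decode()
    rows = ["$ANSIBLE_VAULT;1.1;AES256"] + [body[i:i + 80] for i in range(0, len(body), 80)]
    return "vaultvar: !vault |\n" + "".join(f"  {r}\n" for r in rows[:len(rows) - drop_rows])

if __name__ == "__main__":
    print(audit_vars(make_sample() + "nonvault: nonvaulted_value\n"))
    print(audit_vars(make_sample(drop_rows=1) + "db_password: test1234\n"))
```
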