Category Archives: Ansible

Passing Vault Passwords to Ansible Playbooks in Jenkins Pipelines using Named Pipes

The Problem

Passing vault passwords to Ansible in Jenkins involves one of:

  • Ansible prompting for the vault password (since 2.4 this only works via a tty, so the password cannot be piped in – and piping it may in any case risk exposing the password in the process list).
  • Pointing Ansible at a file containing the plaintext vault password – with the risk of someone finding it.
  • Pointing Ansible at a script that can (somehow) provide the vault password (from somewhere).

Another option I’ve been playing with is passing the vault password via a named pipe, where once Ansible has read the password from the pipe, it is gone – one-shot. See below.

Named Pipes

Named pipes, aka FIFO pipes

As soon as Ansible consumes the entry in the pipe, it is lost, minimising exposure of the password.

Combine with random temporary file names.

In a Jenkins Pipeline, could this be simplified with a Groovy script that sets this up?

Alternatively, could Groovy instead create a one-shot script that returns the vault password if the Ansible process calling it can provide a shared secret to access it (e.g. an environment variable passed to Ansible – though this again could be visible in the process table)?

Either of the above two approaches could limit the exposure of the vault password…

Has anybody found a genuinely secure way to pass vault passwords to Ansible Playbooks in a Jenkins Pipeline?

Update:

My final solution:


Ansible RESTful Dynamic Inventory with Node.js

Most examples of Ansible Dynamic Inventory are coded in Python or Bash, but if you want to access a RESTful API to get your inventory, e.g. from the OpenStack Nova Compute API, then the language of the web, JavaScript, could be a better approach.

So, let's first have a look at a simple example in JavaScript of how the inventory data is constructed:

If we run this script we get the following results:

Running this from Ansible gives us:

So, let's take the next step and write an inventory script to pull fixed or floating IP addresses from the OpenStack Nova Compute RESTful API. Here’s my script to demo this:

This script first authenticates the user for the tenant, then calls the Nova RESTful API with the authentication token, getting a list of servers and their details. The inventory is then generated from either the fixed or floating IP addresses.

Run this script to see the JSON it generates:

Which, from my OpenStack, generates:

We can now run this from Ansible using:

Success!

So, in summary, JavaScript and Node.js (or io.js) are suitable candidates for Ansible Dynamic Inventory scripting, especially when you want to get data from a RESTful API.