
Ansible Vault is the feature that encrypts and decrypts security-sensitive files such as passwords and keys; it is installed together with Ansible itself.
It can encrypt any structured data file that Ansible uses.

 

The example below covers only what I tested: encrypting a YAML file, running it, and decrypting it again.

 

1. ansible-vault help

[root@ansible-tower hk-manual]# ansible-vault -h
usage: ansible-vault [-h] [--version] [-v]
                     {create,decrypt,edit,view,encrypt,encrypt_string,rekey}
                     ...

encryption/decryption utility for Ansible data files

positional arguments:
  {create,decrypt,edit,view,encrypt,encrypt_string,rekey}
    create              Create new vault encrypted file
    decrypt             Decrypt vault encrypted file
    edit                Edit vault encrypted file
    view                View vault encrypted file
    encrypt             Encrypt YAML file
    encrypt_string      Encrypt a string
    rekey               Re-key a vault encrypted file

optional arguments:
  --version             show program's version number, config file location,
                        configured module search path, module location,
                        executable location and exit
  -h, --help            show this help message and exit
  -v, --verbose         verbose mode (-vvv for more, -vvvv to enable
                        connection debugging)

See 'ansible-vault <command> --help' for more information on a specific
command.

 

 

2. Checking the contents of the yaml file before encryption

[root@ansible-tower hk-manual]# cat 11.yml
- name: Manual Sample
  hosts: all
  tasks:
    - name: Hello Message
      debug:
        msg: "Hello. vault Test."

 

 

3. ansible vault - encryption

[root@ansible-tower hk-manual]# ansible-vault encrypt 11.yml
New Vault password:
Confirm New Vault password:
Encryption successful

[root@ansible-tower hk-manual]# cat 11.yml
$ANSIBLE_VAULT;1.1;AES256
66363232383931653164633361323531663435626466626163383637633261373162363330633861
3962613463376534326538353138653836386534393364320a333438363965613633356539333165
30656130636538626430346362323466663964643330386235643638313066643236393763663062
3663313234353839620a616234646365656161336330373234626337393739363432616138626237
39373937396434353066333063346137653166353964393566613366633833303730373166336230
32323334666631363633373437346264616635366166636539323833313130336561343834326262
38333163386332386634393339353938333662313761303461353830643438626264646130663032
37353361656664383337626533306538303164303530303465643562373265393336346664383335
65646534653365653232643963343230616435333230393964643134376437316462306339653064
6662636635333839643066353565333631393830323733613234

 

 

4. Running ansible-playbook

[root@ansible-tower hk-manual]# ansible-playbook --ask-vault-pass 11.yml
Vault password:

PLAY [Manual Sample] ******************************************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************************
ok: [60.30.152.10]

TASK [Hello Message] ******************************************************************************************************************************
ok: [60.30.152.10] => {
    "msg": "Hello. vault Test."
}

PLAY RECAP ****************************************************************************************************************************************
60.30.152.10               : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=

 

 

5. ansible vault - viewing the encrypted contents

[root@ansible-tower hk-manual]# ansible-vault view 11.yml
Vault password:
- name: Manual Sample
  hosts: all
  tasks:
    - name: Hello Message
      debug:
        msg: "Hello. vault Test."

 

 

6. ansible vault - decryption

[root@ansible-tower hk-manual]# ansible-vault decrypt 11.yml
Vault password:
Decryption successful

[root@ansible-tower hk-manual]# cat 11.yml
- name: Manual Sample
  hosts: all
  tasks:
    - name: Hello Message
      debug:
        msg: "Hello. vault Test."
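The encrypted 11.yml shown in step 3 is not an opaque blob: the `$ANSIBLE_VAULT;1.1;AES256` header is followed by a hex body that decodes to three newline-separated hex fields (a 32-byte salt, a 32-byte HMAC-SHA256 tag, and the AES-256-CTR ciphertext, PKCS7-padded), with keys derived by PBKDF2-HMAC-SHA256 over 10000 iterations. The script below, an added example that is not part of the original post, parses the post's own `cat 11.yml` output (embedded as a constructed string), checks that it has the structure a vault file must have, verifies the HMAC against a password (the real password is not on the page, so only a deliberately wrong one is tried), and finishes with the check a defender actually wants in a pre-commit hook: flagging files whose names suggest secrets but whose contents are not vault-encrypted. The `find_unencrypted_secret_files` naming rule is a hypothetical convention chosen for the example.

```python
import binascii
import hashlib
import hmac

# Constructed input: the encrypted 11.yml exactly as the post's `cat 11.yml`
# shows it after `ansible-vault encrypt`. The vault password is not on the page.
VAULT_FILE = """$ANSIBLE_VAULT;1.1;AES256
66363232383931653164633361323531663435626466626163383637633261373162363330633861
3962613463376534326538353138653836386534393364320a333438363965613633356539333165
30656130636538626430346362323466663964643330386235643638313066643236393763663062
3663313234353839620a616234646365656161336330373234626337393739363432616138626237
39373937396434353066333063346137653166353964393566613366633833303730373166336230
32323334666631363633373437346264616635366166636539323833313130336561343834326262
38333163386332386634393339353938333662313761303461353830643438626264646130663032
37353361656664383337626533306538303164303530303465643562373265393336346664383335
65646534653365653232643963343230616435333230393964643134376437316462306339653064
6662636635333839643066353565333631393830323733613234
"""


def parse_header(text):
    """Parse the first line: $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id label>]."""
    first = text.splitlines()[0].strip()
    parts = first.split(";")
    if len(parts) < 3 or parts[0] != "$ANSIBLE_VAULT":
        raise ValueError("not an Ansible Vault file")
    return {
        "version": parts[1],
        "cipher": parts[2],
        "vault_id": parts[3] if len(parts) > 3 else None,  # only in format 1.2
    }


def is_vault_encrypted(text):
    """True if the content carries a valid vault header."""
    try:
        parse_header(text)
        return True
    except ValueError:
        return False


def unpack_payload(text):
    """Hex-decode the body; it is the hex of 'salt_hex\\nhmac_hex\\nciphertext_hex'."""
    body = "".join(line.strip() for line in text.splitlines()[1:])
    salt_hex, mac_hex, ct_hex = binascii.unhexlify(body).split(b"\n")
    return (
        binascii.unhexlify(salt_hex),
        binascii.unhexlify(mac_hex),
        binascii.unhexlify(ct_hex),
    )


def verify_hmac(text, password):
    """Check the integrity tag the way the 1.1 format defines it.

    PBKDF2-HMAC-SHA256(password, salt, 10000 iterations) yields 80 bytes:
    bytes 0..31 are the AES-256 key, 32..63 the HMAC key, 64..79 the CTR IV.
    The tag is HMAC-SHA256(hmac_key, ciphertext); a wrong password yields a
    mismatch, which is how ansible-vault rejects bad passwords before decrypting.
    """
    salt, expected_mac, ciphertext = unpack_payload(text)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10000, dklen=80)
    mac_key = derived[32:64]
    actual = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(actual, expected_mac)


def find_unencrypted_secret_files(files):
    """files: {path: content}. Return paths that look like secrets files
    (hypothetical rule: 'vault' or 'secret' in the name) but are stored in plaintext."""
    suspects = []
    for path, content in files.items():
        name = path.lower()
        if ("vault" in name or "secret" in name) and not is_vault_encrypted(content):
            suspects.append(path)
    return sorted(suspects)


if __name__ == "__main__":
    print(parse_header(VAULT_FILE))
    salt, mac, ct = unpack_payload(VAULT_FILE)
    print(f"salt={len(salt)}B hmac={len(mac)}B ciphertext={len(ct)}B")
    print("wrong password accepted?", verify_hmac(VAULT_FILE, "not-the-real-password"))
    repo = {  # constructed repository snapshot
        "group_vars/all/vault.yml": "db_password: hunter2\n",
        "group_vars/db/vault.yml": VAULT_FILE,
        "site.yml": "- hosts: all\n",
    }
    print("plaintext secrets:", find_unencrypted_secret_files(repo))
```

The 128-byte ciphertext is consistent with the 114-byte playbook shown in step 2 plus PKCS7 padding to the next 16-byte block, which is a quick sanity check that a file was really produced by `ansible-vault encrypt` rather than hand-edited. The name-based check is deliberately simple; in a real hook you would pair it with a content-based secret scanner, since a plaintext `vars.yml` holding a password passes this rule.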

 
