Using Grep on Ansible Vault Files

Feb 26, 2017 20:23 · 248 words · 2 minutes read snippet ansible

When you’re working through an ansible playbook, it’s entirely likely that you’re going to spend a lot of time searching through the repository to see where the variables have been set. Normally, this is pretty easy. Fire up grep and you find exactly what you’re looking for.

However, what if the variable is something sensitive, like a password or an API key? If they’re in your repository, then they should have been encrypted properly. If you can easily grep for passwords in your repository then you have another, much bigger, problem.

If you’re diligent, then you can make sure that you’ve placed your secrets in a known location, which reduces your searching considerably. The convention the Ansible documentation recommends is a plaintext vars file under group_vars that only references vault_-prefixed variables, with the actual values in an encrypted companion file such as vault_staging.yml (or group_vars/staging/vault.yml). You then grep the plaintext file for the variable name, and the encrypted file is the only place left to look.

Human nature being what it is, people forget to do things the right way. Hey - at least the file has been encrypted.

I’m not sure where I originally found this snippet, but it’s come in handy more than once. This should get you the info you need:

#!/bin/bash

# Search recursively through group_vars/ for vault-encrypted files, decrypt
# each one and grep the plaintext for the pattern given as the first argument.
#   - assumes your vault password is in a file named vpass
#   - usage: ./vaultgrep.sh PATTERN

grep -rl '^\$ANSIBLE_VAULT' group_vars/ | while read -r N
do
  # Prefix every hit with its file name so the output stays readable even
  # when a file produces no matches at all.
  ansible-vault view --vault-password-file vpass "$N" | grep -- "$1" | sed "s|^|$N: |"
done
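The script above only works for files that are vault-encrypted as a whole. Since Ansible 2.3 a YAML file can also carry individual values tagged `!vault`, and `ansible-vault view` refuses such a file with "input is not vault encrypted data", so a search that only looks for the ANSIBLE_VAULT header silently skips the secrets stored that way. The following is an added example, not code from the original post: it builds a constructed group_vars tree in the documented layout (plaintext vars.yml referencing a vault_ variable held in an encrypted vault.yml), classifies each file as a whole-file vault, an inline vault or plaintext, and only runs `ansible-vault view` on the first kind while reporting the second. The password file name `vpass`, the directory layout, the fake ciphertext bodies in `make_sample` and all function names are assumptions of this example.

```shell
#!/bin/bash
# Added example: classify vault-encrypted files under a vars directory and
# grep the decrypted text of whole-file vaults for a pattern.
# Assumptions (not from the original post): the vault password lives in
# ./vpass unless a third argument is given, and the directory defaults to
# group_vars/.
set -u

# Classify one file: "file" for a whole-file vault (header on line 1),
# "inline" for a YAML file containing !vault values, "plain" otherwise.
vault_kind() {
  local f=$1
  if head -n 1 "$f" | grep -q '^\$ANSIBLE_VAULT;'; then
    echo file
  elif grep -q '!vault' "$f"; then
    echo inline
  else
    echo plain
  fi
}

# List vault-encrypted files of either kind below a directory, one per line.
list_vaulted() {
  local dir=$1 f
  find "$dir" -type f | sort | while read -r f; do
    case $(vault_kind "$f") in
      file|inline) echo "$f" ;;
    esac
  done
}

# Decrypt each whole-file vault and grep it, prefixing hits with the file
# name. Inline vaults are only reported, because ansible-vault view rejects
# them; extract the indented block to its own file and use ansible-vault
# decrypt on that if you need the value.
vault_grep() {
  local pattern=$1 dir=${2:-group_vars} passfile=${3:-vpass} f
  list_vaulted "$dir" | while read -r f; do
    case $(vault_kind "$f") in
      file)
        ansible-vault view --vault-password-file "$passfile" "$f" \
          | grep -- "$pattern" | sed "s|^|$f: |"
        ;;
      inline)
        echo "$f: holds inline !vault values (not searched)" >&2
        ;;
    esac
  done
}

# Build a constructed sample tree in the documented layout so the functions
# can be exercised offline. The ciphertext bodies are placeholders, not real
# vault payloads, so only the classification can be tested without ansible.
make_sample() {
  local dir=$1
  mkdir -p "$dir/staging"
  cat > "$dir/staging/vars.yml" <<'EOF'
db_password: "{{ vault_db_password }}"
EOF
  cat > "$dir/staging/vault.yml" <<'EOF'
$ANSIBLE_VAULT;1.1;AES256
00000000000000000000000000000000000000000000000000000000000000000000
EOF
  cat > "$dir/staging/mixed.yml" <<'EOF'
api_key: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  00000000000000000000000000000000000000000000000000000000000000000000
EOF
}

# Usage: vaultgrep.sh PATTERN [DIR] [PASSFILE]
if [ "$#" -gt 0 ]; then
  vault_grep "$@"
else
  echo "usage: $0 PATTERN [DIR] [PASSFILE]" >&2
fi
```

Run it as `./vaultgrep.sh db_password` from the repository root; the plaintext hit in vars.yml comes from an ordinary grep, while the decrypted vault.yml line shows up with its file name prefixed. Keeping the password in a file rather than on the command line matters here too: an argument shows up in `ps` output and shell history, a file can be chmod 600.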

Now, go and refactor your vars so you don’t need to do this again.