Vault password file

  1. Modify the users.yml playbook into users_vault.yml; the password is taken from the vault-encrypted password table pwlist.yml, where the password variable is devpw:
    [deyu1@kvm19 ansible]$ vim users_vault.yml 
    [deyu1@kvm19 ansible]$ cat users_vault.yml 
    ---
    - name: Create users with Valut
      hosts: dev
      vars_files: pwlist.yml 
      tasks:
      - name: Ensure group "sharegrp" exists
        group:
          name: sharegrp
          state: present
      - name: Add user 'james'
        user:
          name: james
          groups: sharegrp
          password: "{{ devpw | password_hash('sha512') }}"
    
  2. Run the users_vault.yml playbook with ansible-playbook, adding the --ask-vault-pass option so the vault password is typed in manually to decrypt pwlist.yml.
    [deyu1@kvm19 ansible]$ ansible-playbook users_vault.yml --ask-vault-pass
    Vault password: 
    
    PLAY [Create users with Valut] *************************************************
    
    TASK [Gathering Facts] *********************************************************
    ok: [kvm11]
    
    TASK [Ensure group "sharegrp" exists] ******************************************
    ok: [kvm11]
    
    TASK [Add user 'james'] ********************************************************
    changed: [kvm11]
    
    PLAY RECAP *********************************************************************
    kvm11 : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
    
  3. Run the users_vault.yml playbook with ansible-playbook, adding the --vault-password-file option to specify a password file that decrypts pwlist.yml.
    [deyu1@kvm19 ansible]$ ansible-playbook users_vault.yml --vault-password-file password.txt 
    
    PLAY [Create users with Valut] *************************************************
    
    TASK [Gathering Facts] *********************************************************
    ok: [kvm11]
    
    TASK [Ensure group "sharegrp" exists] ******************************************
    ok: [kvm11]
    
    TASK [Add user 'james'] ********************************************************
    changed: [kvm11]
    
    PLAY RECAP *********************************************************************
    kvm11 : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
    
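  Steps 1 and 3 rely on two files whose state decides whether the secret stays protected: pwlist.yml must actually be vault-encrypted (a plaintext pwlist.yml would be committed and shipped as-is), and password.txt, which unlocks the vault, must not be readable by other accounts on the control node. The pre-flight helpers below are an added example written for this page, not part of Ansible or of the original notes; they assume GNU find (for -perm /mode) and construct their own sample files in a temporary directory, with the ciphertext body of the sample vault file replaced by a placeholder line.

```shell
#!/bin/sh
# Added pre-flight checks for the two Ansible Vault inputs used in this tutorial:
# the encrypted vars file (pwlist.yml) and the password file given to
# --vault-password-file. Example helpers written for this page, not Ansible code.

# A file produced by `ansible-vault encrypt` starts with a header line of the
# form "$ANSIBLE_VAULT;<version>;<cipher>", e.g. "$ANSIBLE_VAULT;1.1;AES256".
# Return 0 if the file carries that header, 1 otherwise (or if it is missing).
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# The vault password file is itself a secret: treat it as unsafe if any
# group/other permission bit (mask 077) is set. Return 0 only when private.
password_file_is_private() {
    [ -f "$1" ] || return 1
    # GNU find: -perm /077 matches when ANY of the group/other bits is set,
    # so an empty result means mode 600/400 style permissions.
    [ -z "$(find "$1" -maxdepth 0 -perm /077 2>/dev/null)" ]
}

# Run both checks; print the reason and return non-zero so a wrapper around
# ansible-playbook can stop before anything is decrypted.
preflight() {
    vars_file=$1
    pw_file=$2
    if ! is_vault_encrypted "$vars_file"; then
        echo "refusing: $vars_file is not vault-encrypted (plaintext secrets?)" >&2
        return 1
    fi
    if ! password_file_is_private "$pw_file"; then
        echo "refusing: $pw_file is readable by group/others; chmod 600 it" >&2
        return 1
    fi
    return 0
}

# Demo on constructed files (hypothetical content, built here for illustration).
demo() {
    d=$(mktemp -d)
    # constructed stand-in for an encrypted pwlist.yml: real header, placeholder body
    printf '$ANSIBLE_VAULT;1.1;AES256\n00000000\n' > "$d/pwlist.yml"
    # constructed plaintext vars file that must be rejected
    printf 'devpw: example-placeholder\n' > "$d/pwlist_plain.yml"
    printf 'example-vault-password\n' > "$d/password.txt"
    chmod 600 "$d/password.txt"

    if preflight "$d/pwlist.yml" "$d/password.txt"; then
        echo "ok: safe to run ansible-playbook users_vault.yml --vault-password-file password.txt"
    fi
    preflight "$d/pwlist_plain.yml" "$d/password.txt" || echo "blocked: plaintext vars file"
    chmod 644 "$d/password.txt"
    preflight "$d/pwlist.yml" "$d/password.txt" || echo "blocked: exposed password file"
    rm -rf "$d"
}

demo
```

  Wrapping the ansible-playbook call of step 3 in preflight turns "the password file happens to be chmod 600" into a checked precondition; the header test is also a cheap way to catch a pwlist.yml that was edited with a plain editor and saved unencrypted.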
  4. Log in to james@kvm11 with the password '123qwe'; the login succeeds.
    [deyu1@kvm19 ansible]$ ssh james@kvm11
    james@kvm11's password: 
    Last login: Tue Mar 17 08:25:36 2020 from 192.168.122.19
    
  5. Log out of james@kvm11.
    [james@kvm11 ~]$ exit
    logout
    Connection to kvm11 closed.