JSON option for ansible-vault encrypt_string #44829
Comments
jhg03a commented Aug 22, 2019
In case someone else stumbles across this, the above JSON output doesn't work in Ansible 2.8. It doesn't include the newline characters which are required. https://gist.github.com/sivel/6991a5abcfc41bb2872d5898213575eb. Generally JSON vault support needs better documentation.
sivel commented Aug 22, 2019
This hasn't been fully thought out, and I'm sure there is need for improvement, but this change would allow this behavior:
diff --git a/lib/ansible/cli/vault.py b/lib/ansible/cli/vault.py
index 1b4b69db90..0e37e86ba9 100644
--- a/lib/ansible/cli/vault.py
+++ b/lib/ansible/cli/vault.py
@@ -5,6 +5,7 @@
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
+import json
import os
import sys
@@ -14,6 +15,7 @@ from ansible.cli import CLI
from ansible.cli.arguments import option_helpers as opt_help
from ansible.errors import AnsibleOptionsError
from ansible.module_utils._text import to_text, to_bytes
+from ansible.parsing.ajson import AnsibleJSONEncoder
from ansible.parsing.dataloader import DataLoader
from ansible.parsing.vault import VaultEditor, VaultLib, match_encrypt_secret
from ansible.utils.display import Display
@@ -105,6 +107,8 @@ class VaultCLI(CLI):
enc_str_parser.add_argument('--stdin-name', dest='encrypt_string_stdin_name',
default=None,
help="Specify the variable name for stdin")
+ enc_str_parser.add_argument('--json', dest='json', action='store_true',
+ help="Output in JSON format instead of the default YAML")
rekey_parser = subparsers.add_parser('rekey', help='Re-key a vault encrypted file', parents=[common, vault_id])
rekey_parser.set_defaults(func=self.execute_rekey)
@@ -358,7 +362,7 @@ class VaultCLI(CLI):
# TODO: specify vault_id per string?
# Format the encrypted strings and any corresponding stderr output
- outputs = self._format_output_vault_strings(b_plaintext_list, vault_id=self.encrypt_vault_id)
+ outputs = self._format_output_vault_strings(b_plaintext_list, vault_id=self.encrypt_vault_id, _json=context.CLIARGS['json'])
for output in outputs:
err = output.get('err', None)
@@ -372,7 +376,7 @@ class VaultCLI(CLI):
# TODO: offer block or string ala eyaml
- def _format_output_vault_strings(self, b_plaintext_list, vault_id=None):
+ def _format_output_vault_strings(self, b_plaintext_list, vault_id=None, _json=True):
# If we are only showing one item in the output, we don't need to included commented
# delimiters in the text
show_delimiter = False
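Review bot: The `_json=True` default on `_format_output_vault_strings` is the opposite of the CLI default. `--json` is a `store_true` option, so the command line defaults to YAML, but any caller that does not pass `_json` now gets JSON. Make the default `_json=False` so callers that omit the argument keep the YAML output.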
@@ -393,7 +397,20 @@ class VaultCLI(CLI):
vault_id=vault_id)
# block formatting
- yaml_text = self.format_ciphertext_yaml(b_ciphertext, name=name)
+ if _json:
+ out = json.dumps(
+ {
+ name: {
+ '__ansible_vault': (
+ to_text(b_ciphertext, errors='surrogate_or_strict')
+ )
+ }
+ },
+ indent=4,
+ cls=AnsibleJSONEncoder
+ )
+ else:
+ out = self.format_ciphertext_yaml(b_ciphertext, name=name)
err_msg = None
if show_delimiter:
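Review bot: In the `if _json:` branch, `name` is used as the object key with no check for a missing name. If `name` can be None (the `--stdin-name` default above is None), `json.dumps` serializes the key as "null", so an unnamed string would come out under a "null" key; handle that case explicitly. Each string is also dumped as its own top-level object and appended to `output` separately, so several inputs give several concatenated documents rather than one parseable JSON value; collecting the entries into one dict and dumping once would avoid that. `cls=AnsibleJSONEncoder` does nothing here, because the `__ansible_vault` wrapper is built by hand from plain text.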
@@ -402,7 +419,7 @@ class VaultCLI(CLI):
err_msg = '# The encrypted version of variable ("%s", the string #%d from %s).\n' % (name, human_index, src)
else:
err_msg = '# The encrypted version of the string #%d from %s.)\n' % (human_index, src)
- output.append({'out': yaml_text, 'err': err_msg})
+ output.append({'out': out, 'err': err_msg})
return output
jhg03a commented Aug 23, 2019
I don't think it's just making ansible-vault be able to output it (still a nice thing though); it's also a general documentation update too that this is a supported thing and not just a strange accident.
AlanCoding commented Aug 23, 2019
I wouldn't call the implementation in
a strange accident. Since it's only outputting a single value, this is a perfectly good way to do it. This means of representing Ansible internal types in JSON has been rolled out in several other places, and has been relatively effective in the use cases it supports.
jhg03a commented Aug 27, 2019
I wouldn't say the implementation is an accident, but rather that json support for ansible-vault encrypted strings in general is something that should be generally supported since it's not present in the variables documentation.
AlanCoding commented
Aug 29, 2018
SUMMARY
An additional step is necessary to produce encrypted variables in either JSON or universally-readable YAML. This could be eliminated with a --json option to ansible-vault encrypt_string CLI.
ISSUE TYPE
COMPONENT NAME
ansible-vault encrypt_string
ANSIBLE VERSION
CONFIGURATION
Defaults
OS / ENVIRONMENT
Mac OS, local actions
STEPS TO REPRODUCE
The objective is to produce hostvars with encrypted variables. This can be done today, but if it is to go through a 3rd party system, manual manipulation is needed.
For more details on this manual manipulation, see steps in:
ansible/awx#223 (comment)
ansible-vault encrypt_string "my secr3tz" --name=secret_var_name --vault-id=alan@prompt
EXPECTED RESULTS
should yield
ACTUAL RESULTS
This is a feature request, there is no --json option.
Note: ansible-inventory gives JSON by default and accepts a --yaml flag. This would still be a little bit of a pattern break, but the intent here is to satisfy users who will run the ansible-vault command manually, so as long as the option is there that will be fine.
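The manual step this issue asks to eliminate, as an added example (not code from the issue, the patch, or Ansible): it converts the YAML printed by ansible-vault encrypt_string into the __ansible_vault JSON form used in the patch above, keeping the line breaks that the first comment says are required. The sample input is constructed, with placeholder hex instead of real ciphertext, and the function names are hypothetical.

```python
import json
import re
import textwrap

# Constructed sample of encrypt_string YAML output; hex is placeholder text.
SAMPLE_YAML = """\
secret_var_name: !vault |
          $ANSIBLE_VAULT;1.2;AES256;alan
          61626364656667686970
          30313233343536373839
"""

KEY_RE = re.compile(r"^(?P<name>[^\s:#][^:]*):\s*!vault\s*\|\s*$")
HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];\w+(;[^;\s]+)?$")
HEX_RE = re.compile(r"^[0-9a-f]+$")


def _store(result, name, block):
    """Validate one block scalar and store it under its variable name."""
    lines = textwrap.dedent("\n".join(block)).strip("\n").split("\n")
    if not HEADER_RE.match(lines[0]):
        raise ValueError("%s: no $ANSIBLE_VAULT header line" % name)
    if len(lines) < 2 or not all(HEX_RE.match(l) for l in lines[1:]):
        raise ValueError("%s: body is not hex ciphertext lines" % name)
    # Keep header and body on separate lines, as the "|" scalar would.
    result[name] = {"__ansible_vault": "\n".join(lines) + "\n"}


def vault_yaml_to_json(yaml_text):
    """Return JSON text holding every 'name: !vault |' block in yaml_text."""
    result, name, block = {}, None, []
    for line in yaml_text.splitlines():
        match = KEY_RE.match(line)
        if match:
            if name is not None:
                _store(result, name, block)
            name, block = match.group("name").strip(), []
        elif name is not None and (line.startswith(" ") or not line.strip()):
            block.append(line)
        elif line.strip() and not line.lstrip().startswith("#"):
            raise ValueError("unexpected line: %r" % line)
    if name is not None:
        _store(result, name, block)
    return json.dumps(result, indent=4)


if __name__ == "__main__":
    print(vault_yaml_to_json(SAMPLE_YAML))
```

All variables land in one top-level object, so the result is a single parseable JSON document even when several strings were encrypted.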