tomoh1r / ansible-vault

This project aims to R/W an ansible-vault yaml file
GNU General Public License v3.0

Vault ID Support #30

Open nbonavia opened 5 years ago

nbonavia commented 5 years ago

I have been trying to decrypt ansible-vault encrypted strings with Python, but I could not find much documentation when it comes to using vault ids. I tried to create a vault with the latest version of ansible-vault:

ansible-vault 2.8.6
  config file = None
  configured module search path = ['/home/neville/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/neville/.pyenv/versions/3.7.4/lib/python3.7/site-packages/ansible
  executable location = /home/neville/.pyenv/versions/3.7.4/bin/ansible-vault
  python version = 3.7.4 (default, Sep  8 2019, 10:28:23) [GCC 8.3.0]

but I could not find examples of how to set up the Vault Id when you decode the ansible_vault part, and when I tried to use Vault("password"), I got an error that no secrets were found. Can someone provide some snippets that will help me decrypt the below string?

Note: I used 'password' for the vault password
ansible-vault encrypt_string --vault-id test_vault@prompt
New vault password (test_vault): 
Confirm new vault password (test_vault): 
Reading plaintext input from stdin. (ctrl-d to end input)
Hello World
!vault |
          $ANSIBLE_VAULT;1.2;AES256;test_vault
          65336466616237373839383838383633646266656235336665626633626337376334663564353637
          6237303233376162656461336537336335616565316535650a613731653162366239623739386234
          64663838393235303463363063363761343435343134333739616366376663316337313764346265
          3332356164373533610a636261366337643566326362663733393131623661383632373666316166
          3135
Encryption successful

life5ign commented 3 years ago

I've also been using ansible-vault (this package) in Python, with a vault password that has an id. I encrypt with just the password, i.e. vault = Vault('password') (I don't see the option to enter a vault id). When I try to decrypt later in a playbook, with the password, both with and without specifying the vault id, I get Decryption failed (no vault secrets were found that could decrypt)

With the -vvvv option, ansible-vault decrypt gives Error: HMAC verification failed: Signature did not match digest.
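
An added example, not part of the original issue and not this project's code: standard-library Python that parses the vault string posted above and runs the HMAC comparison that `ansible-vault` reports as "HMAC verification failed" when it does not match. The function names are hypothetical, and the layout (hex-wrapped salt, HMAC and ciphertext; PBKDF2-HMAC-SHA256 with 10000 iterations and 80 bytes of output) is assumed to be Ansible's AES256 vault format, in which the vault-id label in the header takes no part in key derivation or the HMAC.

```python
import binascii
import hashlib
import hmac

# Vault string copied from the issue above (password stated there: 'password').
VAULT_TEXT = """$ANSIBLE_VAULT;1.2;AES256;test_vault
65336466616237373839383838383633646266656235336665626633626337376334663564353637
6237303233376162656461336537336335616565316535650a613731653162366239623739386234
64663838393235303463363063363761343435343134333739616366376663316337313764346265
3332356164373533610a636261366337643566326362663733393131623661383632373666316166
3135
"""


def parse_envelope(text):
    """Split a vault string into header fields, salt, HMAC and ciphertext."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    fields = lines[0].split(";")
    if fields[0] != "$ANSIBLE_VAULT" or len(fields) < 3:
        raise ValueError("not an Ansible vault header")
    # Body is hex of: hex(salt) \n hex(hmac) \n hex(ciphertext)
    inner = binascii.unhexlify("".join(lines[1:]))
    salt, mac, ciphertext = (binascii.unhexlify(p) for p in inner.split(b"\n", 2))
    return {
        "version": fields[1],
        "cipher": fields[2],
        # Format 1.2 adds the vault-id label; 1.1 headers have no fourth field.
        "vault_id": fields[3] if len(fields) > 3 else None,
        "salt": salt, "mac": mac, "ciphertext": ciphertext,
    }


def expected_mac(password, salt, ciphertext):
    """HMAC-SHA256 over the ciphertext; the vault-id label is not an input."""
    # Assumed layout: PBKDF2-HMAC-SHA256, 10000 rounds -> AES key | HMAC key | IV
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10000, dklen=80)
    return hmac.new(derived[32:64], ciphertext, hashlib.sha256).digest()


def password_matches(password, env):
    """True when the password reproduces the stored HMAC (constant-time compare)."""
    return hmac.compare_digest(
        expected_mac(password, env["salt"], env["ciphertext"]), env["mac"])


if __name__ == "__main__":
    env = parse_envelope(VAULT_TEXT)
    print(env["version"], env["cipher"], env["vault_id"])
    print("HMAC matches 'password':", password_matches("password", env))
```

A `False` result from `password_matches` means the supplied password (or the salt and ciphertext it is checked against) differs from what was used at encryption time, independent of which vault-id label is passed.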