archive
/
ansible
mirror of https://github.com/ansible/ansible.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Remove misleading statement passwords must be same (#49798)

Browse Source 
* Remove misleading statement passwords must be same

Since 2.4 Ansible has supported multiple vault passwords:
<https://docs.ansible.com/ansible/latest/user_guide/vault.html#multiple-vault-passwords>

Meaning lines like the following are misleading:

> The password used with vault currently must be the same for all files you wish
> to use together at the same time.

-- `docs/docsite/rst/user_guide/vault.rst`

To demonstrate this with Ansible 2.7, save the following as `example.yaml`:

```
- name: Display output from two vaults with different passwords
  hosts: localhost
  connection: local
  vars_files: [one.yaml, two.yaml]
  tasks:
    - name: View secret from one.yaml vault
      debug: { var: one }
    - name: View secret from two.yaml vault
      debug: { var: two }
```

Then run the three following commands choosing two different passwords:

```
$ echo 'one: 1' | ansible-vault encrypt --vault-id id1@prompt --output=one.yaml
$ echo 'two: 2' | ansible-vault encrypt --vault-id id2@prompt --output=two.yaml
$ ansible-playbook --vault-id id1@prompt --vault-id id2@prompt example.yaml
```

`ansible-vault` stores an ID in plain text in the vault file.

* Remove note about default in Ansible 2.1

As requested by gundalow in https://github.com/ansible/ansible/pull/49798
pull/47215/head
Keith Maxwell 5 years ago committed by Sandra McCann
parent 2e1dd27703
commit 7fbacf920d
2 changed files with 1 additions and 5 deletions
Show Stats Download Patch File Download Diff File

4
docs/docsite/rst/user_guide/vault.rst
Unescape Escape View File

@ -38,9 +38,7 @@ To create a new encrypted data file, run the following command:
ansible-vault create foo.yml
First you will be prompted for a password. The password used with vault currently must be the same for all files you wish to use together at the same time.
After providing a password, the tool will launch whatever editor you have defined with $EDITOR, and defaults to vi (before 2.1 the default was vim). Once you are done with the editor session, the file will be saved as encrypted data.
First you will be prompted for a password. After providing a password, the tool will launch whatever editor you have defined with $EDITOR, and defaults to vi. Once you are done with the editor session, the file will be saved as encrypted data.
The default cipher is AES (which is shared-secret based).

2
lib/ansible/cli/vault.py
Unescape Escape View File

@ -30,8 +30,6 @@ class VaultCLI(CLI):
Because Ansible tasks, handlers, and other objects are data, these can also be encrypted with vault.
If you'd like to not expose what variables you are using, you can keep an individual task file entirely encrypted.
The password used with vault currently must be the same for all files you wish to use together at the same time.
'''
VALID_ACTIONS = frozenset(("create", "decrypt", "edit", "encrypt", "encrypt_string", "rekey", "view"))

Write Preview
Loading…
Cancel
Save