DEV Community

Mikhail Salosin
Mikhail Salosin

Posted on

Easy migration to Ansible Vault id

To keep all our tokens secure we use the Ansible vault to encrypt them. Historically all files with secrets were encrypted with a single password instead of using a vault id and password file. This week we decided to migrate to vault id.

All files encrypted with a password and without vault id specified will have the header $ANSIBLE_VAULT;1.1;AES256. We can use grep to find all files with this header. To do that run

grep "\$ANSIBLE_VAULT;1.1;AES256" group_vars/**/*.yml
Enter fullscreen mode Exit fullscreen mode

Now we have a list of files that looks like that:

Enter fullscreen mode Exit fullscreen mode

Grep adds matched string at the end of every file. We can use the cut command to remove this part since we only need file names. cut -d: -f1 will leave only the file name.

And finally, we can use xargs to pass the file list to the ansible-vault rekey command to convert all encrypted files to encrypted files with vault id.

The full command will look like this:

grep "\$ANSIBLE_VAULT;1.1;AES256" group_vars/**/*.yml | cut -d: -f1 | xargs ansible-vault rekey --new-vault-id vaultID@vaultfile
Enter fullscreen mode Exit fullscreen mode

Top comments (0)