# How to pass ansible vault encrypted certificate to playbook?
I think there are 3 options in this case:
- use a vault-encrypted string in your playbook
- use an extra variables file that is encrypted via ansible-vault
- encrypt the whole playbook via ansible-vault
I usually just use encrypted strings. It is explained pretty well in the official documentation. https://docs.ansible.com/ansible/latest/vault_guide/vault_encrypting_content.html
Thanks. However, the netapp ansible doc shows:
cert_filepath string
path to SSL client cert file (.pem).
So it's expecting a path to a certificate. You cannot pass an encrypted string to it, can you?
I guess you are correct. I must admit I never used cert auth with the ontap module. Sorry for the confusion. 🤦♂️
Ha, no issue. I worked around it by temporarily decrypting the certs to temp files, using them and then removing them.
I know it's been a minute since you resolved this for yourself (a year, hot damn), but would you mind providing an example of what you did? I'm staring down the same barrel right now 🙂
Have not visited Discord for a little while. It's relatively straightforward: put the encrypted pem/key somewhere, and before running tasks, decrypt it to a temp file and supply it to the login.
- name: Decrypt the key
  connection: local
  ansible.builtin.shell: |
    /usr/local/bin/ansible-vault decrypt "{{ encrypted_key }}" --output "{{ ansible_key }}"
  tags: always
{{ ansible_key }} is a temp file. Same for pem.
Then set login:
- name: set the login
  set_fact:
    login: &login
      hostname: "{{ hostname }}"
      https: true
      validate_certs: false
      cert_filepath: "{{ ansible_pem }}"
      key_filepath: "{{ ansible_key }}"
  tags: always
After you're done, remove the temp files.
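As an added example (not the poster's code), here is the same decrypt/use/remove flow as one self-contained play. It assumes the vault-encrypted pem/key live at the paths under vars and that the ONTAP host comes in as hostname; it swaps the ansible-vault shell-out for ansible.builtin.copy, which decrypts vault-encrypted source files itself using the password already given to ansible-playbook, and wraps the tasks in block/always so the temp files are removed even when a task fails.

```yaml
- name: ONTAP cert auth with a vault-encrypted client cert and key
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    # Assumed: these two files were encrypted with `ansible-vault encrypt`
    encrypted_pem: files/client.pem
    encrypted_key: files/client.key
    hostname: cluster.example.internal   # assumed placeholder
  tasks:
    - name: Decrypt, use, then always remove the temporary files
      block:
        - name: Create private temp files (tempfile uses mkstemp, mode 0600)
          ansible.builtin.tempfile:
            state: file
            suffix: ".{{ item }}"
          loop: [pem, key]
          register: tmp

        - name: Write decrypted cert and key into the temp files
          # copy decrypts vault-encrypted src files (decrypt: true is the default),
          # so the vault password given to ansible-playbook is reused here
          ansible.builtin.copy:
            src: "{{ item.src }}"
            dest: "{{ item.dest }}"
            mode: "0600"
          loop:
            - { src: "{{ encrypted_pem }}", dest: "{{ tmp.results[0].path }}" }
            - { src: "{{ encrypted_key }}", dest: "{{ tmp.results[1].path }}" }
          no_log: true   # keep decrypted content out of the play output

        - name: Set the login (same shape as the poster's &login anchor)
          ansible.builtin.set_fact:
            login: &login
              hostname: "{{ hostname }}"
              https: true
              validate_certs: true   # keep TLS verification on
              cert_filepath: "{{ tmp.results[0].path }}"
              key_filepath: "{{ tmp.results[1].path }}"

        - name: Example call that authenticates with the decrypted cert
          netapp.ontap.na_ontap_info:
            <<: *login
            gather_subset: [volume_info]
      always:
        - name: Remove the decrypted files even if an earlier task failed
          ansible.builtin.file:
            path: "{{ item.path }}"
            state: absent
          loop: "{{ tmp.results | default([]) }}"
```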