Ansible Vault: A Guide to Securing Secrets and Managing Passwords in Automation - Part 2
6. Document Vault Password Location
# README.md
## Vault Passwords
- **Development**: Stored in 1Password vault "Ansible Dev"
- **Staging**: Stored in AWS Secrets Manager `ansible/staging`
- **Production**: Stored in HashiCorp Vault `secret/ansible/prod`
Contact: devops@example.com for access
7. Use Vault IDs for Multiple Environments
# Development
ansible-playbook site.yml --vault-id dev@prompt
# Production
ansible-playbook site.yml --vault-id prod@~/.vault_passwords/prod.txt
Troubleshooting
Error 1: Decryption Failed
ERROR! Decryption failed (no vault secrets were found that could decrypt)
Cause: wrong vault password
Solution:
# Verify the password by viewing the file
ansible-vault view vars/secrets.yml
# If the password has been forgotten, it cannot be recovered!
# The file has to be created anew
Error 2: File Is Not Encrypted
ERROR! vars/secrets.yml is not encrypted
Solution:
ansible-vault encrypt vars/secrets.yml
Error 3: Multiple Vault IDs Not Found
ERROR! Attempted to get a vault password by ID (prod) but no vault password was found for that ID
Solution:
# Ensure vault ID exists
ansible-playbook site.yml \
--vault-id dev@~/.vault_passwords/dev.txt \
--vault-id prod@~/.vault_passwords/prod.txt
Integration with CI/CD
GitLab CI
# .gitlab-ci.yml
deploy:
  stage: deploy
  script:
    - echo "$VAULT_PASSWORD" > .vault_pass
    - chmod 600 .vault_pass
    - ansible-playbook deploy.yml --vault-password-file .vault_pass
  after_script:
    - rm -f .vault_pass # Cleanup
  only:
    - main
GitLab CI/CD Variables:
VAULT_PASSWORD = your vault password (masked)
GitHub Actions
# .github/workflows/deploy.yml
name: Deploy
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Setup Ansible
        run: pip install ansible
      - name: Create vault password file
        run: echo "${{ secrets.VAULT_PASSWORD }}" > .vault_pass
      - name: Run playbook
        run: ansible-playbook deploy.yml --vault-password-file .vault_pass
      - name: Cleanup
        if: always()
        run: rm -f .vault_pass
GitHub Secrets:
VAULT_PASSWORD = your vault password
Jenkins
// Jenkinsfile
pipeline {
    agent any
    environment {
        VAULT_PASS = credentials('ansible-vault-password')
    }
    stages {
        stage('Deploy') {
            steps {
                sh '''
                    echo "$VAULT_PASS" > .vault_pass
                    chmod 600 .vault_pass
                    ansible-playbook deploy.yml --vault-password-file .vault_pass
                '''
            }
            post {
                // Runs even when the playbook fails, so the password file
                // never outlives the build (matches after_script / if: always()).
                always {
                    sh 'rm -f .vault_pass'
                }
            }
        }
    }
}
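The three CI jobs above all write the password to .vault_pass and delete it afterwards; the helper below is an added example, not from the original article, that keeps the secret off the runner's disk by letting Ansible read it from the script's stdout, and it folds in a pre-deploy check for Error 2 (a secrets file left unencrypted). It assumes the CI job exports one variable per vault ID (VAULT_PASSWORD_DEV, VAULT_PASSWORD_PROD, constructed names) and that the file is saved as vault-client.sh, the -client suffix being what makes Ansible call it with --vault-id <id>.

```shell
#!/usr/bin/env sh
# Added example, not from the original article. Assumptions: the CI job
# exports one variable per vault ID (VAULT_PASSWORD_DEV, VAULT_PASSWORD_PROD)
# and this file is saved as vault-client.sh, so Ansible treats it as a vault
# password client and runs it as:  vault-client.sh --vault-id <id>

# Print the password for a vault ID, read from VAULT_PASSWORD_<ID>. It goes
# to Ansible on stdout and never touches the runner's disk: no .vault_pass
# to chmod, nothing left behind if the cleanup step is skipped.
vault_pass_for_id() {
    id=$1
    case "$id" in
        ''|*[!A-Za-z0-9_]*) printf 'invalid vault id: %s\n' "$id" >&2; return 1 ;;
    esac
    var="VAULT_PASSWORD_$(printf '%s' "$id" | tr '[:lower:]' '[:upper:]')"
    eval "val=\${$var:-}"   # safe: the id was restricted to [A-Za-z0-9_]
    if [ -z "$val" ]; then
        printf '%s is not set for vault id %s\n' "$var" "$id" >&2
        return 1
    fi
    printf '%s\n' "$val"
}

# Succeed only if the file starts with an Ansible Vault header
# ($ANSIBLE_VAULT;1.1;AES256, or the 1.2 form that also names the vault ID).
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# Pre-deploy gate for "ERROR! ... is not encrypted": name every plaintext
# file in the list and fail if there is at least one.
check_all_encrypted() {
    rc=0
    for f in "$@"; do
        if ! is_vault_encrypted "$f"; then
            printf 'NOT ENCRYPTED: %s\n' "$f" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage:
#   ansible-playbook site.yml --vault-id prod@./vault-client.sh
#   ./vault-client.sh check vars/secrets.yml
case "${1:-}" in
    --vault-id) vault_pass_for_id "${2:-}" ;;
    check)      shift; check_all_encrypted "$@" ;;
esac
```

Mark the file executable (chmod +x) before pointing --vault-id at it; Ansible only runs a password file that is executable and otherwise reads its contents as the password itself.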