It's great to see you checking out other topics! I hope you have made it through all four of the labs.
You will have seen our playbooks point to an Ansible Vault file. This is the snippet the playbooks use to do that:
vars_files:
  - ~/clus2023-devwks-2008/vaults/ciscolive.vault
What does this do?
vars_files tells the Ansible playbook to load variables from the listed files. The variables in those files can be vault-encrypted or in the clear; Ansible does not care which, as long as it is given the vault password (for example with --ask-vault-pass or --vault-password-file) for the encrypted ones.
- Assure No Cleartext Passwords Exist
- View the Playbook
- Assure the Ansible Vault File Exists
- View the Encrypted File
- View the Encrypted File's Contents in Cleartext
In this step we will check the inventory files to make sure they do not contain the IOS XE username and password in the clear. We will check all three inventory files.
cat inventories/cat9300-a.yaml
cat inventories/cat9300-b.yaml
cat inventories/devnet-switches.yaml
Now we know the username and password do not exist in the clear in the inventories. Next we will cat the playbook and find the vars_files line that points to the Ansible Vault file containing the encrypted username and password.
cat playbooks/01b-config-hard-https.yaml
Let's just verify that a file with the correct name exists.
ls -l vaults/ciscolive.vault
Please note the top line of the output of the next command. The header $ANSIBLE_VAULT;1.1;AES256 tells us this is an Ansible Vault file, written in vault format version 1.1, and encrypted with AES-256 (AES in CTR mode with an HMAC-SHA256 over the ciphertext, the keys being derived from the vault password with PBKDF2). The remaining lines are the hex-encoded ciphertext: nothing about the variables, not even their names, is readable without the vault password.
cat vaults/ciscolive.vault
In this step we will decrypt the contents on the fly for viewing. ansible-vault view only decrypts into your terminal and leaves the file on disk encrypted (unlike ansible-vault decrypt, which rewrites the file in cleartext). Be aware: if you log the contents of your SSH session, you will log the cleartext password!
The Vault password is abcd9876
ansible-vault view vaults/ciscolive.vault
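The checks above (no cleartext credentials in the inventories, a real Ansible Vault header on the vault file) are easy to turn into a script you can run before every commit. The following is an added example, not a file from the lab: it builds a throwaway directory with constructed sample inventories and a dummy vault file (the host names, addresses and the hex body are made up), then runs the two checks against them. The function names and the set of credential keys it looks for are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the Cisco Live lab files: pre-commit style checks
# for an Ansible project that keeps device credentials in an Ansible Vault.
# The inventory and vault files created below are constructed for the demo;
# hosts, addresses and the "ciphertext" are made up, not real lab data.

# Print every line in the given files that assigns a credential-looking
# variable (…pass, …password, …secret, …token) in the clear. Lines whose value
# is an inline "!vault" blob are encrypted and are therefore ignored.
# Exit status follows grep: 0 if cleartext was found, 1 if not.
# /dev/null is appended so grep always prefixes the file name.
find_cleartext_secrets() {
  grep -En '^[[:space:]]*[A-Za-z0-9_]*(pass|password|secret|token)[[:space:]]*:' "$@" /dev/null \
    | grep -Ev ':[[:space:]]*!vault([[:space:]]|$)'
}

# Return 0 only if none of the given inventory files leak a credential.
inventory_is_clean() {
  if find_cleartext_secrets "$@" >/dev/null; then
    return 1
  fi
  return 0
}

# Return 0 if FILE starts with an Ansible Vault header. Format 1.1 is the
# plain encrypted file; 1.2 carries a vault-id label as a fourth field.
vault_header_ok() {
  [ -r "$1" ] && head -n 1 "$1" | grep -Eq '^\$ANSIBLE_VAULT;1\.[12];AES256(;[^;]+)?$'
}

# Print the vault format version from the header, e.g. "1.1".
vault_header_version() {
  head -n 1 "$1" | cut -d';' -f2
}

# Print a one-line verdict per inventory file.
report() {
  for f in "$@"; do
    if inventory_is_clean "$f"; then
      echo "OK    $f: no cleartext credentials"
    else
      echo "FAIL  $f: cleartext credentials found:"
      find_cleartext_secrets "$f" | sed 's/^/        /'
    fi
  done
}

# ---- constructed sample data (hypothetical, for the demo only) -------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Inventory in the shape the lab expects: connection details, no credentials.
cat > "$demo_dir/cat9300-a.yaml" <<'EOF'
all:
  hosts:
    cat9300-a:
      ansible_host: 192.0.2.11
      ansible_network_os: cisco.ios.ios
      ansible_connection: ansible.netcommon.network_cli
EOF

# What the check must catch: a cleartext password. The inline-vaulted
# become password on the next key must NOT be flagged.
cat > "$demo_dir/cat9300-bad.yaml" <<'EOF'
all:
  hosts:
    cat9300-b:
      ansible_host: 192.0.2.12
      ansible_user: admin
      ansible_password: NotSoSecret123
      ansible_become_password: !vault |
        $ANSIBLE_VAULT;1.1;AES256
        30313233343536373839
EOF

# A vault file with a valid header and a dummy (non-decryptable) hex body.
printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' \
  '30303030303030303030303030303030303030303030303030303030303030303030303030303030' \
  > "$demo_dir/ciscolive.vault"

report "$demo_dir/cat9300-a.yaml" "$demo_dir/cat9300-bad.yaml"
if vault_header_ok "$demo_dir/ciscolive.vault"; then
  echo "OK    ciscolive.vault: Ansible Vault format $(vault_header_version "$demo_dir/ciscolive.vault") header present"
else
  echo "FAIL  ciscolive.vault: not an Ansible Vault file"
fi
```

In a real repository you would point report and vault_header_ok at inventories/*.yaml and vaults/ciscolive.vault and exit non-zero on any FAIL, for example from a git pre-commit hook. The !vault exclusion matters because ansible-vault encrypt_string produces exactly that inline form, which is safe to commit and should not trip the check.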