Easily view ansible-vault secrets with yq

As you probably know, ansible-vault is a good way to keep your secrets...secret.

There are at least two ways to handle vault secrets in your Ansible roles:

- Put them in a separate file, such as 'secrets.yml', and encrypt the whole file. This makes it easy to encrypt/decrypt as needed, but hides the variable names as well as the values.
- Encrypt each secret in-line (ansible-vault encrypt_string). This reveals the variable names, but makes it a bit of a pain to decrypt an individual secret.

For this site, we've chosen the latter approach. So how best to decrypt individual secrets? Let's try yq!

OK, but what's "yq"?

In the words of its developer, yq is "a lightweight and portable command-line YAML processor." As you may have guessed from the name, it is inspired by jq. Be aware that two unrelated tools go by this name: Mike Farah's Go implementation (the one quoted here) and kislyuk's Python jq wrapper. Both accept the jq-style path expression used below, but older releases of the Go version used a different command syntax (yq r file path), so check what yq --version reports before copying the command.

For example

Given the defaults file as below:

cat grafana/defaults/main.yml

grafana_admin_pass: !vault |
                            $ANSIBLE_VAULT;1.2;AES256;mir
                            34643432656563306237616661336566646362316632636561326532303662303635323336336461
                            3639663532313635373161316132656434393763373964390a343462326466336138663734393630
                            65633633353032613632313730656463383237616230393532656230316161623333633234666364
                            6435366464306161300a656261323733326432396638623264333633366339353362316532633836
                            64393737303039326530373431623433326161316564646631393439663639383734643934666536
                            6337646663393136383237306461376535316663373965666539

You can decrypt the secret by selecting the value with yq and piping it straight into ansible-vault:

cat grafana/defaults/main.yml | yq -r ".grafana_admin_pass" | ansible-vault decrypt

With no file argument, ansible-vault reads the vault text from stdin and writes the plaintext to stdout; it still prompts for the vault password on the terminal. Because this blob carries the vault ID "mir", you can pass --vault-id mir@prompt (or --vault-id mir@/path/to/passfile, or --vault-password-file) to match it to the right password or to skip the prompt. The "Decryption successful" line goes to stderr, so only the secret itself lands on stdout; bear in mind that it also lands in your terminal scrollback.

Which returns:

Decryption successful
6C0F6611-62D7-43E6-B0DD-1E174A3329E7
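If yq is not installed on the box, the same job can be done with awk, and it is worth checking that what you extracted really is a vault blob before it reaches ansible-vault. The following is an added example written for this post, not the post's own command or anything from the Ansible project. It assumes the key is followed by "!vault |" on one line, that the encrypted body contains no blank lines (true for ansible-vault output), and that ansible-vault is on PATH when the final function is actually run; the sample vars file is constructed here and its vault body is placeholder hex that parses but cannot be decrypted.

```sh
#!/bin/sh
# Added example (not from the original post): pull an inline `!vault |` block
# scalar out of an Ansible vars file with awk instead of yq, sanity-check the
# vault header, and only then hand it to `ansible-vault decrypt`.
# Assumptions: the key is a scalar key followed by "!vault |", the encrypted
# body has no blank lines, and `ansible-vault` is on PATH when
# decrypt_inline_secret is run for real.

# Constructed sample input. The vault body is placeholder hex, not a real
# ciphertext, so it parses but cannot be decrypted.
SAMPLE_YAML=$(cat <<'EOF'
grafana_admin_user: admin
grafana_admin_pass: !vault |
          $ANSIBLE_VAULT;1.2;AES256;mir
          3464343265656330623761666133656664636231663263656132653230366230
          3639663532313635373161316132656434393763373964390a34346232646633
grafana_port: 3000
EOF
)

# extract_vault_blob KEY  (YAML on stdin)
# Prints the block scalar for KEY with its indentation stripped, or nothing
# if KEY has no "!vault |" value.
extract_vault_blob() {
  awk -v key="$1" '
    # Fields split on whitespace, so "<key>: !vault |" matches even if the
    # key itself is indented; remember how far the key is indented.
    !inblock && $1 == (key ":") && $2 == "!vault" && $3 == "|" {
      inblock = 1; match($0, /^ */); keyind = RLENGTH; blockind = -1; next
    }
    inblock {
      match($0, /^ */)
      # A blank line, or a line not indented deeper than the key, ends the scalar.
      if ($0 ~ /^[ \t]*$/ || RLENGTH <= keyind) exit
      # The first content line fixes the indentation stripped from every line.
      if (blockind < 0) blockind = RLENGTH
      print substr($0, blockind + 1)
    }
  '
}

# check_vault_header  (vault blob on stdin)
# Prints "VERSION CIPHER LABEL" from the $ANSIBLE_VAULT header, with "-" as
# the label for format 1.1 blobs (which carry no vault-id), or fails if the
# text is not a vault blob at all.
check_vault_header() {
  header=$(head -n 1)
  case "$header" in
    '$ANSIBLE_VAULT;'*) ;;
    *) echo "not an ansible-vault blob: ${header:-<empty>}" >&2; return 1 ;;
  esac
  printf '%s\n' "$header" | awk -F';' '{ print $2, $3, ($4 == "" ? "-" : $4) }'
}

# decrypt_inline_secret KEY FILE
# Glue: extract, validate, then decrypt. ansible-vault asks for the vault
# password on the tty; when the blob carries a vault-id label, pass it as
# --vault-id so the right password is matched (swap "@prompt" for
# "@/path/to/passfile" to avoid the prompt).
decrypt_inline_secret() {
  blob=$(extract_vault_blob "$1" < "$2")
  [ -n "$blob" ] || { echo "no !vault block scalar for key $1 in $2" >&2; return 1; }
  fields=$(printf '%s\n' "$blob" | check_vault_header) || return 1
  label=${fields##* }
  if [ "$label" != "-" ]; then
    printf '%s\n' "$blob" | ansible-vault decrypt --vault-id "$label@prompt"
  else
    printf '%s\n' "$blob" | ansible-vault decrypt
  fi
}

# Typical use against a real role:
#   decrypt_inline_secret grafana_admin_pass grafana/defaults/main.yml
```

The header check matters because a key that was never encrypted, or a yq expression that matched the wrong key, would otherwise be fed to ansible-vault as if it were ciphertext; failing early with a clear message is cheaper than puzzling over a vault error. The label is read from the header rather than typed by hand so the same function works for 1.1 blobs without a vault ID.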

As Stan the Man might say...Excelsior!