Easily view Ansible-vault secrets with yq
As you probably know, ansible-vault is a good way to keep your secrets…secret.
There are at least two ways to handle vault secrets in your Ansible roles:
- Put them in a separate file, such as ‘secrets.yml’. This makes it easy to encrypt/decrypt as needed, but hides the keys as well as the values.
- Encrypt the secrets in-line, which reveals the keys, but makes it a bit of a pain to decrypt the individual secrets.
For this site, we’ve chosen the latter approach. So how best to decrypt
individual secrets? Let’s try yq!
OK, but what’s “yq”?
In the words of its developer, yq is “a lightweight and portable command-line YAML processor.” As you may have guessed
by the name, it is inspired by jq.
For Example
Given the defaults file as below:
cat grafana/defaults/main.yml
grafana_admin_pass: !vault |
  $ANSIBLE_VAULT;1.2;AES256;mir
  34643432656563306237616661336566646362316632636561326532303662303635323336336461
  3639663532313635373161316132656434393763373964390a343462326466336138663734393630
  65633633353032613632313730656463383237616230393532656230316161623333633234666364
  6435366464306161300a656261323733326432396638623264333633366339353362316532633836
  64393737303039326530373431623433326161316564646631393439663639383734643934666536
  6337646663393136383237306461376535316663373965666539
You can easily decrypt the secret using the following command:
cat grafana/defaults/main.yml | yq -r ".grafana_admin_pass" | ansible-vault decrypt
Which returns:
Decryption successful
6C0F6611-62D7-43E6-B0DD-1E174A3329E7
As Stan the Man might say…Excelsior!
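An added example, not part of the original post: because in-line encryption leaves the keys and the vault header in cleartext, a small shell helper can list which keys in a vars file are vaulted (with format version, cipher and vault-ID label) and wrap the yq pipeline above so that it refuses keys that are not vaulted. The function names and the sample file are assumptions made for illustration, and the hex lines in the sample are placeholders rather than real ciphertext.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): inventory the in-line vaulted
# keys in a vars file, then view one with the post's yq pipeline.

# list_vaulted FILE: print "key<TAB>format<TAB>cipher<TAB>vault-id" for every
# top-level key whose value is an in-line !vault block. Reads only the
# cleartext header line, so no vault password is needed.
list_vaulted() {
  awk '
    /^[A-Za-z_][A-Za-z0-9_]*:[ \t]*!vault[ \t]*[|]/ {
      key = $1; sub(/:.*/, "", key); want_header = 1; next
    }
    want_header {
      want_header = 0
      line = $0; gsub(/^[ \t]+|[ \t\r]+$/, "", line)
      n = split(line, h, ";")
      if (h[1] == "$ANSIBLE_VAULT")
        printf "%s\t%s\t%s\t%s\n", key, h[2], h[3], (n >= 4 ? h[4] : "-")
    }
  ' "$1"
}

# vault_view FILE KEY: decrypt a single value to stdout. Refuses keys that are
# not vaulted, so a typo never pipes yq's "null" into ansible-vault.
vault_view() {
  if ! list_vaulted "$1" | cut -f1 | grep -qx -- "$2"; then
    echo "vault_view: '$2' is not an in-line vaulted key in $1" >&2
    return 2
  fi
  yq -r ".$2" < "$1" | ansible-vault decrypt
}

# Constructed sample file; the hex lines are placeholders, not real ciphertext.
write_sample() {
  cat > "$1" <<'EOF'
grafana_admin_user: admin
grafana_admin_pass: !vault |
  $ANSIBLE_VAULT;1.2;AES256;mir
  00000000000000000000000000000000
grafana_api_token: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  00000000000000000000000000000000
EOF
}
```

Run `list_vaulted grafana/defaults/main.yml` to see what is encrypted and under which vault ID, then `vault_view grafana/defaults/main.yml grafana_admin_pass` to decrypt a single value.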