changing vault passwords

Project description

General

A project for automatically changing Ansible Vault passwords in YAML files that contain Ansible Vault strings. Use the vach script, which is installed automatically by:

pip install vach

vach requires some Python packages:

  • ansible-vault
  • yaml
  • argcomplete

By default, vach does not overwrite files that contain vaults; files with vault strings are modified only with the -n option. vach uses Python logging to write messages to stdout.

Usage

vach [-h] [-i VID] [-g [LENGTH]] [-n] [--no-sum-file] [--tb] [-m REGEX] [-d REGEX] [-f REGEX] [-V] [PATH ...]

positional arguments:

  • search in PATH for ansible vault strings and change vault password.
    • Default: ..
    • Python os.walk is used for recursive file search in direct

options:

  -h, --help            show this help message and exit
  -i VID, --vault-id VID
                        vault ids which password should be changed (default:
                        ['vid'])
  -g [LENGTH], --gen-passwd [LENGTH]
                        generate passwords for new vault ids. if no LENGTH is
                        provided use default length (default: None)
                        default password length: 20
  -n, --no-dry          no dry mode. files will be really written (default:
                        False)
  --no-sum-file         don't write summary json file in $HOME (default:
                        False)
  --tb                  show traceback on exceptions (default: False)
  -m REGEX, --match-file REGEX
                        handle only files that match REGEX (default: .+)
                        REGEX is case sensitive
  -d REGEX, --ignore-dir REGEX
                        ignore directories that match REGEX (default:
                        /?\.git/?)
                        REGEX is case sensitive
  -f REGEX, --ignore-files REGEX
                        ignore files that match REGEX (default: None)
                        REGEX is case sensitive
  -V, --version         show program's version number and exit

Usage examples

  • show only changes in test_dir directory recursively and in files file_1, file_2. use vid_1 vault-id
vach -i vid_1 test_dir file_1 file_2
  • overwrite files with vaults (no-dry mode)
vach -i vid_1 test_dir file_1 file_2 --no-dry
  • handle only filenames that match some regex
vach -i vid_1 test_dir file_1 file_2 -m "\.ya?ml"
  • ignore directories that match some regex
vach -i vid_1 test_dir file_1 file_2 -d "dist|build"
  • ignore filenames that match some regex
vach -i vid_1 test_dir file_1 file_2 -f "\.json$"

Default values/Configuration

Config files in ini format can be used to set some default values for the vach script. Config files can be placed in:

  • ./vach.cfg
  • $HOME/vach.cfg
  • $HOME/.vach/vach.cfg

vach.cfg example:

[main]

passwd_length = 23
wpath = ~/vach_dir,/opt/test_dir,file_1
vault_id = vid1,vid2
match_file_regex=my?.regex
ignore_dir_regex=some_dir_regex
ignore_file_regex=ign_file_rg[Xx]

The main section in vach.cfg is required.

Summary file

By default, vach writes a JSON summary file in the same directory. Example of a summary file (vach_summary_20250424213256.json):

{
  "general": {
    "all": 36,
    "success": 3,
    "vault": 2,
    "written": 0,
    "ignored": 30,
    "len_bad_srcs": 0,
    "bad_srcs": [],
    "error": 3
  },
  "files": [
    {
      "path": "/home/firusik/vach_dir/myobject.yaml",
      "succeeded": true,
      "written": false,
      "ignored": false,
      "errors": [],
      "vault_vars": []
    },
    {
      "path": "/home/firusik/vach_dir/vach_test_file_2.yml",
      "succeeded": true,
      "written": false,
      "ignored": false,
      "errors": [],
      "vault_vars": [
        ":oxak[1]:p",
        ":she:lost:control[2]",
        ":she:lost:begun",
        ":passwd"
      ]
    },
    {
      "path": "/home/firusik/vach_dir/vach_error_file.yml",
      "succeeded": false,
      "written": false,
      "ignored": false,
      "errors": [
        "('VaultError', VaultError('decryption of vault failed. exceptions derived from ansible: {Decryption failed (no vault secrets were found that could decrypt)}'))"
      ],
      "vault_vars": []
    },
    {
      "path": "/home/firusik/vach_dir/.git/description",
      "succeeded": false,
      "written": false,
      "ignored": true,
      "errors": [],
      "vault_vars": []
    },
    ...
  ]
}
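A dry run leaves every vault file unwritten, and a file that fails decryption stays encrypted under the old password, so the summary is worth checking before the old password is retired. The following is an added example, not part of vach: it reads a summary in the format shown above, with a constructed sample and field meanings assumed from that sample.

```python
import json

# Constructed sample in the summary format shown above (paths are made up).
SAMPLE_SUMMARY = """
{
  "general": {"all": 4, "success": 2, "vault": 1, "written": 0,
              "ignored": 1, "len_bad_srcs": 0, "bad_srcs": [], "error": 1},
  "files": [
    {"path": "/srv/inv/plain.yaml", "succeeded": true, "written": false,
     "ignored": false, "errors": [], "vault_vars": []},
    {"path": "/srv/inv/secrets.yml", "succeeded": true, "written": false,
     "ignored": false, "errors": [], "vault_vars": [":passwd", ":db:users[1]:p"]},
    {"path": "/srv/inv/old_key.yml", "succeeded": false, "written": false,
     "ignored": false, "errors": ["('VaultError', ...)"], "vault_vars": []},
    {"path": "/srv/inv/.git/description", "succeeded": false, "written": false,
     "ignored": true, "errors": [], "vault_vars": []}
  ]
}
"""

def review_summary(summary):
    """Classify the files of a vach summary for a rotation review.

    failed:  not ignored, but errors recorded or not succeeded
    pending: vault strings found but the file was not written (e.g. dry run)
    rotated: vault strings found and the file was written
    """
    report = {"failed": [], "pending": [], "rotated": []}
    for entry in summary.get("files", []):
        if entry.get("ignored"):
            continue  # skipped by an ignore regex, e.g. the .git directory
        if entry.get("errors") or not entry.get("succeeded"):
            report["failed"].append(entry["path"])
        elif entry.get("vault_vars"):
            key = "rotated" if entry.get("written") else "pending"
            report[key].append(entry["path"])
    return report

def rotation_complete(summary):
    """True only if nothing failed and no vault file is left unwritten."""
    report = review_summary(summary)
    return not report["failed"] and not report["pending"]

if __name__ == "__main__":
    summary = json.loads(SAMPLE_SUMMARY)
    for state, paths in review_summary(summary).items():
        print(f"{state}: {paths}")
    print("rotation complete:", rotation_complete(summary))
```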

Download files

Source Distribution

vach-0.22.0.tar.gz (13.0 kB)

Uploaded Source

Built Distribution

vach-0.22.0-py3-none-any.whl (13.6 kB)

Uploaded Python 3

File details

Details for the file vach-0.22.0.tar.gz.

File metadata

  • Download URL: vach-0.22.0.tar.gz
  • Upload date:
  • Size: 13.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.11.2

File hashes

Hashes for vach-0.22.0.tar.gz
Algorithm Hash digest
SHA256 025bccb7336a9be45c06290a7d9a0afe33f0b035aee545935f9f09ee90fc3ace
MD5 59c978123db70df44e4447720c217097
BLAKE2b-256 76102c172461b2195daa68f227f94cff2b9f51cb7dcb524f4c1b28fae526ea59

File details

Details for the file vach-0.22.0-py3-none-any.whl.

File metadata

  • Download URL: vach-0.22.0-py3-none-any.whl
  • Upload date:
  • Size: 13.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.11.2

File hashes

Hashes for vach-0.22.0-py3-none-any.whl
Algorithm Hash digest
SHA256 d8025a1abc9387585b4809a7e4e54ef5c2c3e9a926071a5cbacb922e2961a114
MD5 72bf404944aea6e076cd9d7ae99829e6
BLAKE2b-256 9f5d89120ad54825f020ec4ebc9ece3ed9ead3b8736b8977036fb13342456bc4
