Passbolt anatomicjc ansible plugin

Hello everyone,

I have a working passbolt installation.
I have a dedicated ansible user.

I would like to setup the anatomicjc’s passbolt ansible plugin.
To do that, I followed this post: Managing Secrets in Ansible using passbolt
These are my playbook environment vars:

environment:
  PASSBOLT_BASE_URL: "https://password.domain.tld"
  PASSBOLT_GPG_LIBRARY: "gnupg"
  PASSBOLT_FINGERPRINT: "FD50FFC14A35BEB8FBDC6AF8271DBFE16D4FEDE7"

I added the ansible user's private key to my ansible server using gpg.
This is the result of the gpg --list-keys command:

pub   rsa3072 2023-04-06 [SC]
      FD50FFC14A35BEB8FBDC6AF8271DBFE16D4FEDE7
uid           [ inconnue] Ansible Ansible <ansible@rouxel.fr>
sub   rsa3072 2023-04-06 [E]

And when I start my playbook, I get the following error, I don't know why:

{'header': {'id': '8f6555ac-2374-463b-a649-1cedf27bea3d', 'status': 'error', 'servertime': 1680789325, 'action': '881ab948-e40f-5a72-91aa-54b442270029', 'message': 'Authentication is required to continue', 'url': '/users/me.json', 'code': 401}, 'body': ''}

Has anybody already done this and can help me?
Thanks :slight_smile:


Hi @Noreu :wave: and welcome to the passbolt community forum :handshake:

By using the gnupg library, the ansible plugin assumes you have a GPG agent running that will fill in your passphrase for you.

I will try to give you an example, I am on Ubuntu.

I list my public keys:

$ gpg --list-keys
/home/jc/.gnupg/pubring.kbx
---------------------------
pub   rsa4096 2021-08-13 [SC]
      667E3D4070E5B5F8BD64850C764D886B9F30CE31
uid           [ unknown] Jean-Christophe Vassort <anatomicjc@open-web.fr>
sub   rsa4096 2021-08-13 [E]

Ok, so I will encrypt a file with my public key:

gpg --encrypt -r anatomicjc@open-web.fr file.txt
gpg: 8AAB51E5C89DA2F2: There is no assurance this key belongs to the named user

sub  rsa4096/8AAB51E5C89DA2F2 2021-08-13 Jean-Christophe Vassort <anatomicjc@open-web.fr>
 Primary key fingerprint: 667E 3D40 70E5 B5F8 BD64  850C 764D 886B 9F30 CE31
      Subkey fingerprint: 8B72 CE4C 125E 2564 6504  CBFC 8AAB 51E5 C89D A2F2

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y

Ok, I now have a file.txt.gpg file I can share with myself :smiley:

I check that I imported my secret key:

$ gpg --list-secret-keys
/home/jc/.gnupg/pubring.kbx
---------------------------
sec   rsa4096 2021-08-13 [SC]
      667E3D4070E5B5F8BD64850C764D886B9F30CE31
uid           [ unknown] Jean-Christophe Vassort <anatomicjc@open-web.fr>
ssb   rsa4096 2021-08-13 [E]

It is ok, so I can decrypt the file like this:

$ gpg --decrypt file.txt.gpg

At this moment, my Ubuntu prompts me with a box and asks me to fill in my passphrase. After that, the file is decrypted and my passphrase is stored in the gpg agent.

If I run the command again, the system doesn't ask me for my passphrase anymore, as it is stored in the gpg agent.

You have to set up your gpg agent before launching your playbook, to let it handle your passphrase.

On which operating system are you running ansible?

Best,


Ok, nice, it works now.

I’m on Debian 11.

I suppose this trick needs to be performed after each reboot, right?
Do you have a way to automate it?

Thanks,


It would be a good thing if the passphrase was prompted for when ansible-playbook is run.
For now, I don't know how to do that. I will think about it and let you know. If you find a trick on your side, don't hesitate :smiley:
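One way to get the behaviour discussed in this thread (the gpg agent must already hold the passphrase before the plugin authenticates, and ideally the prompt should happen when the playbook is launched rather than by hand after every reboot), as an added example that is not part of the thread and not anatomicjc's plugin code: a small POSIX sh wrapper. It assumes gpg 2.x with gpg-agent and a pinentry program installed, that PASSBOLT_FINGERPRINT is set to the primary key fingerprint as in the playbook above, and that the keygrip lookup, the KEYINFO column layout and the ansible-playbook invocation are the ones shown here. Because passbolt authentication decrypts a challenge encrypted to the user's key, it is the [E] subkey whose passphrase has to be cached, so the wrapper looks that subkey up by keygrip, asks gpg-agent whether it is already unlocked, and only triggers a single pinentry prompt when it is not.

```shell
#!/bin/sh
# Added example (not from the thread, not anatomicjc's plugin): unlock the
# passbolt GPG key in gpg-agent once, interactively, then start ansible-playbook.
# Assumes gpg 2.x, gpg-agent and pinentry are installed and PASSBOLT_FINGERPRINT
# holds the primary key fingerprint (as in the playbook environment above).
set -eu

# Read `gpg --with-colons --with-keygrip --list-secret-keys` output on stdin and
# print the keygrip of the first encryption-capable ("e" in field 12) subkey.
# In the colon format the "grp" record carries the keygrip in field 10.
encryption_keygrip() {
  awk -F: '
    $1 == "ssb" { want = (index($12, "e") > 0); next }
    want && $1 == "grp" { print $10; exit }
  '
}

# Read `gpg-connect-agent "KEYINFO --list" /bye` output on stdin and succeed
# only if the passphrase for keygrip $1 is cached. A KEYINFO line looks like
# "S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> ..." and the
# <cached> column (field 7) is "1" when the agent holds the passphrase.
keygrip_is_cached() {
  awk -v grip="$1" '
    $1 == "S" && $2 == "KEYINFO" && $3 == grip { found = 1; if ($7 == "1") cached = 1 }
    END { if (found && cached) exit 0; exit 1 }
  '
}

# Trigger exactly one pinentry prompt by round-tripping a throwaway message
# through the key. gpg-agent then keeps the passphrase until its cache TTL
# expires; the passphrase itself never touches a file or the environment.
prime_agent() {
  fpr="$1"
  printf 'cache-prime\n' \
    | gpg --batch --yes --trust-model always --encrypt --recipient "$fpr" \
    | gpg --decrypt >/dev/null
}

main() {
  fpr="${PASSBOLT_FINGERPRINT:?set PASSBOLT_FINGERPRINT to the key fingerprint}"
  grip="$(gpg --batch --with-colons --with-keygrip --list-secret-keys "$fpr" | encryption_keygrip)"
  if [ -z "$grip" ]; then
    echo "no secret encryption subkey for $fpr in this keyring" >&2
    exit 1
  fi
  if gpg-connect-agent 'KEYINFO --list' /bye | keygrip_is_cached "$grip"; then
    echo "gpg-agent already holds the passphrase for $fpr" >&2
  else
    echo "unlocking $fpr (pinentry will prompt once)" >&2
    prime_agent "$fpr"
  fi
  # Hand over to ansible-playbook with the original arguments (playbook, -i, ...).
  exec ansible-playbook "$@"
}

# Only act when a playbook is given, e.g.:
#   PASSBOLT_FINGERPRINT=FD50FFC14A35BEB8FBDC6AF8271DBFE16D4FEDE7 ./run-playbook.sh site.yml
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

How long the agent keeps the passphrase is governed by default-cache-ttl and max-cache-ttl in ~/.gnupg/gpg-agent.conf; after a reboot, or once those TTLs expire, the wrapper simply prompts again at the next run instead of the plugin failing with the 401 "Authentication is required to continue" shown above. Keeping the passphrase only in gpg-agent's memory avoids the usual shortcut of putting it in a file or an environment variable where any process of that user could read it.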