vault_decrypt_string
Decrypt strings encrypted with Ansible Vault using specified vault ID and password file to securely access sensitive data within infrastructure operations.
Instructions
Decrypt a string encrypted with Ansible Vault
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| string | Yes | ||
| vault_id | No | ||
| vault_password_file | No |
Input Schema (JSON Schema)
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": false,
"properties": {
"string": {
"minLength": 1,
"type": "string"
},
"vault_id": {
"type": "string"
},
"vault_password_file": {
"type": "string"
}
},
"required": [
"string"
],
"type": "object"
}
Implementation Reference
- The core handler function that decrypts the string using ansible-vault by writing to a temp file, executing the command, and cleaning up.export async function decryptString(options: VaultDecryptStringOptions): Promise<string> { let tempDir: string | undefined; try { // Create a unique temporary directory tempDir = await createTempDirectory('ansible-vault-decrypt'); // Write the encrypted string to a temporary file const tempFilePath = await writeTempFile(tempDir, 'encrypted.txt', options.string); // Build the decrypt command arguments const args = ['decrypt', tempFilePath, '--output=-']; // Output to stdout // Add vault ID if specified if (options.vault_id) { args.splice(1, 0, `--vault-id=${options.vault_id}`); // Insert after 'decrypt' } // Add vault password file if specified if (options.vault_password_file) { args.splice(1, 0, `--vault-password-file=${options.vault_password_file}`); // Insert after 'decrypt' } const command = `ansible-vault ${args.join(' ')}`; console.error(`Executing: ${command}`); // Execute the command asynchronously const { stdout, stderr } = await execAsync(command); return stdout.trim(); } catch (error: any) { // Handle execution errors const errorMessage = error.stderr || error.message || 'Unknown error'; throw new AnsibleExecutionError(`Error decrypting string: ${errorMessage}`, error.stderr); } finally { // Ensure cleanup happens even if errors occur if (tempDir) { await cleanupTempDirectory(tempDir); } } }
- Zod schema defining input parameters for the vault_decrypt_string tool.export const VaultDecryptStringSchema = z.object({ string: z.string().min(1, 'Encrypted string is required'), vault_id: z.string().optional(), vault_password_file: z.string().optional(), }); export type VaultDecryptStringOptions = z.infer<typeof VaultDecryptStringSchema>;
- src/sysoperator/index.ts:85-89 (registration)Registration of the vault_decrypt_string tool in the toolDefinitions map, linking schema and handler.vault_decrypt_string: { description: 'Decrypt a string encrypted with Ansible Vault', schema: VaultDecryptStringSchema, handler: vault.decryptString, },