Ansible Vault is a feature of Ansible that keeps sensitive data such as passwords, keys and certificates in encrypted files, rather than as plaintext in your playbooks or roles. This lets you check in everything a play needs to run, including values that must not be publicly visible, like passwords or private keys. Ansible decrypts vault-encrypted content at runtime, provided the vault password is supplied.
The feature is driven by a command line tool, ansible-vault, which creates, encrypts and edits the files, and by command line flags (--ask-vault-pass or --vault-password-file) that supply the password when a play runs. In this guide we walk through the steps to manage the secrets (passwords, keys, certificate files) of a configuration/deployment with Ansible Vault.
ansible-vault in Playbooks
1. Create a file called secrets.yml
[ansible@localhost ~]$ vim secrets.yml
2. Add the entries (SSH keys, password variables) to secrets.yml as ordinary YAML variables.
3. To encrypt an existing password/secrets file in place:
[ansible@localhost ~]$ ansible-vault encrypt secrets.yml
The first time it prompts for a vault password and asks you to confirm it:
output: New Vault password: Confirm New Vault password:
Note that encrypt overwrites the plaintext file; if the plaintext version was already committed to version control, encrypting it now does not remove it from the history, so rotate those secrets.
4. To create a new vault-encrypted file from scratch (prompts for the password, then opens your editor):
[ansible@localhost ~]$ ansible-vault create secrets.yml
5. To edit a vault-encrypted file, i.e. to change sensitive information (the file is decrypted into the editor and re-encrypted on save):
[ansible@localhost ~]$ ansible-vault edit secrets.yml
On disk the file no longer contains your entries at all, only a $ANSIBLE_VAULT header and hex-encoded AES256 ciphertext, as shown in the output below.
[ansible@localhost ~]$ cat secrets.yml
$ANSIBLE_VAULT;1.1;AES256
32383031633663643336336330613739323163616264653132636238613130363435353339376462
3432643665306534303963323432353262356334333135630a326231613964623738303431636363
64386135363735653864663236616532303462336134353665383733333662366265336361313565
3130396238616161660a356366303936346639313562626432616265373932386662636330323535
38633735376539663162336465656362343832376266303232376336666335663732
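To see what that blob actually contains, here is an added example (not part of the original page and not Ansible's own code) that parses the vault file listed above. The header line gives the format version, the cipher and, for 1.2 files written with --vault-id, a vault id; the hex body decodes to three newline-separated hex strings, which are the PBKDF2-HMAC-SHA256 salt, the HMAC-SHA256 tag over the ciphertext, and the AES256-CTR ciphertext of the PKCS7-padded plaintext. SAMPLE_VAULT is the file from the listing, and parse_vault_file, sanity_check and is_vault_encrypted are names chosen for this example.

```python
import binascii
import re

# Constructed input for this example: the vault file shown above, with the
# body restored to the 80-column lines that ansible-vault writes.
SAMPLE_VAULT = """$ANSIBLE_VAULT;1.1;AES256
32383031633663643336336330613739323163616264653132636238613130363435353339376462
3432643665306534303963323432353262356334333135630a326231613964623738303431636363
64386135363735653864663236616532303462336134353665383733333662366265336361313565
3130396238616161660a356366303936346639313562626432616265373932386662636330323535
38633735376539663162336465656362343832376266303232376336666335663732
"""

# Header: $ANSIBLE_VAULT;<format version>;<cipher>[;<vault id>]
# Version 1.1 carries no vault id; 1.2 (files written with --vault-id label@source) appends one.
HEADER_RE = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>1\.[12]);(?P<cipher>[A-Z0-9]+)(?:;(?P<vault_id>[^;\s]+))?$"
)


def parse_vault_file(text):
    """Split a vault file into header fields and the three raw payload parts.

    The hex body decodes to  hex(salt) + b"\\n" + hex(hmac) + b"\\n" + hex(ciphertext):
    the salt feeds PBKDF2-HMAC-SHA256, the HMAC-SHA256 tag authenticates the
    ciphertext, and the ciphertext is AES256-CTR over the PKCS7-padded plaintext.
    Raises ValueError for anything that is not a structurally valid vault file.
    """
    lines = text.strip().splitlines()
    if not lines:
        raise ValueError("empty input")
    m = HEADER_RE.match(lines[0].strip())
    if not m:
        raise ValueError("no $ANSIBLE_VAULT header: this file is not encrypted")
    body = "".join(line.strip() for line in lines[1:])
    if not body or len(body) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", body):
        raise ValueError("vault body is not an even-length hex string")
    parts = binascii.unhexlify(body).split(b"\n")
    if len(parts) != 3:
        raise ValueError("expected salt, hmac and ciphertext separated by newlines")
    try:
        salt, mac, ciphertext = (binascii.unhexlify(p) for p in parts)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"inner payload is not hex: {exc}") from exc
    return {
        "version": m.group("version"),
        "cipher": m.group("cipher"),
        "vault_id": m.group("vault_id"),
        "salt": salt,
        "hmac": mac,
        "ciphertext": ciphertext,
    }


def sanity_check(parsed):
    """Structural expectations for an AES256 vault payload; returns a list of problems."""
    problems = []
    if parsed["cipher"] != "AES256":
        problems.append(f"unexpected cipher {parsed['cipher']!r}")
    if len(parsed["salt"]) != 32:
        problems.append(f"salt is {len(parsed['salt'])} bytes, expected 32")
    if len(parsed["hmac"]) != 32:
        problems.append(f"hmac is {len(parsed['hmac'])} bytes, expected 32 (SHA-256)")
    n = len(parsed["ciphertext"])
    if n == 0 or n % 16:
        problems.append(f"ciphertext is {n} bytes, expected a non-zero multiple of 16 (PKCS7)")
    return problems


def is_vault_encrypted(text):
    """True only if the text parses as a vault file; plaintext YAML returns False."""
    try:
        parse_vault_file(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    p = parse_vault_file(SAMPLE_VAULT)
    print(f"format {p['version']}, cipher {p['cipher']}, vault id {p['vault_id']}")
    print(f"salt {len(p['salt'])} B, hmac {len(p['hmac'])} B, ciphertext {len(p['ciphertext'])} B")
    print("problems:", sanity_check(p) or "none")
```

Nothing here needs the vault password: the structure, the salt and the HMAC are all visible to anyone holding the file, which is exactly why the password file deserves the care described in the next section. Use is_vault_encrypted as a pre-commit guard on any file that is supposed to be encrypted.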
Running a Playbook With Vault-Encrypted Files
To run a playbook that uses vault-encrypted files, you must give Ansible the vault password in one of two ways.
1. To supply the vault password interactively:
[ansible@localhost ~]$ ansible-playbook site.yml --ask-vault-pass
It prompts for the password that was set when the secrets file was encrypted.
2. To supply the vault password from a file or a script:
[ansible@localhost ~]$ ansible-playbook site.yml --vault-password-file ~/.vault_pass_file
[ansible@localhost ~]$ ansible-playbook site.yml --vault-password-file ~/.vault_pass_file.py
If the file is executable, Ansible runs it and reads the password from its standard output (this is how the .py variant works); otherwise the file's contents are the password. In either case, set permissions so that no one else can read it (chmod 600 ~/.vault_pass_file), keep it outside the repository, and never add it to source control. The same path can also be set once via the ANSIBLE_VAULT_PASSWORD_FILE environment variable or vault_password_file in ansible.cfg.
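As an added example that is not part of the original page, the following Python pre-flight check enforces the warnings above before a run: the password file must be mode 600 and owned by the caller, must not live inside the repository tree, and every file you expect to be vault-encrypted must actually start with the $ANSIBLE_VAULT header (the case where someone ran ansible-vault decrypt to edit and forgot to re-encrypt). The function names, the directory layout that demo() builds in a temporary directory and the sample file contents are all constructed for this example.

```python
import os
import stat
import tempfile
from pathlib import Path

VAULT_MAGIC = "$ANSIBLE_VAULT;"


def password_file_issues(path):
    """Problems with a --vault-password-file: permissions and ownership.

    An executable file is run by Ansible and the password read from its stdout,
    so a script gets the same 0600 treatment as a plain password file.
    """
    p = Path(path)
    if not p.is_file():
        return [f"{p}: missing or not a regular file"]
    st = p.stat()
    issues = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        issues.append(f"{p}: mode {stat.filemode(st.st_mode)} is accessible to group/others, chmod 600 it")
    if st.st_uid != os.geteuid():
        issues.append(f"{p}: owned by uid {st.st_uid}, not by the invoking user")
    return issues


def inside_tree(root, path):
    """True if path resolves to somewhere under root (a file git could pick up)."""
    try:
        Path(path).resolve().relative_to(Path(root).resolve())
        return True
    except ValueError:
        return False


def plaintext_files(paths):
    """Those of paths that lack the vault header, i.e. would ship secrets in the clear."""
    bad = []
    for f in paths:
        with open(f, encoding="utf-8", errors="replace") as fh:
            first_line = fh.readline()
        if not first_line.startswith(VAULT_MAGIC):
            bad.append(str(f))
    return bad


def preflight(repo_root, password_file, vault_files):
    """Collect every reason not to run; an empty list means go ahead."""
    issues = password_file_issues(password_file)
    if inside_tree(repo_root, password_file):
        issues.append(f"{password_file}: lives inside the repository; move it out (e.g. ~/.vault_pass_file)")
    for f in plaintext_files(vault_files):
        issues.append(f"{f}: expected vault-encrypted but has no {VAULT_MAGIC} header")
    return issues


def playbook_argv(playbook, password_file):
    """argv for the run, built as a list so no shell quoting is involved."""
    return ["ansible-playbook", str(playbook), "--vault-password-file", str(password_file)]


def demo():
    """Run the check over a constructed layout in a temp dir.

    Returns (issues for a careless setup, issues for a correct setup).
    """
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        repo = home / "repo"
        (repo / "group_vars").mkdir(parents=True)

        good_pw = home / ".vault_pass_file"        # outside the repo, private
        good_pw.write_text("correct horse battery staple\n")
        good_pw.chmod(0o600)

        bad_pw = repo / "vault_pass.txt"            # inside the repo, world-readable
        bad_pw.write_text("correct horse battery staple\n")
        bad_pw.chmod(0o644)

        # Header-only stand-in for an encrypted file (constructed, not real ciphertext).
        encrypted = repo / "secrets.yml"
        encrypted.write_text("$ANSIBLE_VAULT;1.1;AES256\n3031\n")
        # Someone ran 'ansible-vault decrypt' to edit and forgot to re-encrypt.
        plaintext = repo / "group_vars" / "all_vault.yml"
        plaintext.write_text("db_password: hunter2\n")

        careless = preflight(repo, bad_pw, [encrypted, plaintext])
        correct = preflight(repo, good_pw, [encrypted])
        return careless, correct


if __name__ == "__main__":
    careless, correct = demo()
    for line in careless:
        print("FAIL:", line)
    print("correct setup:", correct or "no issues")
    print("would run:", " ".join(playbook_argv("site.yml", "~/.vault_pass_file")))
```

Wire preflight() in front of the real ansible-playbook call (for example in a wrapper script or CI job) and refuse to run when it returns anything; the argv list from playbook_argv() is what you would hand to subprocess.run.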
For more information, see the Ansible documentation for ansible-vault.
ansible-vault Example Usage
ansible-vault example on our GitHub.