Manage secrets/passwords with Ansible Vault (ansible-vault)


Introduction

Ansible Vault is a feature of Ansible that allows keeping sensitive data such as secrets, passwords or keys in encrypted files, rather than as plaintext in your Ansible playbooks or roles. This makes it possible to protect any sensitive data that is necessary to successfully run Ansible plays but should not be publicly visible, like passwords or private keys. Ansible automatically decrypts vault-encrypted content at runtime when the key is provided.

To use this feature, the command line tool ansible-vault is used to create and edit encrypted files, and the command line flag --ask-vault-pass or --vault-password-file is passed when running a playbook. In this guide, we will discuss the steps to manage secrets (passwords, keys and certificate files) of configurations and deployments by automating with Ansible Vault.

 

Using ansible-vault in Playbooks

1. Create a file called secrets.yml

[ansible@localhost ~]$ vim secrets.yml

2. Add the entries (SSH keys, password variables) to the secrets.yml file.

3. To encrypt an existing password/secrets file:

[ansible@localhost ~]$ ansible-vault encrypt secrets.yml

It will prompt for a vault password the first time:

output:
New vault password:
Confirm New Vault Password:

4. To create a new vault-encrypted file:

[ansible@localhost ~]$ ansible-vault create secrets.yml

5. To edit a vault-encrypted file, for example to change sensitive information:

[ansible@localhost ~]$ ansible-vault edit secrets.yml

The entries inside the file are stored encrypted, in the ASCII (hex-armored) format shown in the output below.

[ansible@localhost ~]$ cat secrets.yml 
$ANSIBLE_VAULT;1.1;AES256
32383031633663643336336330613739323163616264653132636238613130363435353339376462
3432643665306534303963323432353262356334333135630a326231613964623738303431636363
64386135363735653864663236616532303462336134353665383733333662366265336361313565
3130396238616161660a356366303936346639313562626432616265373932386662636330323535
38633735376539663162336465656362343832376266303232376336666335663732

 

Running a Playbook With ansible-vault

To run a playbook that contains vault-encrypted data files, you must pass one of two flags.

1. To specify the vault-password interactively:

[ansible@localhost ~]$ ansible-playbook site.yml --ask-vault-pass

It will prompt for the password that was set when the secrets/passwords were encrypted.

2. To specify the vault-password with a file or a script:
When using this flag, ensure permissions on the file are such that no one else can access your key and do not add your key to source control.

[ansible@localhost ~]$ ansible-playbook site.yml --vault-password-file ~/.vault_pass_file
[ansible@localhost ~]$ ansible-playbook site.yml --vault-password-file ~/.vault_pass_file.py
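The permission advice for --vault-password-file above, and the vault header shown in the cat output, can be checked before a play runs. The following pre-flight script is an added example, not part of the original post or of Ansible itself; it assumes the secrets file and the password file are passed as its two arguments and only reaches ansible-playbook when both checks pass.

```sh
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the
# --vault-password-file workflow. Pure POSIX sh; ansible-vault is not needed
# to run the checks, only to produce the encrypted file in the first place.

# 0 if FILE carries the "$ANSIBLE_VAULT;1.x;AES256" header that
# "ansible-vault encrypt/create" writes and the body is hex only;
# 1 if it is (still) plaintext, 2 if it does not exist.
is_vault_encrypted() {
    [ -f "$1" ] || return 2
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;1\.[0-9];AES256' || return 1
    # every line after the header must be hex, as in the cat output above
    tail -n +2 "$1" | grep -q '[^0-9a-f]' && return 1
    return 0
}

# Write PASSWORD to FILE with mode 0600 so no other user can read the key.
# The umask is changed in a subshell so the caller's umask is untouched.
write_vault_password_file() {
    (umask 077 && printf '%s\n' "$2" > "$1")
}

# 0 if FILE has no group/other permission bits (columns 5-10 of ls -l).
password_file_is_private() {
    [ -f "$1" ] || return 2
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Refuse to run the play unless the secrets file is encrypted and the
# password file is private. Usage: vault_preflight SECRETS_FILE PW_FILE
vault_preflight() {
    is_vault_encrypted "$1" || { echo "refusing: $1 is not vault-encrypted" >&2; return 1; }
    password_file_is_private "$2" || { echo "refusing: $2 is readable by others" >&2; return 1; }
    return 0
}

# Example invocation, only when run directly with two arguments:
#   ./vault_preflight.sh secrets.yml ~/.vault_pass_file
if [ "$#" -eq 2 ]; then
    vault_preflight "$1" "$2" && ansible-playbook site.yml --vault-password-file "$2"
fi
```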

For more information, see the Ansible documentation for ansible-vault.

 

ansible-vault Example Usage

Please find an ansible-vault example on our GitHub.

 

Avinash Pawar

DevOps Practitioner interested in learning new technologies and interested in sharing the knowledge with others.
