Manage secrets/passwords with Ansible Vault (ansible-vault)

  • 7


Ansible vault is a feature of ansible that allows keeping sensitive data such as secrets, passwords or keys in encrypted files, rather than as plaintext in your ansible playbooks or ansible roles. This provides the ability to secure any sensitive data that is necessary to successfully run Ansible plays but should not be publicly visible, like passwords or private keys. Ansible automatically decrypts vault-encrypted content at runtime when the key is provided.

To enable this feature, a command line tool, ansible-vault is used to edit files, and a command line flag –ask-vault-pass or –vault-password-file is used. In this guide, we will discuss the procedure/steps to manage secrets(passwords/keys/certs files) of configuration/deployments by automating with ansible vault.


Using ansible-vault in Playbooks

1. Create a file called password.yml

[ansible@localhost ~]$ vim secrets.yml

2. Add the entries (ssh keys/password variables)in the secrets.yml file.

3. To encrypt existing password/secrets file.

[ansible@localhost ~]$ ansible-vault encrypt secrets.yml

It will ask prompt for password first time

New vault password:
Confirm New Vault Password:

4. To create a file with vault encrypted.

[ansible@localhost ~]$ ansible-vault create secrets.yml

5. To edit vault encrypted file — to change sensitive information.

[ansible@localhost ~]$ ansible-vault edit secrets.yml

The entries inside the file will be encrypted as ANSCII format as shown in the below output.

[ansible@localhost ~]$ cat secrets.yml 


Running a Playbook With anisble-vault

To run a playbook that contains vault-encrypted data files, you must pass one of two flags.

1. To specify the vault-password interactively:

[ansible@localhost ~]$ ansible-playbook site.yml --ask-vault-pass

It will ask prompt for password that configured at the time of encrypt secrets/passwords.

2. To specify the vault-password with a file or a script:
When using this flag, ensure permissions on the file are such that no one else can access your key and do not add your key to source control.

[ansible@localhost ~]$ ansible-playbook site.yml --vault-password-file ~/.vault_pass_file
[ansible@localhost ~]$ ansible-playbook site.yml --vault-password-file ~/

For more information, you can visit ansible documentation of ansible-vault.


ansible-vault Example Usage

Please find ansible-vault example on our GitHub.


Avinash Pawar

An automation enthusiast who presently working as DevOps Engineer.

More Posts - Website

Follow Me:
TwitterFacebookLinkedInGoogle Plus

Avinash Pawar

An automation enthusiast who presently working as DevOps Engineer.