Bootstrap FreeKB - Ansible - ansible-vault create command
Ansible - ansible-vault create command

Updated:   |  Ansible articles

If you are not familiar with the Ansible Vault, check out my article Getting Started with the Ansible Vault.

The ansible-vault create command can be used to create an Ansible Vault encrypted file. Often, the Ansible Vault encrypted file is created in the group_vars/all directory, so that variables in the encrypted file can be used by "all" hosts. The file does not need to be named vault.yml. The file can be named anything you want.

ansible-vault create group_vars/all/vault.yml

 

You will be prompted to create a new vault password.

New Vault password:

 

Or, to avoid being prompted for the vault password, you could create a Vault Password file, and then use the --vault-password-file command line option (if you are going to use the same password for all of the ansible-vault and ansible-playbook commands).

ansible-vault create --vault-password-file /usr/local/ansible/vault/.vault_password.txt group_vars/all/vault.yml

 

Or the --vault-id command line option (if you want to use different passwords).

ansible-vault create --vault-id test@/usr/local/ansible/vault/.vault_password.txt group_vars/all/vault.yml

 

Or you could set the vault_password_file directive in your ansible.cfg file. In this scenario, you wouldn't need to use any of the vault password command line options (--ask-vault-pass--vault-password-file--vault-id).

[defaults]
vault_password_file = /usr/local/ansible/vault/.vault_password.txt

 

The file will open in your default editor. Let's say you enter vault_default_password: itsasecret and save vault.yml. On a Linux system, vault.yml could have the following owner and permissions. In this example, only john.doe can read and write to vault.yml.

-rw-------. 1 john.doe john.doe  355 Mar 16 18:48 group_vars/all/vault.yml

 

Attempting to view the file using the cat command will display something like this. The ansible-vault view command can be used to view the content of the file.

$ANSIBLE_VAULT;1.1;AES256
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531

 

If the file was encrypted with a vault id, the vault id (test in this example) will be included.

$ANSIBLE_VAULT;1.1;AES256;test
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531



Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee



Comments


Add a Comment


Please enter df26fb in the box below so that we can be sure you are a human.