Ansible - --ask-vault-pass command line option

The ansible-vault command can be used to perform a number of tasks.

Additionally, there are a few command line options to be aware of. They are accepted by ansible-playbook (and the other ansible commands) as well as by ansible-vault itself.

  • --ask-vault-pass - prompt interactively for the vault password
  • --vault-id - label@source, where source is a password file or the word prompt; use this when different files are encrypted with different passwords (the option can be repeated to supply several passwords)
  • --vault-password-file - read a single vault password from a file (if the file is executable, Ansible runs it and uses its standard output as the password)

 

For example, let's say ping.yml is unencrypted. When unencrypted, ping.yml can be viewed using common commands, such as cat.

cat ping.yml

 

Let's say ping.yml contains the following.

---
- hosts: all
  gather_facts: false
  tasks:
    - ping:
...

 

ping.yml can be invoked using the ansible-playbook command.

ansible-playbook ping.yml

 

Which should return something like this.

PLAY [all] 

TASK [ping] 
ok: [server1.example.com]
ok: [server2.example.com]
ok: [server3.example.com]

PLAY RECAP 
server1.example.com      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
server2.example.com      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
server3.example.com      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

 

The ansible-vault encrypt command can be used to encrypt ping.yml.

ansible-vault encrypt ping.yml

 

You will be prompted to create a new vault password, and then to confirm it.

New Vault password:
Confirm New Vault password:

 

Attempting to view the file using a normal command such as cat will now display only the vault header and the hex-encoded ciphertext, something like this. The first line is the header, which records the vault format version (1.1) and the cipher (AES256); it reveals that the file is a vault, but nothing about the password.

$ANSIBLE_VAULT;1.1;AES256
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531

 

Now when running ping.yml using the ansible-playbook command, the --ask-vault-pass option can be used. Without one of the vault options, ansible-playbook will fail, because it has no vault secret with which to decrypt the file.

ansible-playbook ping.yml --ask-vault-pass

 

And you will be prompted for the vault password.

Vault password:

 

Or, to avoid being prompted for the vault password, you could create a vault password file and then use the --vault-password-file command line option (if you are going to use the same password for all of your vault-encrypted files). The file holds the password in plain text, so protect it with chmod 600, keep it out of version control, and treat it as you would any other credential:

ansible-playbook ping.yml --vault-password-file /usr/local/vault/.vault_password.txt

 

Or the --vault-id command line option (if you want to use different passwords). The part before the @ is a label that identifies the password; the part after it is the password file (or prompt, to be asked for it interactively). When a file is encrypted with --vault-id, the label is recorded in its header (for example $ANSIBLE_VAULT;1.2;AES256;test). By default Ansible tries every supplied vault secret against a file regardless of label; set vault_id_match = True in the [defaults] section of ansible.cfg to require the labels to match.

ansible-playbook ping.yml --vault-id test@/usr/local/ansible/vault/.vault_password.txt

 

Either way, the playbook should return the same result it did before encryption, since Ansible decrypts ping.yml in memory before running it:


PLAY [all] 

TASK [ping] 
ok: [server1.example.com]
ok: [server2.example.com]
ok: [server3.example.com]

PLAY RECAP 
server1.example.com      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
server2.example.com      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
server3.example.com      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

 



Comments


May 8th, 2022 by Surya
Great content. Can you please advise how to encrypt ansible_ssh_pass and ansible_become_pass alone, rather than encrypting the whole *.yml file, so that ansible-playbook runs without any password prompting?


May 9th, 2022 by Jeremy (moderator)
You might be able to use ansible-vault encrypt_string to encrypt ansible_ssh_pass and ansible_become_pass (see http://www.freekb.net/Article?id=2426). Or, you could see if --ansible-vault-password would work (see http://www.freekb.net/Article?id=2729).

Web design by yours truly - me, myself, and I   |   jeremy.canfield@freekb.net   |