This assumes you are already familiar with making an SSH connection to target servers using Ansible. If not, check out my article Ansible - Getting Started with SSH.
If you are using basic auth to connect to target servers (username / password), this is typically first done with the --ask-pass command line flag, during testing/development. However, once your testing is done, there often is a need to figure out how to make the SSH connection without the --ask-pass command line flag. You could configure the default hosts file with your SSH username and password, but this isn't ideal, since your cleartext SSH password would be in the default hosts file. Better options are:
- vault encrypted SSH password in group_vars (this article)
- vault encrypted SSH password in vars_files
Almost always, a vault encrypted SSH password in group_vars is used. However, let's say you have a playbook with two (or more) plays, where only one of the plays should use a vault encrypted SSH password. This is a scenario where it may make sense to create a vault encryped file with your SSH password in a vars file.
---
- name: first play
hosts: all
tasks:
- include_role:
name: foo
- name: second play
hosts: all
vars_files:
- vars/ssh.yml
tasks:
- include_role:
name: bar
...
Create the groups_vars/all directory.
mkdir --parents group_vars/all
Create a hidden TXT file that will contain the password you will use for your Ansible Vault. This file does not need to reside in the group_vars/all directory, but for this example, it makes sense to create the hidden TXT file in the group_vars/all directory.
touch group_vars/all/.vault_password.txt
Append some random password to the hidden .vault_password.txt file.
echo 'abc123xyz456' > group_vars/all/.vault_password.txt
Update the hidden .vault_password.txt file to be read only.
chmod 0400 group_vars/all/.vault_password.txt
Use the ansible-vault create command is used to create an encrypted file. The password.yml file will open in your default editor. Enter your SSH password and save password.yml.
ansible-vault create password.yml --vault-password-file group_vars/all/.vault_password.txt
Use the cat command to view the encrypted data returned by password.yml.
$ANSIBLE_VAULT;1.1;AES256
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531
Create a YAML file in the group_vars/all directory. It doesn't matter what the name of the YAML file is as long as it's in the group_vars/all directory.
group_vars/all/ssh.yml
Update the YAML file to contain your SSH username and the encrypted content of password.yml.
IMPORTANT - Indentation matters here. There must be exactly 2 spaces before the encrypted password string
ansible_connection: ssh
ansible_user: john.doe
ansible_ssh_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531
Remove the password.yml file, as it is no longer needed, since the encrypted password is now in the YAML file in the group_vars/all directory.
rm password.yml
You should now be able to connect to target servers and by default, the connection will using the SSH details in the YAML file in the group_vars/all directory. However, you are going to need to decrypt the group_vars/all/ssh.yml file. One way to do this is to include the --vault-password-file option on the command line.
ansible-playbook example.yml --inventory inventory.yml --vault-password-file group_vars/all/.vault_password.txt
Better yet, you could define vault_password_file your users personal ansible.cfg (e.g. /home/john.doe/ansible.cfg).
[defaults]
vault_password_file = /home/john.doe/.vault_password.txt
And then you should be able to run the ansible-playbook command without having to include the --vault-password-file option on the command line.
ansible-playbook example.yml --inventory inventory.yml
Did you find this article helpful?
If so, consider buying me a coffee over at 