The ansible-vault command can be used to perform a number of tasks.
- ansible-vault create - create an encrypted file
- ansible-vault decrypt - decrypt an encrypted file
- ansible-vault edit - edit an encrypted file
- ansible-vault encrypt - encrypt a non-encrypted file
- ansible-vault encrypt_string - encrypt a string
- ansible-vault rekey - change password used to view or decrypt an encrypted file
- ansible-vault view - view the cleartext contents of an encrypted file
Additionally, there are a few command line options to be aware of.
- --ask-vault-pass - prompt for the vault password
- --vault-id - use a specific user's password in a file
- --vault-password-file - use a single password in a file
Let's say you used the ansible-vault create command to create vault.yml, and vault.yml contains "Hello World".
The ansible-vault view command is used to view the content of a file that was encrypted by the ansible-vault create, ansible-vault edit or ansible-vault encrypt command.
Before viewing the file, you'll want to determine whether the file was encrypted using a particular vault id. The first line of the file tells you: in this example, the file was encrypted using the "test" id.
~]$ cat vault.yml
$ANSIBLE_VAULT;1.2;AES256;test
38626262613533326438383838363032346366643231633838393661633061633830383832643062
6666663233666435636165323038653462343732343264310a616532376238616537613832363565
63336561303230626332326436303830356335343061386333636131386435316633396464353832
3631303831333164610a393266346630313635313831626639303961663330333736393236373032
3062
The following command will view the file.
ansible-vault view vault.yml
You will be prompted for the vault password.
Vault password:
After providing the valid vault password, the content of the encrypted file will be displayed.
Hello World
To avoid being prompted for the vault password, the --vault-password-file command line option can be used if the file is not associated with a vault id.
ansible-vault view --vault-password-file /usr/local/ansible/vault/.vault_password.txt vault.yml
If the file is associated with a vault id, the --vault-id command line option can be used.
ansible-vault view --vault-id test@/usr/local/ansible/vault/.vault_password.txt vault.yml
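As an added example (not part of the original article), the following shell functions automate the header check described above: they read the first line of a vault file, report its vault id (or "default" when the 1.1-format header carries none), and build the matching ansible-vault view command with either --vault-id or --vault-password-file. The sample files and the password file path are constructed for the demonstration; only the header line is inspected, so no ansible installation is needed to run it.

```shell
#!/bin/sh
# Added example: inspect an ansible-vault header and pick the right view flags.
# Not code from the original article; the sample files below are constructed.

# vault_id_of FILE -> prints the vault id from the header line, or "default"
# when the header has no id field (format 1.1). Returns 1 if FILE does not
# start with the $ANSIBLE_VAULT marker (i.e. it is not a vault file).
vault_id_of() {
    hdr=$(head -n 1 "$1")
    case "$hdr" in
        '$ANSIBLE_VAULT;'*) ;;
        *) echo "not an ansible-vault file: $1" >&2; return 1 ;;
    esac
    # header fields: $ANSIBLE_VAULT ; version ; cipher [; vault-id]
    id=$(printf '%s\n' "$hdr" | cut -d';' -f4)
    if [ -z "$id" ]; then
        echo default
    else
        printf '%s\n' "$id"
    fi
}

# view_command FILE PASSFILE -> prints the ansible-vault view command line that
# matches the file's header: --vault-id LABEL@PASSFILE for a labelled file,
# --vault-password-file PASSFILE otherwise.
view_command() {
    id=$(vault_id_of "$1") || return 1
    if [ "$id" = default ]; then
        printf 'ansible-vault view --vault-password-file %s %s\n' "$2" "$1"
    else
        printf 'ansible-vault view --vault-id %s@%s %s\n' "$id" "$2" "$1"
    fi
}

# Constructed sample files: the hex body is a placeholder, only the header matters here.
tmp=$(mktemp -d)
printf '%s\n%s\n' '$ANSIBLE_VAULT;1.2;AES256;test' '3862626261353332' > "$tmp/labelled.yml"
printf '%s\n%s\n' '$ANSIBLE_VAULT;1.1;AES256' '3862626261353332' > "$tmp/plain.yml"
printf 'Hello World\n' > "$tmp/cleartext.yml"

# Usage: print the id and the command to run for each sample (password file path is hypothetical).
for f in "$tmp/labelled.yml" "$tmp/plain.yml"; do
    echo "$f -> vault id: $(vault_id_of "$f")"
    view_command "$f" /usr/local/ansible/vault/.vault_password.txt
done
```

The functions only parse the header, so they say which password file label is required; they do not check that the password in that file is actually the right one. Keep the password file readable by the invoking user alone, since anyone who can read it can decrypt every file encrypted under that id.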
Or you could set the vault_password_file directive in your ansible.cfg file.
[defaults]
vault_password_file = /usr/local/ansible/vault/.vault_password.txt
In this scenario, you wouldn't need to use any of the vault password command line options (--ask-vault-pass, --vault-password-file, --vault-id).
ansible-playbook example.yml
In a playbook, the shell module could be used to invoke the ansible-vault command. In this example, the register parameter is used to store the output in the "out" variable, and the debug module prints the stdout field of "out" to validate that it contains the plain text content of vault.yml.
---
- hosts: localhost
  tasks:
    # run ansible-vault view on the control node and capture its output
    - shell: "ansible-vault view vault.yml"
      register: out
    # print only the command's stdout, i.e. the decrypted content
    - debug:
        msg: "{{ out.stdout }}"
...
Which should output something like this.
ok: [localhost] => {
"msg": "Hello World"
}