Bootstrap FreeKB - Ansible - ansible-vault encrypt command
Ansible - ansible-vault encrypt command

Updated:   |  Ansible articles

The ansible-vault command can be used to perform a number of tasks.

Additionally, there are a few command line options to be aware of.

 

The ansible-vault encrypt command can be used to encrypt a non-encrypted file. For example, let's say ping.yml is unencrypted. When unencrypted, ping.yml can be viewed using common commands, such as cat.

cat ping.yml

 

Let's say ping.yml contains the following.

---
- hosts: all
  gather_facts: false
  tasks:
    - ping:
...

 

ping.yml can be invoked using the ansible-playbook command.

ansible-playbook ping.yml

 

Which should return something like this.

PLAY [all] 

TASK [ping] 
ok: [server1.example.com]
ok: [server2.example.com]
ok: [server3.example.com]

PLAY RECAP 
server1.example.com      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
server2.example.com      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
server3.example.com      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

 

The ansible-vault encrypt command can be used to encrypt ping.yml.

ansible-vault encrypt ping.yml

 

You will be prompted to create a new vault password.

New Vault password:

 

Or, to avoid being prompted for the vault password, you could create a Vault Password file, and then use the --vault-password-file command line option (if you are going to use the same password for all of the ansible-vault commands) . . .

ansible-vault encrypt --vault-password-file /usr/local/vault/.vault_password.txt ping.yml

 

Or the --vault-id command line option (if you want to use different passwords) 

ansible-vault encrypt --vault-id test@/usr/local/ansible/vault/.vault_password.txt ping.yml

 

On a Linux system, ping.yml could have the following owner and permissions. In this example, only john.doe can read and write to foo.txt.

-rw-------. 1 john.doe john.doe  355 Mar 16 18:48 ping.yml

 

Attempting to view the file using a normal command such as cat will display something like this.

$ANSIBLE_VAULT;1.1;AES256
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531

 

If the file was encrypted with a vault id, the vault id (test in this example) will be included.

$ANSIBLE_VAULT;1.1;AES256;test
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531

 

Now when running ping.yml using the ansible-playbook command, the --ask-vault-pass option can be used.

ansible-playbook ping.yml --ask-vault-pass

 

And you will be prompted for the vault password.

Vault password:

 

Or, to avoid being prompted for the vault password, you could create a Vault Password file, and then use the --vault-password-file command line option (if you are going to use the same password for all of the ansible-vault commands) . . .

ansible-playbook ping.yml --vault-password-file /usr/local/ansible/vault/.vault_password.txt

 

Or the --vault-id command line option (if you want to use different passwords) 

ansible-playbook ping.yml --vault-id test@/usr/local/ansible/vault/.vault_password.txt

 

Or you could set the vault_password_file directive in your ansible.cfg file.

[defaults]
vault_password_file = /usr/local/ansible/vault/.vault_password.txt

 

In this scenario, you wouldn't need to use any of the vault password command line options (--ask-vault-pass--vault-password-file--vault-id).

ansible-playbook example.yml

 

Which should return something like this, which shows the same exact result with the encrypted ping.yml file as compared to the non-encrypted ping.yml file.


PLAY [all] 

TASK [ping] 
ok: [server1.example.com]
ok: [server2.example.com]
ok: [server3.example.com]

PLAY RECAP 
server1.example.com      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
server2.example.com      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
server3.example.com      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

 




Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee



Comments


Add a Comment


Please enter 4368eb in the box below so that we can be sure you are a human.