If you are not familiar with the Ansible Vault, check out my article Getting Started with the Ansible Vault.
The ansible-vault command can be used to perform a number of tasks.
- ansible-vault create - create an encrypted file
- ansible-vault decrypt - decrypt and encrypted file
- ansible-vault edit - edit an encrypted file
- ansible-vault encrypt - encrypt a non-encrypted file
- ansible-vault encrypt_string - encrypt a string
- ansible-vault rekey - change password used to view or decrypt an encrypted file
- ansible-vault view - view the cleartext contents of an encryped file
Additionally, there are a few command line options to be aware of.
- --ask-vault-pass - prompt for the vault password
- --vault-id - use a specific users password in a file
- --vault-password-file - use a single password in a file
This assumes you have created the Ansible Vault password file. Let's say the password file is:
Let's say .vault_password.txt contains the following.
A vault password file can be used to provide the vault password when:
- Creating a new encrypted file using the ansible-vault create command
- Creating an encrypted key:value pair using the ansible-vault encrypt_string command
- Decrypting an encrypted file using the ansible-vault decrypt command
- Editing an encrypted file using the ansible-vault edit command
- Encrypting an unencrypted file using the ansible-vault encrypt command
- Viewing the content of an encrypted file using the ansible-vault view command
Let's say vault.yml was created using --vault-id with the "test" password.
~]$ ansible-vault create --vault-id prod@/usr/local/ansible/vault/.vault_password.txt vault.yml
In this example, vault.yml will contain the "test" id.
~]$ cat vault.yml
You can view vault.yml by including the --vault-id command line option and you will not be prompted for the vault password.
ansible-vault --vault-id test@/usr/local/ansible/vault/.vault_password.txt view vault.yml
Or, let's say you are using the --ask-pass flag with the ansible-playbook command.
ansible-playbook example.yml --ask-pass
You could instead use the --vault-password-file command line option. In this example, .vault_password.txt would be an unencrypted cleartext file that contains the password used to make an SSH connection to the managed nodes.
ansible-playbook example.yml --vault-password-file /usr/local/ansible/vault/.vault_password.txt
vault_password_file = /usr/local/ansible/vault/.vault_password.txt