If you are not familiar with the Ansible Vault, check out my article Getting Started with the Ansible Vault.
Generally speaking, when you have sensitive data that needs to be encrypted, there are two main approaches.
- Store the encrypted data in a variable
- Copy the encrypted file to each managed node
By far, option 1 is the preferred approach. However, if option 1 is not feasible for some reason, this article describes how to copy an encrypted file to each managed node.
Let's say you used the ansible-vault create command to create a file named passwords.yml that contains sensitive data, perhaps something like this.
test_password: itsasecret
prod_password: hGn4!kD98A
Viewing passwords.yml with the cat command displays the encrypted vault envelope, something like this. To see the decrypted content, use the ansible-vault view command instead.
$ANSIBLE_VAULT;1.1;AES256
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531
Here is an example of how passwords.yml could be used with the copy module.
---
- hosts: all
  tasks:
    - name: copy passwords.yml to the /usr/local/secure directory
      copy:
        src: passwords.yml
        dest: /usr/local/secure/passwords.yml
        owner: root
        group: root
        mode: '0600'
...
Let's say you issue the ansible-playbook command like this.
ansible-playbook foo.yml
The following error is returned.
TASK [copy passwords.yml to the /usr/local/secure directory]
fatal: [server1.example.com]: FAILED! => {"msg": "A vault password or secret must be specified to decrypt passwords.yml"}
Next, write the password that was used to encrypt passwords.yml to a file such as .vault_password.txt.
echo "itsasecret" > .vault_password.txt
Then restrict the permissions on .vault_password.txt so that only its owner can read and write it.
chmod 0600 .vault_password.txt
The --vault-password-file option can then be passed on the command line.
ansible-playbook foo.yml --vault-password-file .vault_password.txt
On each managed node that passwords.yml was copied to, the copy module has already decrypted the file, so /usr/local/secure/passwords.yml holds the plaintext and contains the following.
test_password: itsasecret
prod_password: hGn4!kD98A
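Two checks worth running before the playbook, as an added example that is not part of the original article or of Ansible's own code: confirm that the passwords.yml about to be committed really is a vault envelope rather than plaintext, and confirm that the password in .vault_password.txt matches the file, without decrypting anything. It parses the 1.1 envelope format shown above (header line, then hex that decodes to hex-encoded salt, HMAC and ciphertext separated by newlines), uses Ansible's documented AES256 key-derivation parameters, and takes the encrypted file from the article as its sample input; only the Python standard library is needed.

```python
import binascii
import hashlib
import hmac

# The encrypted passwords.yml exactly as shown in the article above.
SAMPLE_VAULT_FILE = """$ANSIBLE_VAULT;1.1;AES256
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531
"""

def parse_vault_envelope(text):
    """Split a vault 1.1 file into header fields plus raw salt, HMAC and ciphertext.
    Layout: header "$ANSIBLE_VAULT;<version>;<cipher>", then one hex body that itself
    decodes to "<salt hex>\\n<hmac hex>\\n<ciphertext hex>". ValueError if malformed."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("$ANSIBLE_VAULT;"):
        raise ValueError("missing $ANSIBLE_VAULT header")
    fields = lines[0].split(";")
    if len(fields) < 3:
        raise ValueError("malformed header: %r" % lines[0])
    try:
        body = binascii.unhexlify("".join(lines[1:]))
        salt, mac, ciphertext = (binascii.unhexlify(p) for p in body.split(b"\n"))
    except (binascii.Error, ValueError) as exc:
        raise ValueError("malformed vault body: %s" % exc)
    return {"version": fields[1], "cipher": fields[2],
            "salt": salt, "hmac": mac, "ciphertext": ciphertext}

def is_vault_encrypted(text):
    """True only for a structurally valid envelope; plaintext passwords.yml gives False."""
    try:
        parse_vault_envelope(text)
        return True
    except ValueError:
        return False

def vault_password_matches(text, password):
    """Check a candidate vault password against the stored HMAC without decrypting.
    Ansible's AES256 scheme derives 80 bytes with PBKDF2-HMAC-SHA256 (10000 rounds):
    0-31 AES key, 32-63 HMAC key, 64-79 CTR IV; the HMAC covers the raw ciphertext."""
    env = parse_vault_envelope(text)
    if env["cipher"] != "AES256":
        raise ValueError("unsupported cipher %r" % env["cipher"])
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), env["salt"], 10000, dklen=80)
    expected = hmac.new(derived[32:64], env["ciphertext"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, env["hmac"])
```

Run is_vault_encrypted over passwords.yml in a pre-commit hook, and vault_password_matches over the contents of .vault_password.txt before invoking ansible-playbook, so a plaintext commit or a stale password file is caught early.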