Bootstrap FreeKB - Ansible - Copy an ansible vault encrypted file to managed nodes


If you are not familiar with the Ansible Vault, check out my article Getting Started with the Ansible Vault.

Generally speaking, when you have sensitive data that needs to be encrypted, there are two main approaches.

  1. Store the encrypted data in a variable
  2. Copy the encrypted file to each managed node

By far, option 1 is the preferred approach. However, if for some reason option 1 is not feasible, this article describes how to copy an encrypted file to each managed node.

Let's say you used the ansible-vault create command to create a file named passwords.yml that contains sensitive data, perhaps something like this.

test_password: itsasecret
prod_password: hGn4!kD98A


Attempting to view the passwords.yml file using the cat command displays only the encrypted form of the file. The ansible-vault view command can be used to view the decrypted content of passwords.yml.



Here is an example of how passwords.yml could be used with the copy module. The source file is the vault-encrypted passwords.yml on the control node; the task writes it to /usr/local/secure on each managed node, owned by root and readable only by root. The mode is quoted so that YAML does not parse 0600 as a number.

- hosts: all
  tasks:
    - name: copy passwords.yml to the /usr/local/secure directory
      copy:
        src: passwords.yml
        dest: /usr/local/secure/passwords.yml
        owner: root
        group: root
        mode: '0600'


Let's say you issue the ansible-playbook command like this.

ansible-playbook foo.yml


The following should be returned.

TASK [copy passwords.yml to the /usr/local/secure directory] 
fatal: []: FAILED! => {"msg": "A vault password or secret must be specified to decrypt passwords.yml"}


Let's write the password that was used to encrypt passwords.yml to a file such as .vault_password.txt.

echo "itsasecret" > .vault_password.txt


Then restrict the permissions on .vault_password.txt so that only the owner of the file can read and write it.

chmod 0600 .vault_password.txt


The --vault-password-file command line option can then be used to point ansible-playbook at that file.

ansible-playbook foo.yml --vault-password-file .vault_password.txt


On each managed node that passwords.yml was copied to, the /usr/local/secure/passwords.yml file will be decrypted (the copy module decrypts a vault-encrypted source file on the way to the managed node once a vault password is available), so that /usr/local/secure/passwords.yml contains the following.

test_password: itsasecret
prod_password: hGn4!kD98A




February 10 2023 by prashanth
I want to copy my encrypted vault file from local to the remote server, and I want the file to remain encrypted on the remote host as well. What modules and commands should I use?

February 10 2023 by Jeremy (moderator)
The copy module can be used to copy a file from one system to another, and the file will remain encrypted, since the copy module does not change or modify the file; it is just copying from one system to another.
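Whether the file lands on the managed node decrypted (as the article shows above) or still vault-encrypted (as asked in the comment; the copy module's decrypt option, which defaults to yes, controls this), the first line of the file tells you which state it is in: a vault-encrypted file starts with a header of the form $ANSIBLE_VAULT;<version>;<cipher>[;<vault_id>], for example $ANSIBLE_VAULT;1.1;AES256. The following is an added example, not FreeKB's code or part of Ansible, that checks a set of files for that header and reports any that are plaintext yet look like they hold credentials. The key-name heuristic and both sample files are constructed here; the hex body of the "encrypted" sample is filler, not real ciphertext.

```python
#!/usr/bin/env python3
"""Check whether files are still Ansible Vault encrypted or have landed in plaintext.

Added example (not FreeKB's or Ansible's code). Assumes only the documented
vault header format on the first line:
    $ANSIBLE_VAULT;<version>;<cipher>[;<vault_id>]
"""
import os
import tempfile
from typing import Iterable, List, NamedTuple, Optional

VAULT_MAGIC = "$ANSIBLE_VAULT"

# Constructed sample: a vault-encrypted passwords.yml as it sits on disk.
# The hex body is filler, not real ciphertext.
ENCRYPTED_SAMPLE = "$ANSIBLE_VAULT;1.1;AES256\n" + "3961626364656667" * 4 + "\n"

# Constructed sample: the same file after the copy module decrypted it
# (the values are the ones used in the article above).
DECRYPTED_SAMPLE = "test_password: itsasecret\nprod_password: hGn4!kD98A\n"


class VaultHeader(NamedTuple):
    version: str
    cipher: str
    vault_id: Optional[str]


def parse_vault_header(first_line: str) -> Optional[VaultHeader]:
    """Return the parsed header if the line is a vault header, otherwise None."""
    parts = first_line.strip().split(";")
    # Three fields without a vault id, four with one; anything else is not a header.
    if len(parts) not in (3, 4) or parts[0] != VAULT_MAGIC:
        return None
    version, cipher = parts[1], parts[2]
    if not version or not cipher:
        return None
    vault_id = parts[3] if len(parts) == 4 else None
    return VaultHeader(version, cipher, vault_id)


def is_vault_encrypted(text: str) -> bool:
    """True when the content begins with a vault header."""
    first_line = text.split("\n", 1)[0]
    return parse_vault_header(first_line) is not None


def find_plaintext_secrets(paths: Iterable[str],
                           marker_keys=("password", "secret", "token")) -> List[str]:
    """Return the paths that are NOT vault-encrypted and contain a YAML key whose
    name includes one of marker_keys. The key list is a constructed heuristic."""
    exposed = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        if is_vault_encrypted(text):
            continue  # still encrypted; nothing readable on disk
        for line in text.splitlines():
            key = line.split(":", 1)[0].strip().lower()
            if any(marker in key for marker in marker_keys):
                exposed.append(path)
                break
    return exposed


def demo() -> List[str]:
    """Write both constructed samples to a temp dir and report the exposed one."""
    with tempfile.TemporaryDirectory() as tmp:
        enc = os.path.join(tmp, "passwords.vault.yml")
        dec = os.path.join(tmp, "passwords.yml")
        with open(enc, "w", encoding="utf-8") as fh:
            fh.write(ENCRYPTED_SAMPLE)
        with open(dec, "w", encoding="utf-8") as fh:
            fh.write(DECRYPTED_SAMPLE)
        return [os.path.basename(p) for p in find_plaintext_secrets([enc, dec])]


if __name__ == "__main__":
    print("plaintext files holding credential-like keys:", demo())
```

Run it on the control node against a fetched copy of /usr/local/secure/passwords.yml, or ship it with a command task, to confirm that a file you intended to keep encrypted did not arrive decrypted.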
