If you are not familiar with the Ansible Vault, check out my article Getting Started with the Ansible Vault.
The ansible-vault command can be used to perform a number of tasks.
- ansible-vault create - create an encrypted file
- ansible-vault decrypt - decrypt and encrypted file
- ansible-vault edit - edit an encrypted file
- ansible-vault encrypt - encrypt a non-encrypted file
- ansible-vault encrypt_string - encrypt a string
- ansible-vault rekey - change password used to view or decrypt an encrypted file
- ansible-vault view - view the cleartext contents of an encryped file
Additionally, there are a few command line options to be aware of.
- --ask-vault-pass - prompt for the vault password
- --vault-id - use a specific users password in a file
- --vault-password-file - use a single password in a file
For example, let's say ping.yml is unencrypted. When unencrypted, ping.yml can be viewed using common commands, such as cat.
cat ping.yml
Let's say ping.yml contains the following.
---
- hosts: all
gather_facts: false
tasks:
- ping:
...
ping.yml can be invoked using the ansible-playbook command.
ansible-playbook ping.yml
Which should return something like this.
PLAY [all]
TASK [ping]
ok: [server1.example.com]
ok: [server2.example.com]
ok: [server3.example.com]
PLAY RECAP
server1.example.com : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
server2.example.com : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
server3.example.com : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
The ansible-vault encrypt command can be used to encrypt ping.yml.
ansible-vault encrypt ping.yml
You will be prompted to create a new vault password.
New Vault password:
Attempting to view the file using a normal command such as cat will display something like this.
$ANSIBLE_VAULT;1.1;AES256
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531
Now when running ping.yml using the ansible-playbook command, the --ask-vault-pass option can be used.
ansible-playbook ping.yml --ask-vault-pass
And you will be prompted for the vault password.
Vault password:
Or, to avoid being prompted for the vault password, you could create a Vault Password file, and then use the --vault-password-file command line option (if you are going to use the same password for all of the ansible-vault commands) . . .
ansible-playbook ping.yml --vault-password-file /usr/local/ansible/vault/.vault_password.txt
Or the --vault-id command line option (if you want to use different passwords)
ansible-playbook ping.yml --vault-id test@/usr/local/ansible/vault/.vault_password.txt
Or you could set the vault_password_file directive in your ansible.cfg file.
[defaults]
vault_password_file = /usr/local/ansible/vault/.vault_password.txt
In this scenario, you wouldn't need to use any of the vault password command line options (--ask-vault-pass, --vault-password-file, --vault-id).
ansible-playbook ping.yml
Which should return something like this, which shows the same exact result with the encrypted ping.yml file as compared to the non-encrypted ping.yml file.
PLAY [all]
TASK [ping]
ok: [server1.example.com]
ok: [server2.example.com]
ok: [server3.example.com]
PLAY RECAP
server1.example.com : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
server2.example.com : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
server3.example.com : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Did you find this article helpful?
If so, consider buying me a coffee over at