Generally speaking, when you have sensitive data that needs to be encrypted, there are two main approaches.
- Store the encrypted data in a variable
- Copy the encrypted file to each managed node
By far, option 1 is preferred, and this article describes option 1. However, if for some reason option 1 is not feasible, refer to How to copy an encrypted file to each managed node.
Let's say you have a file named locker.yml that contains the following.
test_password: itsasecret
prod_password: hGn4!kD98A
And you have encrypted locker.yml using the ansible-vault create or ansible-vault encrypt command. Attempting to view the locker.yml file using the cat command will display something like this.
$ANSIBLE_VAULT;1.1;AES256
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531
The ansible-vault view command can be used to view the content of the locker.yml file.
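As an added example (not part of the article or of Ansible's own code), here is a small Python parser for the $ANSIBLE_VAULT;1.1;AES256 envelope shown above, plus a check that a candidate vault password matches the payload's HMAC without decrypting it. It follows the payload layout and key derivation Ansible uses for AES256 vaults; the function names are my own.

```python
import binascii
import hashlib
import hmac

# The vault text shown in the article. Its ciphertext is a single AES block,
# so it cannot hold the full locker.yml, but the envelope layout is exactly
# what ansible-vault writes.
VAULT_TEXT = """$ANSIBLE_VAULT;1.1;AES256
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531
"""


def parse_vault(text):
    """Split a vault envelope into (salt, hmac_tag, ciphertext) bytes.

    The body is hex text; decoded, it holds three newline-separated hex
    strings: a 32-byte salt, an HMAC-SHA256 tag over the ciphertext, and the
    AES-CTR ciphertext (PKCS7 padded, so always a multiple of 16 bytes).
    """
    lines = text.strip().splitlines()
    fields = lines[0].split(";")
    # 1.2 envelopes add a vault id as a fourth field; the body is the same.
    if fields[0] != "$ANSIBLE_VAULT" or fields[1] not in ("1.1", "1.2") or fields[2] != "AES256":
        raise ValueError("not an $ANSIBLE_VAULT AES256 payload")
    body = binascii.unhexlify("".join(lines[1:]))
    salt_hex, tag_hex, cipher_hex = body.split(b"\n", 2)
    salt, tag, ciphertext = (binascii.unhexlify(h) for h in (salt_hex, tag_hex, cipher_hex))
    if len(salt) != 32 or len(tag) != 32 or len(ciphertext) % 16:
        raise ValueError("vault payload is truncated or corrupted")
    return salt, tag, ciphertext


def vault_password_matches(text, password):
    """Check a vault password against the HMAC tag without decrypting.

    Ansible derives 80 bytes with PBKDF2-HMAC-SHA256 (10000 rounds): bytes
    0-31 are the AES key, 32-63 the HMAC key, 64-79 the IV. A wrong password
    yields a different HMAC key, so the tag comparison fails.
    """
    salt, tag, ciphertext = parse_vault(text)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10000, dklen=80)
    expected = hmac.new(derived[32:64], ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    salt, tag, ct = parse_vault(VAULT_TEXT)
    print(f"salt {salt.hex()[:16]}... tag {tag.hex()[:16]}... ciphertext {len(ct)} bytes")
    print("password matches:", vault_password_matches(VAULT_TEXT, "itsasecret"))
```

This is handy in CI to confirm that a vault password file still matches every vault blob in a repository before a deploy fails at runtime.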
Alternatively, you could create a variable that contains the encrypted vault string, like this. The "bar" variable could also be defined in other ways, such as in the vars/main.yml file or in a group_vars file. Refer to Getting Started with Variables to understand the many different ways that the "bar" variable could be defined.
---
- hosts: localhost
  vars:
    bar: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      66303833643731313633343266616162613965636161313534376563383639646463376630626635
      3136316663626536303061333531303234616562323637330a373633393736393863373566623261
      65643764336263613730666665663763383063386137383331386136366232666637626566653032
      3933393061666138650a656238386665343838613833643435623932306539633138376533613039
      6531
  tasks:
  - name: display locker.yml
    debug:
      var: bar
...
Running the ansible-playbook command with the --ask-vault-pass flag . . .
ansible-playbook foo.yml --ask-vault-pass
. . . should prompt you for the vault password that was used to encrypt locker.yml.
Vault password:
Assuming you provide the correct vault password, something like this should be returned.
TASK [display locker.yml]
ok: [localhost] => {
"bar": "test_password: itsasecret\n\nprod_password: hGn4!kD98A\n"
}
Better yet, the password that was used to encrypt locker.yml could be stored in a file, such as .vault_password.txt.
echo "itsasecret" > .vault_password.txt
Then restrict the permissions on .vault_password.txt so that only the owner of the file can read and write it.
chmod 0600 .vault_password.txt
And now the --vault-password-file command line option can be used.
ansible-playbook foo.yml --vault-password-file /usr/local/vault/.vault_password.txt
Be aware that if you attempt to use split on the bar variable, the following will be returned. Refer to Resolve "ansible.parsing.yaml.objects.AnsibleVaultEncryptedUnicode object has no attribute split" for the steps on how to resolve this issue using the string filter.
TASK [display the content of the 'passwords' variable]
fatal: [localhost]: FAILED! => {"msg": "
The task includes an option with an undefined variable.
The error was: 'ansible.parsing.yaml.objects.AnsibleVaultEncryptedUnicode object' has no attribute 'split'\n\n
The error appears to be in '/usr/local/ansible/testing.yml': line 17, column 7, but may be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:
- name: display the contents of the 'passwords' variable
^ here