If you are not familiar with the Ansible Vault, check out my article Getting Started with the Ansible Vault.
The ansible-vault command can be used to perform a number of tasks.
- ansible-vault create - create an encrypted file
- ansible-vault decrypt - decrypt an encrypted file
- ansible-vault edit - edit an encrypted file
- ansible-vault encrypt - encrypt a non-encrypted file
- ansible-vault encrypt_string - encrypt a string
- ansible-vault rekey - change the password used to view or decrypt an encrypted file
- ansible-vault view - view the cleartext contents of an encrypted file
Additionally, there are a few command line options to be aware of.
- --ask-vault-pass - prompt for the vault password
- --vault-id - use a specific user's password in a file
- --vault-password-file - use a single password in a file
This assumes you have created the Ansible Vault password file. Let's say the password file is:
/usr/local/vault/.vault_password.txt
A vault password file can be used to provide the vault password when:
- Copying an encrypted file to managed nodes using the copy module
- Creating a new encrypted file using the ansible-vault create command
- Creating an encrypted key:value pair using the ansible-vault encrypt_string command
- Decrypting an encrypted file using the ansible-vault decrypt command
- Editing an encrypted file using the ansible-vault edit command
- Encrypting an unencrypted file using the ansible-vault encrypt command
- Viewing the content of an encrypted file using the ansible-vault view command
For example, you can view an encrypted file (foo.txt) by including the --vault-password-file command line option and you will not be prompted for the vault password.
ansible-vault --vault-password-file /usr/local/vault/.vault_password.txt view foo.txt
Instead of using the --vault-password-file command line option, you can use the ANSIBLE_VAULT_PASSWORD_FILE environment variable. The export command can be used to temporarily define the ANSIBLE_VAULT_PASSWORD_FILE environment variable.
However, this doesn't make much sense, because then you would have to issue the export command every time you connect to the Ansible system. Instead, you can permanently define the ANSIBLE_VAULT_PASSWORD_FILE environment variable in your user's hidden .bash_profile file (e.g. /home/john.doe/.bash_profile).
export ANSIBLE_VAULT_PASSWORD_FILE=/usr/local/vault/.vault_password.txt
The echo command can be used to confirm the ANSIBLE_VAULT_PASSWORD_FILE environment variable contains the path to your vault password file.
~]# echo $ANSIBLE_VAULT_PASSWORD_FILE
/usr/local/vault/.vault_password.txt
Or, you could define vault_password_file in the [defaults] section of your user's personal ansible.cfg (e.g. /home/john.doe/ansible.cfg).
[defaults]
vault_password_file = /home/john.doe/.vault_password.txt
You should now be able to issue ansible-vault commands without being prompted for the vault password and without having to use the --vault-password-file or --vault-id command line options.
ansible-vault view foo.txt
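The vault password file holds the password in cleartext, and Ansible treats an executable password file as a script whose output is the password, so it is worth auditing the file before pointing ANSIBLE_VAULT_PASSWORD_FILE or vault_password_file at it. The shell function below is an added example, not part of the original article; the name check_vault_password_file is hypothetical, and it assumes a Linux stat that supports the -c option.

```shell
#!/bin/sh
# Added example (not from the original article): audit a vault password file.
# Assumes GNU or BusyBox stat (-c option). The function name is hypothetical.

check_vault_password_file() {
    # Use the argument, else the environment variable described in the article.
    file="${1:-${ANSIBLE_VAULT_PASSWORD_FILE:-}}"
    problems=0

    if [ -z "$file" ]; then
        echo "ERROR: no path given and ANSIBLE_VAULT_PASSWORD_FILE is unset" >&2
        return 2
    fi
    if [ ! -f "$file" ]; then
        echo "ERROR: $file does not exist or is not a regular file" >&2
        return 2
    fi

    mode=$(stat -L -c '%a' "$file")     # octal permissions, e.g. 600
    owner=$(stat -L -c '%u' "$file")    # numeric uid of the owner

    # The password is stored in cleartext: group and other need no access.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "WARN: $file is mode $mode; group/other have access (use chmod 600)" >&2
        problems=$((problems + 1))
    fi
    # An executable password file is run as a script by Ansible, not read.
    if [ $(( 0$mode & 0111 )) -ne 0 ]; then
        echo "WARN: $file is executable; Ansible would run it instead of reading it" >&2
        problems=$((problems + 1))
    fi
    # The file should belong to the user who runs ansible-vault.
    if [ "$owner" != "$(id -u)" ]; then
        echo "WARN: $file is owned by uid $owner, not by the current user" >&2
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ] && echo "OK: $file (mode $mode)"
    [ "$problems" -eq 0 ]    # return 0 when clean, 1 when there are findings
}

# When run as a script with a path argument, check that path.
[ $# -eq 0 ] || check_vault_password_file "$1"
```

The function returns 0 when the file is clean, 1 when it reports findings, and 2 when the path is missing or unset.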