Ansible Vault encrypts sensitive data, such as passwords, API tokens and private keys, so that it can live in the same repository as your playbooks without being readable in plaintext.
For example, say you have a playbook that contains sensitive information, such as a user's password. This is insecure: anyone with read access to the playbook (or to the version control history it is checked into) can see the password.
---
- hosts: all
  tasks:
    - user:
        name: john.doe
        password: itsasecret
        state: present
...
The ansible-vault create command is often used to create an encrypted file in the group_vars/all directory, so that the variables in the encrypted file are available to all hosts. The file does not need to be named vault.yml; it can be named anything you want, although vault.yml, holding variables prefixed with vault_, is a widely used convention that makes vaulted variables easy to spot when grepping a playbook.
ansible-vault create group_vars/all/vault.yml
You will be prompted to create a new vault password.
New Vault password:
Or, to avoid being prompted for the vault password, you could create a vault password file and use the --vault-password-file command line option (if you are going to use the same password for all of the ansible-vault commands). The file holds the password on its first line, or, if it is executable, Ansible runs it and uses its standard output as the password. Either way the file contains or produces the vault password in plaintext, so give it restrictive permissions (chmod 600) and keep it out of version control.
ansible-vault create --vault-password-file /usr/local/ansible/vault/.vault_password.txt group_vars/all/vault.yml
Or the --vault-id label@source command line option (if you want to use different passwords for different files). The label is recorded in the header of the encrypted file, so Ansible can tell which password belongs to it.
ansible-vault create --vault-id test@/usr/local/ansible/vault/.vault_password.txt group_vars/all/vault.yml
Or you could set the vault_password_file directive in your ansible.cfg file (the ANSIBLE_VAULT_PASSWORD_FILE environment variable does the same). In this scenario, you wouldn't need to use any of the vault password command line options (--ask-vault-pass, --vault-password-file or --vault-id).
[defaults]
vault_password_file = /usr/local/ansible/vault/.vault_password.txt
The file will open in the editor named by your EDITOR environment variable (vi if it is unset). Let's say you enter vault_default_password: itsasecret and save vault.yml. ansible-vault creates the file with mode 0600, so on a Linux system vault.yml will have owner and permissions like the following. In this example, only john.doe can read and write vault.yml.
-rw-------. 1 john.doe john.doe 355 Mar 16 18:48 group_vars/all/vault.yml
Attempting to view the file with the cat command will display something like this: a header naming the format version and the cipher, followed by a hex-encoded body that carries the salt, an HMAC-SHA256 over the ciphertext, and the AES-256-CTR ciphertext itself. Use ansible-vault view to see the decrypted content and ansible-vault edit to change it.
$ANSIBLE_VAULT;1.1;AES256
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531
If the file was encrypted with --vault-id, the format version becomes 1.2 and the vault id (test in this example, matching the label passed to ansible-vault create above) is appended to the header.
$ANSIBLE_VAULT;1.2;AES256;test
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531
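The encrypted body above has a fixed layout, and knowing it explains what the vault password is actually protecting you from. The following is an added example, not code from this article or from Ansible: a standard-library-only parser for the envelope that derives the keys the way Ansible's AES256 vault does (PBKDF2-HMAC-SHA256, 10000 iterations, 80 bytes split into AES key, HMAC key and IV) and verifies the HMAC-SHA256 that seals the ciphertext. That check alone tells you whether a candidate password is correct, which is exactly what an offline guessing attack against a leaked vault.yml does, so the strength of the vault password is the whole game. AES-CTR decryption of the payload is deliberately left out; the build_envelope helper exists so the parser can be exercised offline, and the password and ciphertext bytes fed to it are constructed for the demo, not taken from the file shown on this page.

```python
"""Parse an Ansible Vault AES256 envelope and check a candidate vault password.

Added example, not code from the article or from Ansible. It reimplements
only the format and authentication layer: PBKDF2-HMAC-SHA256 (10000
iterations) stretches the password into an AES key, an HMAC key and an
AES-CTR IV, and an HMAC-SHA256 over the raw ciphertext seals the file.
Verifying that HMAC is enough to tell whether a password is right, which is
what an offline guessing attack does. Decrypting the payload is left out.
"""
import binascii
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 10000  # hard-coded in Ansible's VaultAES256
KEY_LENGTH = 32            # AES-256 key and HMAC-SHA256 key, in bytes
IV_LENGTH = 16             # AES block size, used as the CTR counter block
SALT_LENGTH = 32           # ansible-vault draws the salt from os.urandom(32)
LINE_WIDTH = 80            # the hex body is wrapped at 80 columns


def derive_keys(password, salt):
    """Split the 80-byte PBKDF2 output into (aes_key, hmac_key, iv) as Ansible does."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   PBKDF2_ITERATIONS, dklen=2 * KEY_LENGTH + IV_LENGTH)
    return (material[:KEY_LENGTH],
            material[KEY_LENGTH:2 * KEY_LENGTH],
            material[2 * KEY_LENGTH:])


def parse_envelope(vault_text):
    """Return the header fields and the decoded salt, HMAC and ciphertext of a vault file."""
    lines = [line.strip() for line in vault_text.strip().splitlines()]
    header = lines[0].split(";")
    if len(header) < 3 or header[0] != "$ANSIBLE_VAULT" or header[2] != "AES256":
        raise ValueError("not an AES256 Ansible Vault file: %r" % lines[0])
    # Body layout: hex( hex(salt) + "\n" + hex(hmac) + "\n" + hex(ciphertext) )
    body = binascii.unhexlify("".join(lines[1:]))
    salt_hex, hmac_hex, ciphertext_hex = body.split(b"\n", 2)
    return {
        "version": header[1],
        "cipher": header[2],
        "vault_id": header[3] if len(header) > 3 else None,  # present only in 1.2
        "salt": binascii.unhexlify(salt_hex),
        "hmac": binascii.unhexlify(hmac_hex),
        "ciphertext": binascii.unhexlify(ciphertext_hex),
    }


def password_matches(vault_text, password):
    """True if password is the one that sealed vault_text, judged by the HMAC alone."""
    parts = parse_envelope(vault_text)
    _aes_key, hmac_key, _iv = derive_keys(password, parts["salt"])
    expected = hmac.new(hmac_key, parts["ciphertext"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, parts["hmac"])


def crack(vault_text, candidates):
    """Return the first candidate that verifies, or None: the offline attack in miniature."""
    for candidate in candidates:
        if password_matches(vault_text, candidate):
            return candidate
    return None


def build_envelope(password, ciphertext, vault_id=None, salt=None):
    """Package ciphertext the way ansible-vault does, so the checker can be run offline.

    Real files hold AES-256-CTR output; the caller supplies the bytes here because
    AES is not in the standard library. The HMAC layer cannot tell the difference,
    which is the point: it authenticates bytes, whatever they are.
    """
    salt = salt or os.urandom(SALT_LENGTH)
    _aes_key, hmac_key, _iv = derive_keys(password, salt)
    digest = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    inner = b"\n".join(binascii.hexlify(part) for part in (salt, digest, ciphertext))
    outer = binascii.hexlify(inner).decode("ascii")
    labelled = bool(vault_id) and vault_id != "default"  # Ansible omits the "default" label
    header_parts = ["$ANSIBLE_VAULT", "1.2" if labelled else "1.1", "AES256"]
    if labelled:
        header_parts.append(vault_id)
    wrapped = [outer[i:i + LINE_WIDTH] for i in range(0, len(outer), LINE_WIDTH)]
    return "\n".join([";".join(header_parts)] + wrapped) + "\n"


if __name__ == "__main__":
    # Constructed demo: a made-up vault password and 48 placeholder ciphertext bytes.
    sample = build_envelope("s3cret-vault-pass", os.urandom(48), vault_id="test")
    print(sample)
    print("right password:", password_matches(sample, "s3cret-vault-pass"))
    print("wrong password:", password_matches(sample, "itsasecret"))
    print("wordlist hit:  ", crack(sample, ["password", "changeme", "s3cret-vault-pass"]))
```

Each guess costs one PBKDF2 run of 10000 iterations and one HMAC, which is cheap on modern hardware, so a vault password taken from a wordlist will not survive contact with a leaked file. Use a long random vault password, and remember that rotating it (ansible-vault rekey) is the only remedy once a file and its old password are both out.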
Now you can update your playbook to use the vault_default_password variable. Note that the user module's password parameter expects an already-crypted value, not plaintext, so pass the vaulted secret through the password_hash filter (or store the crypted hash in the vault instead of the plaintext). password_hash draws a fresh salt on every run, which makes the task report changed each time; give the filter a fixed salt as its second argument if the task needs to be idempotent.
---
- hosts: all
  tasks:
    - user:
        name: john.doe
        # the user module wants a crypted password, so hash the vaulted plaintext
        password: "{{ vault_default_password | password_hash('sha512') }}"
        state: present
...
When using the ansible-playbook command to run the playbook that contains the vault_default_password variable, you will have to decide how you want to provide the password that will be used to decrypt the group_vars/all/vault.yml file. One option would be to use the --ask-vault-pass command line option. This is probably the least ideal option, because it needs an interactive terminal and therefore cannot be used from cron jobs or CI pipelines.
ansible-playbook example.yml --ask-vault-pass
A slightly better option would be to use the --vault-password-file command line option. It works unattended, but the vault password now sits in plaintext on the control node, so the file must be readable only by the user running Ansible.
ansible-playbook example.yml --vault-password-file /usr/local/ansible/vault/.vault_password.txt
Or the --vault-id command line option (if your group_vars/all/vault.yml file was created using the --vault-id command line option, using the same label, test, that is recorded in the file's header).
ansible-playbook example.yml --vault-id test@/usr/local/ansible/vault/.vault_password.txt
Or set the vault_password_file directive in your ansible.cfg file. In this scenario, you wouldn't need to use any of the vault password command line options (--ask-vault-pass or --vault-password-file or --vault-id).
[defaults]
vault_password_file = /usr/local/ansible/vault/.vault_password.txt
However, my favorite option is to:
- Create an Amazon Web Services (AWS) Secret that contains the Ansible Vault password
- Create an AWS Lambda function that gets the Ansible Vault password from the Secret
- Create an AWS API Gateway that forwards GET requests to the Lambda function
- Create a script (such as a Python script) that submits a GET request to the API Gateway, which should return the Ansible Vault password
For a walkthrough on this, check out my article Get Ansible Vault password from Amazon Web Services (AWS) Secrets Manager. You would then have the --vault-password-file command line option reference the script that returns the Ansible Vault password from Amazon Web Services. Ansible runs a vault password file that is executable (chmod +x) and takes the password from the script's standard output, so the script must print the password and nothing else, and it should exit non-zero when the lookup fails so that Ansible stops with a clear error instead of trying an empty password. The API Gateway endpoint must be protected (authentication and a narrow allow-list of callers), because whoever can issue that GET request holds the vault password.
ansible-playbook example.yml --vault-password-file ./ansibleVault.py