Ansible : Vault

Ansible Vault provides a simple way to encrypt secrets, so you don't expose sensitive data in your playbooks.

Useful Resources

There is a vagrant build for the virtual machines used in these examples here.

There is a GitHub repository of the scripts used in the examples here.

Create a New Vault

We create a new vault using the "ansible-vault" command with the "create" option. It prompts us for a vault password and drops us into the default editor to enter data in the vault. We enter the data in plain text, just as if it were a host variable file, then save and exit.

$ ansible-vault create my_vault.yml
New Vault password:
Confirm New Vault password:

In this case I used the vault password of "Password123" and gave it the following content.

cdb1_sys_password: SysPassword1

We check the contents of the resulting vault file and we can see it's encrypted.

$ cat my_vault.yml

The "view" option allows us to see the content in its unencrypted state.

$ ansible-vault view my_vault.yml
Vault password:
cdb1_sys_password: SysPassword1

The "edit" option drops us back into the editor, so we can edit the contents of the vault. We add a second variable.

$ ansible-vault edit my_vault.yml
Vault password:

We can see the new variable we added.

$ ansible-vault view my_vault.yml
Vault password:
cdb1_sys_password: SysPassword1
testuser1: testuser1pwd

Encrypt Existing Variable File

An alternative to creating a vault is to encrypt an existing variable file. We create a file called "my_vault_2.yml" with the following contents.

cdb1_sys_password: SysPassword1
testuser1: testuser1pwd

We encrypt the file using the "encrypt" option. Once again, we use "Password123" as the password.

$ ansible-vault encrypt my_vault_2.yml
New Vault password:
Confirm New Vault password:
Encryption successful

The file is now encrypted.

$ cat my_vault_2.yml

We can display the content using the "view" option.

$ ansible-vault view my_vault_2.yml
Vault password:
cdb1_sys_password: SysPassword1
testuser1: testuser1pwd

Decrypt Vault

We can decrypt a file using the "decrypt" option.

$ ansible-vault decrypt my_vault_2.yml
Vault password:
Decryption successful

$ cat my_vault_2.yml
cdb1_sys_password: SysPassword1
testuser1: testuser1pwd
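The "cat" output above only tells us that the file starts with a "$ANSIBLE_VAULT" header. The following is an added example (not code from the original article or from the Ansible project) that shows, with the Python standard library only, what that envelope actually contains: the header line with the format version and cipher name, and a hex-encoded body holding a random salt, an HMAC-SHA256 tag and the AES-CTR ciphertext, with the AES and HMAC keys derived from the vault password by PBKDF2-HMAC-SHA256 over 10000 iterations. It also implements the password check Ansible performs before decrypting (recompute the HMAC key and compare tags in constant time) and a small audit that flags files named like vaults that are sitting on disk in plaintext, which is exactly the state "my_vault_2.yml" is left in after the "decrypt" step. The ciphertext bytes in the demo are a constructed placeholder, since real AES-CTR decryption needs an AES library and is not reproduced here; the function and variable names are this example's own.

```python
"""Inspect Ansible Vault 1.1/1.2 envelopes with the standard library only.

Added example, not part of the original article. The envelope layout
(header line, then hex-encoded "salt\nhmac\nciphertext", key material from
PBKDF2-HMAC-SHA256 with 10000 iterations) follows the AES256 cipher Ansible
uses; the AES-CTR payload decryption itself needs an AES implementation and
is deliberately not reproduced here.
"""
import binascii
import hashlib
import hmac
import os

VAULT_MAGIC = "$ANSIBLE_VAULT"
PBKDF2_ITERATIONS = 10000   # fixed in Ansible's VaultAES256
KEY_LEN, IV_LEN = 32, 16


def is_vault_encrypted(text):
    """True if the file body carries an Ansible Vault header."""
    return text.lstrip().startswith(VAULT_MAGIC + ";")


def parse_vault_envelope(text):
    """Split an envelope into header fields and the three raw byte parts.

    Returns a dict with version, cipher, vault_id (None for 1.1), salt,
    hmac and ciphertext.
    """
    lines = text.strip().splitlines()
    header = lines[0].split(";")
    if len(header) < 3 or header[0] != VAULT_MAGIC or header[2] != "AES256":
        raise ValueError("not an Ansible Vault AES256 envelope")
    version = header[1]
    vault_id = header[3] if version == "1.2" and len(header) > 3 else None
    # Body: hex of "salt\nhmac\nciphertext", wrapped at 80 chars per line.
    body = binascii.unhexlify("".join(lines[1:]))
    salt_hex, hmac_hex, ct_hex = body.split(b"\n")
    return {
        "version": version, "cipher": header[2], "vault_id": vault_id,
        "salt": binascii.unhexlify(salt_hex),
        "hmac": binascii.unhexlify(hmac_hex),
        "ciphertext": binascii.unhexlify(ct_hex),
    }


def derive_keys(password, salt):
    """PBKDF2-HMAC-SHA256 -> (aes_key, hmac_key, iv), as Ansible derives them."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                  PBKDF2_ITERATIONS, dklen=2 * KEY_LEN + IV_LEN)
    return derived[:KEY_LEN], derived[KEY_LEN:2 * KEY_LEN], derived[2 * KEY_LEN:]


def verify_vault_password(text, password):
    """True if the password yields the HMAC key that authenticates the ciphertext.

    This is the check Ansible performs before decrypting; a wrong password
    fails here without the AES payload ever being touched.
    """
    env = parse_vault_envelope(text)
    _, hmac_key, _ = derive_keys(password, env["salt"])
    expected = hmac.new(hmac_key, env["ciphertext"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, env["hmac"])


def build_envelope(ciphertext, password, vault_id=None, salt=None):
    """Wrap already-encrypted bytes in a vault envelope (used by the demo)."""
    salt = salt or os.urandom(32)
    _, hmac_key, _ = derive_keys(password, salt)
    mac = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest()
    inner = b"\n".join([binascii.hexlify(salt), mac.encode(),
                        binascii.hexlify(ciphertext)])
    outer = binascii.hexlify(inner).decode()
    header = (f"{VAULT_MAGIC};1.2;AES256;{vault_id}" if vault_id
              else f"{VAULT_MAGIC};1.1;AES256")
    wrapped = "\n".join(outer[i:i + 80] for i in range(0, len(outer), 80))
    return header + "\n" + wrapped + "\n"


def audit_vault_files(files):
    """Return the paths whose name says 'vault' but whose body is plaintext.

    `files` maps path -> content, so the check runs on anything, for example
    the staged files in a pre-commit hook.
    """
    return sorted(p for p, body in files.items()
                  if "vault" in os.path.basename(p).lower()
                  and not is_vault_encrypted(body))


if __name__ == "__main__":
    # Constructed demo: the ciphertext is placeholder bytes, not real AES output.
    demo = build_envelope(b"not-real-aes-ctr-output", "Password123", salt=bytes(32))
    print(demo)
    print("correct password accepted:", verify_vault_password(demo, "Password123"))
    print("wrong password accepted:", verify_vault_password(demo, "Password124"))
    print("plaintext vault files:", audit_vault_files({
        "group_vars/databases/vault.yml": demo,
        "my_vault_2.yml": "cdb1_sys_password: SysPassword1\n",  # left decrypted
    }))
```

Two points worth noticing from the code: the header and the salt are public, so the only thing standing between an attacker who obtains the file and the plaintext is the vault password run through 10000 PBKDF2 iterations, which is why the password should be long and random rather than something like "Password123"; and because the HMAC check is cheap and independent of decryption, the audit function is a practical guard to run over a repository before commit.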

Use a Vault With a Playbook

Create a playbook called "vault_variables.yml" with the following contents. It uses the "debug" module to display the variable value, which is a silly thing to do with a secret, but it makes the example easy to follow.

- name: Use vault variables
  hosts: databases

  tasks:
  - name: Show vault variable value
    debug:
      var: cdb1_sys_password

When we run the playbook we see the variable is undefined. We've not told the playbook where to find the vault.

$ ansible-playbook vault_variables.yml

PLAY [Use vault variables] *********************************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************************
ok: [database1.localdomain]

TASK [Show vault variable value] ***************************************************************************************************************
ok: [database1.localdomain] => {
    "cdb1_sys_password": "VARIABLE IS NOT DEFINED!"
}

PLAY RECAP *************************************************************************************************************************************
database1.localdomain      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0


We use the "-e" flag to pass extra variables to the playbook. The "@" prefix tells Ansible the value is a file to load rather than an inline variable. We also need the "--ask-vault-pass" flag so we are prompted for the vault password.

$ ansible-playbook vault_variables.yml -e @my_vault.yml --ask-vault-pass
Vault password:

PLAY [Use vault variables] *********************************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************************
ok: [database1.localdomain]

TASK [Show vault variable value] ***************************************************************************************************************
ok: [database1.localdomain] => {
    "cdb1_sys_password": "SysPassword1"
}

PLAY RECAP *************************************************************************************************************************************
database1.localdomain      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0


Alternatively we can specify the vault as part of the playbook using the "vars_files" option. This version is saved as "vault_variables_2.yml".

- name: Use vault variables
  hosts: databases
  vars_files:
    - my_vault.yml

  tasks:
  - name: Show vault variable value
    debug:
      var: cdb1_sys_password

We can now run the playbook without the "-e" flag, but we still need the "--ask-vault-pass" flag.

$ ansible-playbook vault_variables_2.yml --ask-vault-pass

Vault password:

PLAY [Use vault variables] *********************************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************************
ok: [database1.localdomain]

TASK [Show vault variable value] ***************************************************************************************************************
ok: [database1.localdomain] => {
    "cdb1_sys_password": "SysPassword1"
}

PLAY RECAP *************************************************************************************************************************************
database1.localdomain      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
Here are some things to consider when using Ansible Vault.

For more information see:

Hope this helps. Regards Tim...

