Ansible : Vault
Ansible Vault provides a simple way to encrypt secrets, so you don't expose sensitive data in your playbooks.
- Useful Resources
- Create a New Vault
- Encrypt Existing Variable File
- Decrypt Vault
- Use a Vault With a Playbook
- Considerations
Useful Resources
There is a vagrant build for the virtual machines used in these examples here.
There is a GitHub repository of the scripts used in the examples here.
Create a New Vault
We create a new vault using the "ansible-vault" command with the "create" option. It prompts us for a vault password (twice, to confirm it) and drops us into the default editor to enter the data for the vault. We enter the data in plain text, just as if it were a host variable file, then save and exit.
$ ansible-vault create my_vault.yml
New Vault password:
Confirm New Vault password:
$
In this case I used the vault password of "Password123" and gave it the following content.
cdb1_sys_password: SysPassword1
We check the contents of the resulting vault file and we can see it's encrypted.
$ cat my_vault.yml
$ANSIBLE_VAULT;1.1;AES256
32306533393532303233373461376533356462613038353439333630346361383833313034373136
3336653332623837366233313662613464376266626637610a363339326237666465663937306433
30373131353331306261373365383562303263386535663264306437326330373035393138383435
3535316163333938320a356237663131656533373066626334303333363233366161333564343031
61306530633063363237646334653835636261373638663465353662353133316439366436303466
3439353036356638666465646133326461363137643566633363
$
The "view" option allows us to see the content in its unencrypted state.
$ ansible-vault view my_vault.yml
Vault password:
cdb1_sys_password: SysPassword1
$
The "edit" option drops us back into the editor, so we can edit the contents of the vault. We add a second variable.
$ ansible-vault edit my_vault.yml
Vault password:
$
We can see the new variable we added.
$ ansible-vault view my_vault.yml
Vault password:
cdb1_sys_password: SysPassword1
testuser1: testuser1pwd
$
Encrypt Existing Variable File
An alternative to creating a vault is to encrypt an existing variable file. We create a file called "my_vault_2.yml" with the following contents.
cdb1_sys_password: SysPassword1
testuser1: testuser1pwd
We encrypt the file using the "encrypt" option. Once again, we use "Password123" as the password.
$ ansible-vault encrypt my_vault_2.yml
New Vault password:
Confirm New Vault password:
Encryption successful
$
The file is now encrypted.
$ cat my_vault_2.yml
$ANSIBLE_VAULT;1.1;AES256
65363365363962363166366138356564323231633065356536373864623863393663646333393433
3736303366356336376531343337653839383465656138300a346633663466333432393833383935
37333564316366323865613236623461316336623865376533353730626135623861653438306335
6631316633383032300a393435633938623365333362356437653133383934373863333130353664
36323335623037633566323332346534633533366431313939323035636465636633363035646230
34663466323432666561353563356635613561383965303130623735623837646639663136666533
303166633532646630343139303237396132
$
We can display the content using the "view" option.
$ ansible-vault view my_vault_2.yml
Vault password:
cdb1_sys_password: SysPassword1
testuser1: testuser1pwd
$
Decrypt Vault
We can decrypt a file using the "decrypt" option. Note that this rewrites the file in place, so it now sits on disk in plain text until we encrypt it again.
$ ansible-vault decrypt my_vault_2.yml
Vault password:
Decryption successful
$
$ cat my_vault_2.yml
cdb1_sys_password: SysPassword1
testuser1: testuser1pwd
$
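The "cat" output above shows what a vault file actually is: a header line naming the format version and cipher, followed by a hex body that, once decoded, holds the salt, an HMAC and the ciphertext, each hex-encoded and separated by newlines. The password never appears in the file; it is stretched with PBKDF2-HMAC-SHA256 (10,000 iterations) into an AES-256 key, an HMAC key and a CTR nonce, and the HMAC over the ciphertext is what lets ansible-vault tell a wrong password from a right one. The following is an added example, not code from this article or from the Ansible project: it reimplements that envelope and password check with only the Python standard library. The AES-256-CTR step is not implemented here, so the sample envelope is constructed with filler bytes in the ciphertext field; the salt and HMAC are computed exactly as the format specifies, which is all the check needs. The fixed salt and the "Password123" vault password are assumptions for reproducibility.

```python
"""Parse an Ansible Vault 1.1 envelope and check a candidate password against it.

Added example, not code from the article or from Ansible. Stdlib only: the
AES-256-CTR step is omitted, so the sample ciphertext below is filler bytes,
while the salt, key derivation and HMAC follow the vault 1.1 layout.
"""
import binascii
import hashlib
import hmac
import textwrap

HEADER = "$ANSIBLE_VAULT;1.1;AES256"
ITERATIONS = 10000   # PBKDF2-HMAC-SHA256 iteration count used by vault 1.1
KEY_LEN = 32         # AES-256 key length in bytes
IV_LEN = 16          # AES block size, used as the CTR nonce


def derive_keys(password, salt):
    """Return (aes_key, hmac_key, iv) from the password and 32-byte salt."""
    derived = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS,
                                  dklen=2 * KEY_LEN + IV_LEN)
    return derived[:KEY_LEN], derived[KEY_LEN:2 * KEY_LEN], derived[2 * KEY_LEN:]


def parse_envelope(text):
    """Split a vault file into raw (salt, hmac_tag, ciphertext) bytes."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if lines[0] != HEADER:
        raise ValueError("unexpected header: %r" % lines[0])
    # The body is one hex string; the 80-column wrapping is cosmetic.
    inner = binascii.unhexlify("".join(lines[1:]))
    salt_hex, hmac_hex, ct_hex = inner.split(b"\n", 2)
    return (binascii.unhexlify(salt_hex), binascii.unhexlify(hmac_hex),
            binascii.unhexlify(ct_hex))


def check_password(text, password):
    """True if the password reproduces the HMAC stored in the envelope.

    This is the test ansible-vault performs before decrypting. Because it
    needs nothing but the file, anyone holding the file can run it offline
    against a wordlist, which is why the vault password must be strong.
    """
    salt, tag, ciphertext = parse_envelope(text)
    _, hmac_key, _ = derive_keys(password.encode(), salt)
    expected = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def build_envelope(password, ciphertext, salt):
    """Wrap an already-encrypted payload in a vault 1.1 envelope."""
    _, hmac_key, _ = derive_keys(password.encode(), salt)
    tag = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    inner = b"\n".join(binascii.hexlify(p) for p in (salt, tag, ciphertext))
    body = binascii.hexlify(inner).decode()
    return HEADER + "\n" + "\n".join(textwrap.wrap(body, 80)) + "\n"


def guess_password(text, candidates):
    """Return the first candidate that verifies, or None.

    Each attempt costs one PBKDF2 run of 10,000 SHA-256 rounds, cheap enough
    that a weak password falls to a modest wordlist.
    """
    for cand in candidates:
        if check_password(text, cand):
            return cand
    return None


# Constructed sample: fixed salt and filler ciphertext so the output is
# reproducible; the HMAC over that ciphertext is genuine.
SAMPLE_SALT = bytes(range(32))
SAMPLE_CIPHERTEXT = b"\x00" * 32   # placeholder for AES-CTR output
SAMPLE_VAULT = build_envelope("Password123", SAMPLE_CIPHERTEXT, SAMPLE_SALT)

if __name__ == "__main__":
    print(SAMPLE_VAULT)
    print("correct password verifies:", check_password(SAMPLE_VAULT, "Password123"))
    print("wrong password verifies:", check_password(SAMPLE_VAULT, "Password124"))
    print("wordlist hit:", guess_password(SAMPLE_VAULT, ["admin", "oracle", "Password123"]))
```

Point the parser at a real vault file and the same check_password call tells you whether a password is the right one without ever decrypting; the wordlist loop is the same thing an attacker runs after copying the file out of a repository, so a vault encrypted under "Password123" is not meaningfully protected.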
Use a Vault With a Playbook
Create a playbook called "vault_variables.yml" with the following contents. It uses the "debug" module to display the variable value, which is a silly thing to do for a secret, since the value ends up in the console output and in any log that captures it.
---
- name: Use vault variables
  hosts: databases
  tasks:
    - name: Show vault variable value
      debug:
        var: cdb1_sys_password
When we run the playbook we see the variable is undefined. We've not told the playbook where to find the vault.
$ ansible-playbook vault_variables.yml

PLAY [Use vault variables] *************************************************************

TASK [Gathering Facts] *****************************************************************
ok: [database1.localdomain]

TASK [Show vault variable value] *******************************************************
ok: [database1.localdomain] => {
    "cdb1_sys_password": "VARIABLE IS NOT DEFINED!"
}

PLAY RECAP *****************************************************************************
database1.localdomain      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

$
We use the "-e" flag to pass extra variables to the playbook, with the "@" prefix to show the value is a file rather than a literal. We also need the "--ask-vault-pass" flag so we are prompted for the vault password; without it Ansible has no way to decrypt the file and the run fails.
$ ansible-playbook vault_variables.yml -e @my_vault.yml --ask-vault-pass
Vault password:

PLAY [Use vault variables] *************************************************************

TASK [Gathering Facts] *****************************************************************
ok: [database1.localdomain]

TASK [Show vault variable value] *******************************************************
ok: [database1.localdomain] => {
    "cdb1_sys_password": "SysPassword1"
}

PLAY RECAP *****************************************************************************
database1.localdomain      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

$
Alternatively we can reference the vault from the playbook itself using the "vars_files" option. Create a second playbook called "vault_variables_2.yml" with the following contents.
---
- name: Use vault variables
  hosts: databases
  vars_files:
    - my_vault.yml
  tasks:
    - name: Show vault variable value
      debug:
        var: cdb1_sys_password
We can now run the playbook without the "-e" flag, but we still need the "--ask-vault-pass" flag.
$ ansible-playbook vault_variables_2.yml --ask-vault-pass
Vault password:

PLAY [Use vault variables] *************************************************************

TASK [Gathering Facts] *****************************************************************
ok: [database1.localdomain]

TASK [Show vault variable value] *******************************************************
ok: [database1.localdomain] => {
    "cdb1_sys_password": "SysPassword1"
}

PLAY RECAP *****************************************************************************
database1.localdomain      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

$
Considerations
Here are some things to consider when using Ansible Vault.
- For production systems it may be a better idea to use a dedicated secrets manager, cloud-based or otherwise, rather than keeping secrets in files alongside the playbooks.
- We can encrypt host and group variable files if required. They are picked up automatically like any other host or group variable file, but the vault password must be supplied when the playbook runs.
- The passwords used in this article are deliberately simple. Use strong passwords for the vault, and for any passwords stored in it: anyone who obtains the vault file can test candidate passwords against it offline, and the file is only as strong as the password protecting it.
- Check out the documentation for the other things you can do with Ansible Vault.
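The point about host and group variable files cuts both ways: because Ansible loads them whether or not they are vaulted, a file that was decrypted for editing and never re-encrypted is silently loaded in plain text and, if committed, published. The following is an added example, not code from this article or from the Ansible project: a small check suitable for a pre-commit hook or CI job that walks "host_vars" and "group_vars", accepts fully vaulted files (they start with the "$ANSIBLE_VAULT" header), accepts inline values produced by "ansible-vault encrypt_string" (they start with "!vault"), and flags any remaining variable whose name looks secret-bearing. The directory layout, the sample files and the list of sensitive name patterns are assumptions chosen for illustration; the pattern list is a heuristic and should be tuned to your own naming conventions.

```python
"""Flag variable files that should be vaulted but contain plaintext secrets.

Added example, not from the article or from Ansible. The inventory layout,
sample files and sensitive-name patterns are assumptions for illustration.
"""
import os
import re
import tempfile

VAULT_HEADER = "$ANSIBLE_VAULT;"
# Heuristic: variable names that should never carry a plaintext value.
SENSITIVE_KEY = re.compile(
    r"^\s*[\w.-]*(password|passwd|secret|token|api_key)[\w.-]*\s*:\s*(.*)$", re.I)
VAR_DIRS = ("host_vars", "group_vars")


def is_vault_file(text):
    """A fully vaulted file begins with the $ANSIBLE_VAULT header line."""
    return text.lstrip().startswith(VAULT_HEADER)


def find_plaintext_secrets(text):
    """Return (line_no, key) for sensitive keys whose value is not a !vault block."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = SENSITIVE_KEY.match(line)
        if not m:
            continue
        value = m.group(2).strip()
        # Inline values from 'ansible-vault encrypt_string' start with "!vault".
        if value.startswith("!vault"):
            continue
        hits.append((no, line.split(":", 1)[0].strip()))
    return hits


def scan_inventory(root):
    """Walk host_vars/group_vars under root; return [(relpath, problem), ...]."""
    findings = []
    for var_dir in VAR_DIRS:
        for dirpath, _, files in os.walk(os.path.join(root, var_dir)):
            for name in sorted(files):
                if not name.endswith((".yml", ".yaml")):
                    continue
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8") as fh:
                    text = fh.read()
                if is_vault_file(text):
                    continue   # whole file is encrypted, nothing to inspect
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                for no, key in find_plaintext_secrets(text):
                    findings.append((rel, "line %d: %s is plaintext" % (no, key)))
    return findings


# Constructed sample inventory. The vault bodies are filler hex; only the
# header matters to this check. The host_vars file mixes one properly
# vaulted inline value with one password that was left in the clear.
SAMPLE_FILES = {
    "group_vars/databases/vault.yml":
        "$ANSIBLE_VAULT;1.1;AES256\n3230653339353230\n",
    "group_vars/databases/vars.yml":
        "oracle_home: /u01/app/oracle/product/19.0.0/dbhome_1\n",
    "host_vars/database1.localdomain.yml":
        "cdb1_sys_password: SysPassword1\n"
        "testuser1_password: !vault |\n"
        "  $ANSIBLE_VAULT;1.1;AES256\n"
        "  3230653339353230\n",
}


def write_sample(root):
    """Materialise SAMPLE_FILES under root."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def scan_sample():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        write_sample(root)
        return scan_inventory(root)


if __name__ == "__main__":
    findings = scan_sample()
    for rel, problem in findings:
        print("%s: %s" % (rel, problem))
    # Non-zero exit so a pre-commit hook or CI job fails on any finding.
    raise SystemExit(1 if findings else 0)
```

Run against a real project by calling scan_inventory on the inventory root instead of scan_sample; the exit status makes it a drop-in pre-commit hook, so a file left decrypted after "ansible-vault decrypt" is caught before it reaches the repository.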
Hope this helps. Regards Tim...