Ansible : Vault

Ansible Vault provides a simple way to encrypt secrets, so you don't expose sensitive data in your playbooks.

Useful Resources

There is a vagrant build for the virtual machines used in these examples here.

There is a GitHub repository of the scripts used in the examples here.

Create a New Vault

We create a new vault using the "ansible-vault" command with the "create" option. It prompts us for a vault password (entered twice to confirm it) and drops us into the default editor to enter the data in the vault. We enter the data in plain text, just as if it were a host variable file, then save and exit, at which point the file is written to disk encrypted.

$ ansible-vault create my_vault.yml
New Vault password:
Confirm New Vault password:
$

In this case I used the vault password of "Password123", which is fine for a demonstration but far too weak for real use, and gave it the following content.

cdb1_sys_password: SysPassword1

We check the contents of the resulting vault file and can see it's encrypted. The first line records the format version and cipher, and the remaining lines are the hex-encoded payload.

$ cat my_vault.yml
$ANSIBLE_VAULT;1.1;AES256
32306533393532303233373461376533356462613038353439333630346361383833313034373136
3336653332623837366233313662613464376266626637610a363339326237666465663937306433
30373131353331306261373365383562303263386535663264306437326330373035393138383435
3535316163333938320a356237663131656533373066626334303333363233366161333564343031
61306530633063363237646334653835636261373638663465353662353133316439366436303466
3439353036356638666465646133326461363137643566633363
$

The "view" option allows us to see the content in its unencrypted state.

$ ansible-vault view my_vault.yml
Vault password:
cdb1_sys_password: SysPassword1
$

The "edit" option drops us back into the editor, so we can edit the contents of the vault. We add a second variable.

$ ansible-vault edit my_vault.yml
Vault password:
$

We can see the new variable we added.

$ ansible-vault view my_vault.yml
Vault password:
cdb1_sys_password: SysPassword1
testuser1: testuser1pwd
$

Encrypt Existing Variable File

An alternative to creating a vault is to encrypt an existing variable file. We create a plain text file called "my_vault_2.yml" with the following contents.

cdb1_sys_password: SysPassword1
testuser1: testuser1pwd

We encrypt the file using the "encrypt" option. Once again, we use "Password123" as the password.

$ ansible-vault encrypt my_vault_2.yml
New Vault password:
Confirm New Vault password:
Encryption successful
$

The file is now encrypted.

$ cat my_vault_2.yml
$ANSIBLE_VAULT;1.1;AES256
65363365363962363166366138356564323231633065356536373864623863393663646333393433
3736303366356336376531343337653839383465656138300a346633663466333432393833383935
37333564316366323865613236623461316336623865376533353730626135623861653438306335
6631316633383032300a393435633938623365333362356437653133383934373863333130353664
36323335623037633566323332346534633533366431313939323035636465636633363035646230
34663466323432666561353563356635613561383965303130623735623837646639663136666533
303166633532646630343139303237396132
$

We can display the content using the "view" option.

$ ansible-vault view my_vault_2.yml
Vault password:
cdb1_sys_password: SysPassword1
testuser1: testuser1pwd
$

Decrypt Vault

We can decrypt a file using the "decrypt" option. Note this rewrites the file in place as plain text, so if the file lives in a source repository it is easy to commit the secrets by accident. For day-to-day access prefer "view" and "edit", which don't leave the file decrypted on disk.

$ ansible-vault decrypt my_vault_2.yml
Vault password:
Decryption successful
$

$ cat my_vault_2.yml
cdb1_sys_password: SysPassword1
testuser1: testuser1pwd
$
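Because "decrypt" leaves plain text behind, it is worth having a check that the files you expect to be vaults really are encrypted before they are committed. The following is an added example, not code from the article or from Ansible: it validates the envelope that "ansible-vault" writes (header line, then a hex payload that un-hexlifies to the salt, HMAC and ciphertext, each as hex) without decrypting anything, and flags variable files that contain secret-looking keys but no vault header. The sample inputs are the encrypted "my_vault.yml" printed above and the decrypted "my_vault_2.yml"; the regular expression for "secret-looking key" and the idea of feeding it staged files from a pre-commit hook are assumptions made for the example.

```python
"""Validate Ansible Vault envelopes without decrypting them.

Added example, not code from the article or from Ansible. "ansible-vault"
writes a header line "$ANSIBLE_VAULT;<version>;AES256[;<vault id>]" followed
by a hex payload wrapped at 80 columns. Un-hexlified, the payload is three
newline-separated hex strings: the 32-byte PBKDF2 salt, the 32-byte
HMAC-SHA256 of the ciphertext and the AES-256-CTR ciphertext (PKCS#7 padded).
"""
import binascii
import re
from typing import Dict, List

VAULT_MAGIC = "$ANSIBLE_VAULT"

# Heuristic for "this YAML key holds a secret"; the pattern is an assumption
# made for this example, tune it to your own naming conventions.
SECRET_KEY_RE = re.compile(
    r"^\s*[\w.-]*(password|passwd|secret|token|api_key)[\w.-]*\s*:",
    re.IGNORECASE | re.MULTILINE,
)

# Sample inputs: my_vault.yml exactly as printed in the article, and the
# decrypted my_vault_2.yml, constructed here as the file the check must catch.
ENCRYPTED_VAULT = """$ANSIBLE_VAULT;1.1;AES256
32306533393532303233373461376533356462613038353439333630346361383833313034373136
3336653332623837366233313662613464376266626637610a363339326237666465663937306433
30373131353331306261373365383562303263386535663264306437326330373035393138383435
3535316163333938320a356237663131656533373066626334303333363233366161333564343031
61306530633063363237646334653835636261373638663465353662353133316439366436303466
3439353036356638666465646133326461363137643566633363
"""
PLAINTEXT_VAULT = "cdb1_sys_password: SysPassword1\ntestuser1: testuser1pwd\n"

SAMPLE_FILES = {
    "my_vault.yml": ENCRYPTED_VAULT,    # encrypted: fine
    "my_vault_2.yml": PLAINTEXT_VAULT,  # plaintext secret: must be reported
    # A playbook names the variable but holds no value: must not be reported.
    "vault_variables.yml": "- hosts: databases\n  tasks:\n  - debug:\n      var: cdb1_sys_password\n",
}


def parse_vault_envelope(text: str) -> Dict[str, object]:
    """Return header fields and payload sizes, or raise ValueError."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith(VAULT_MAGIC + ";"):
        raise ValueError("missing $ANSIBLE_VAULT header")
    header = lines[0].split(";")
    if len(header) not in (3, 4) or header[2] != "AES256":
        raise ValueError("malformed or unsupported header: %r" % lines[0])
    version, vault_id = header[1], (header[3] if len(header) == 4 else None)

    # Outer layer: join the 80-column hex lines, then peel both hex layers.
    outer = "".join(line.strip() for line in lines[1:])
    try:
        parts = binascii.unhexlify(outer).decode("ascii").split("\n")
        if len(parts) != 3:
            raise ValueError("expected salt, hmac and ciphertext, got %d fields" % len(parts))
        salt, mac, ciphertext = (binascii.unhexlify(p) for p in parts)
    except (binascii.Error, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError("payload is not valid hex: %s" % exc)

    if len(salt) != 32 or len(mac) != 32:
        raise ValueError("salt and HMAC-SHA256 must each be 32 bytes")
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("ciphertext length %d is not a multiple of 16" % len(ciphertext))
    return {"version": version, "vault_id": vault_id, "salt_len": len(salt),
            "hmac_len": len(mac), "ciphertext_len": len(ciphertext)}


def is_encrypted(text: str) -> bool:
    """True only for an intact vault envelope; a truncated or edited file fails."""
    try:
        parse_vault_envelope(text)
    except ValueError:
        return False
    return True


def find_plaintext_secrets(files: Dict[str, str]) -> List[str]:
    """Paths whose content has secret-looking keys but is not vault-encrypted.

    ``files`` maps path to content; a pre-commit hook would read the staged
    files into this shape before committing.
    """
    return sorted(path for path, content in files.items()
                  if not is_encrypted(content) and SECRET_KEY_RE.search(content))
```

For the article's "my_vault.yml" the parser reports a 32-byte salt, a 32-byte HMAC and a 48-byte ciphertext, which is what a 32-byte plain text ("cdb1_sys_password: SysPassword1" plus newline) becomes after a full block of PKCS#7 padding. The scan over the sample files reports only "my_vault_2.yml"; the playbook that merely names the variable is left alone.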

Use a Vault With a Playbook

Create a playbook called "vault_variables.yml" with the following contents. It uses the "debug" module to display the variable value, which is a silly thing to do for a secret outside a demonstration, as it puts the password in the console output and any logs.

---
- name: Use vault variables
  hosts: databases
  tasks:

  - name: Show vault variable value
    debug:
      var: cdb1_sys_password

When we run the playbook we see the variable is undefined, because we've not told the playbook where to find the vault.

$ ansible-playbook vault_variables.yml

PLAY [Use vault variables] *********************************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************************
ok: [database1.localdomain]

TASK [Show vault variable value] ***************************************************************************************************************
ok: [database1.localdomain] => {
    "cdb1_sys_password": "VARIABLE IS NOT DEFINED!"
}

PLAY RECAP *************************************************************************************************************************************
database1.localdomain      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

$

We use the "-e" flag to pass extra variables to the playbook, and the "@" prefix to show the argument is a file rather than a "key=value" pair. We also need the "--ask-vault-pass" flag so we are prompted for the vault password, without which Ansible can't decrypt the file.

$ ansible-playbook vault_variables.yml -e @my_vault.yml --ask-vault-pass
Vault password:

PLAY [Use vault variables] *********************************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************************
ok: [database1.localdomain]

TASK [Show vault variable value] ***************************************************************************************************************
ok: [database1.localdomain] => {
    "cdb1_sys_password": "SysPassword1"
}

PLAY RECAP *************************************************************************************************************************************
database1.localdomain      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

$

Alternatively we can reference the vault from the playbook itself using the "vars_files" option. Create a second playbook called "vault_variables_2.yml" with the following contents.

---
- name: Use vault variables
  hosts: databases
  vars_files: my_vault.yml
  tasks:

  - name: Show vault variable value
    debug:
      var: cdb1_sys_password

We can now run the playbook without the "-e" flag, but we still need the "--ask-vault-pass" flag so the vault can be decrypted.

$ ansible-playbook vault_variables_2.yml --ask-vault-pass

Vault password:

PLAY [Use vault variables] *********************************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************************
ok: [database1.localdomain]

TASK [Show vault variable value] ***************************************************************************************************************
ok: [database1.localdomain] => {
    "cdb1_sys_password": "SysPassword1"
}

PLAY RECAP *************************************************************************************************************************************
database1.localdomain      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

$
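Both playbooks above print the secret, which is fine for a demonstration but not for anything else. Here is an added example, not from the article, of the same "vars_files" playbook written so the vault value never appears in the console output or logs. The "assert" task and the "no_log" setting are standard Ansible features; the task names are mine.

```yaml
---
# Added example, not from the article: the vars_files playbook from above,
# written so the vault value never reaches the console or the log.
- name: Use vault variables without printing them
  hosts: databases
  vars_files: my_vault.yml
  tasks:

  # Fail early if the vault did not define the variable. The failure message
  # names the condition, not the value. (If the vault password is wrong or
  # missing, decrypting vars_files already fails before any task runs.)
  - name: Check the vault supplied the password
    assert:
      that:
        - cdb1_sys_password is defined
        - cdb1_sys_password | length > 0
      quiet: true

  # no_log replaces this task's arguments and result with a "censored"
  # placeholder in the output, including under -v. The debug module is kept
  # only to mirror the article; in practice this would be the task that
  # actually consumes the password.
  - name: Use the password (output hidden)
    debug:
      var: cdb1_sys_password
    no_log: true
```

Run it exactly as before, "ansible-playbook vault_variables_2.yml --ask-vault-pass", and the second task reports a "censored" result instead of the password. Remember that "no_log" only hides that task's output; if you "register" the result and print it from another task without "no_log", the value leaks again.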

Considerations

Here are some things to consider when using Ansible Vault.

The vault password is all that protects the contents. The AES-256 key is derived from it, so a weak or widely shared password like the "Password123" used above gives little real protection. Use a long random password, keep it in a password manager or secrets store, and never commit it to the same repository as the vault files. The "rekey" option changes the password of an existing vault.

Prompting with "--ask-vault-pass" doesn't suit automation. The "--vault-password-file" option (or the ANSIBLE_VAULT_PASSWORD_FILE environment variable) reads the password from a file, which should be readable only by the user running Ansible, or from an executable script that fetches it from somewhere else. The "--vault-id" option lets different vaults use different passwords.

Vault protects data at rest only. Values are decrypted in memory on the control node when the play runs, and anything that prints them ("debug" tasks, verbose "-v" output, error messages) exposes them. Set "no_log: true" on tasks that handle secrets.

The "decrypt" option rewrites the file in place as plain text. Use "view" and "edit" for day-to-day access, and check that vault files are still encrypted before committing them.

Encrypting a whole file hides the variable names as well as the values, which makes searching and code review harder. The "encrypt_string" option produces an inline "!vault" value, so individual variables can be encrypted while the file around them stays readable.

Hope this helps. Regards Tim...