Ansible-Vault How-To

A short tutorial in using ansible-vault for storing sensitive information.

Here I have an Ansible inventory file (hosts) which uses group_vars, where I store the connection details and credentials.

[root@ansible vault]# tree .
.
├── inventory
│   ├── group_vars
│   │   └── web
│   └── hosts
└── wget.yml


[root@ansible vault]# cat inventory/hosts
[web]
192.168.0.54

[root@ansible vault]# cat inventory/group_vars/web

ansible_connection: ssh
ansible_user: root
ansible_ssh_pass: P@ssw0rd


Since the credentials are in plain text, they are visible to anyone who can read this file. We can use ansible-vault, which is provided by the ansible-core package, and pass in a password to encrypt the file:

[root@ansible vault]# ansible-vault encrypt inventory/group_vars/web
New Vault password:
Confirm New Vault password:
Encryption successful

The web file is now encrypted (AES-256), as its header shows:

[root@ansible vault]# cat inventory/group_vars/web
$ANSIBLE_VAULT;1.1;AES256
66613032646237636338346230363465653436313539313235393331663434666637303031323864
6331656237323166376336396431333666316335353764380a313937356336616265646562336237
65616631346661623566633734303664646138636335643466393534623661393261383238303633
3136356131616239640a626635633466383234366130643031393034623165313938393066373237
63363562393530336234373237393464356439643731346538323834616166363864656337613539
38643263396335623831316236303933383532636663373138353433633638613838623933396134
65343964653934366632663031393265316661656238653662313539313234316536303464303737
30653265303439303465
[root@ansible vault]#


When we run the ansible (or ansible-playbook) command, we pass --ask-vault-pass and, when prompted, enter the password we used to encrypt the file.

[root@ansible vault]# ansible web -i inventory/hosts -m ping --ask-vault-pass
Vault password:
192.168.0.54 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
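As an added example (not part of the original post), here is a small stdlib-only Python check for the situation the post starts from: a group_vars file carrying a credential such as ansible_ssh_pass in clear text. Files that begin with the $ANSIBLE_VAULT header (version 1.1 as on this page, or 1.2 with a vault-id label) and values marked !vault are treated as encrypted; the list of credential keys and the sample inventory are assumptions constructed for the demo.

```python
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Header written by ansible-vault: version 1.1 (as on this page) or 1.2 (adds a vault-id label).
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;(?P<version>1\.[12]);(?P<cipher>AES256)(?:;(?P<vault_id>\S+))?$")
# Inventory variables that carry credentials; an assumed list, extend it for your own variable names.
SECRET_KEYS = {"ansible_ssh_pass", "ansible_password", "ansible_become_pass", "ansible_become_password"}

def parse_vault_header(text):
    """Return the header fields if `text` is a whole-file vault blob, else None."""
    first, _, body = text.partition("\n")
    m = VAULT_HEADER.match(first.strip())
    blob = "".join(body.split())  # the body is one hex blob, wrapped at 80 characters
    if m is None or not blob:
        return None
    try:
        bytes.fromhex(blob)
    except ValueError:
        return None
    return {"version": m["version"], "cipher": m["cipher"], "vault_id": m["vault_id"]}

def find_plaintext_secrets(text):
    """Return credential keys that appear as clear-text `key: value` lines (inline !vault values are fine)."""
    found = []
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(\S.*)$", line)
        if m and m.group(1) in SECRET_KEYS and not m.group(2).startswith("!vault"):
            found.append(m.group(1))
    return found

def audit_vars_dir(root):
    """Map every file under `root` to its unencrypted credential keys; vaulted files report an empty list."""
    report = {}
    for f in sorted(Path(root).rglob("*")):
        if f.is_file():
            text = f.read_text()
            report[f.relative_to(root).as_posix()] = [] if parse_vault_header(text) else find_plaintext_secrets(text)
    return report

# Constructed samples: the page's clear-text group_vars/web, and a vaulted file whose hex body is made up.
PLAIN_WEB = "ansible_connection: ssh\nansible_user: root\nansible_ssh_pass: P@ssw0rd\n"
VAULTED_DB = "$ANSIBLE_VAULT;1.1;AES256\n66613032646237636338346230363465\n65343964653934366632663031393265\n"

def audit_demo():
    """Build a throw-away inventory like the one on the page and audit it."""
    with TemporaryDirectory() as tmp:
        gv = Path(tmp, "group_vars")
        gv.mkdir()
        (gv / "web").write_text(PLAIN_WEB)
        (gv / "db").write_text(VAULTED_DB)
        Path(tmp, "hosts").write_text("[web]\n192.168.0.54\n")
        return audit_vars_dir(tmp)  # returns {"group_vars/db": [], "group_vars/web": ["ansible_ssh_pass"], "hosts": []}
```

Run audit_vars_dir against the real inventory directory before committing; a non-empty list for any file means that credential is still readable by anyone who can read the file.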
