Ansible - Encrypt and Decrypt Secret Data with Ansible Vault

Ansible is an open-source automation platform used for application deployment, configuration management and provisioning. It allows us to create playbooks which can be executed on multiple hosts. Ansible playbooks often need secret information such as passwords or secret keys stored in files, which should not be readable by unauthorized people. Storing secret information in plain text means anyone with access to the repository can read it. Fortunately, Ansible ships with a built-in tool, ansible-vault, that makes encrypting secret data easy. In this tutorial, I'll show you how to use ansible-vault to protect sensitive information.

Creating an Encrypted File

To create an encrypted file, run this command:

ansible-vault create example.yml

Editing an Encrypted File

To edit a file already encrypted using ansible-vault, use the following command:

ansible-vault edit example.yml

Viewing an Encrypted File

To view a file already encrypted using ansible-vault, use the following command:

ansible-vault view example.yml

Changing Password of Encrypted File(s)

To change the password of one or more encrypted files, use this command:

ansible-vault rekey example.txt example2.txt

Encrypting File(s)

If you've already created some non-encrypted files and you want to encrypt multiple files at once, here is the command:

ansible-vault encrypt example.txt example2.txt

Decrypting Encrypted File(s)

If you want to decrypt some encrypted files with the same password, use this command:

ansible-vault decrypt example.txt example2.txt

Providing Password

If you've tried the commands above, you will have been asked for the encryption password. Instead of entering the password every time you run ansible-vault, Ansible allows you to store the password in a file. This is very useful if you have a long password, because typing it or copying and pasting it is not practical. Since version 2.4, the recommended way to provide the password is the --vault-id flag, followed by the path to the file containing the password. If you want to be prompted for the password instead, use --vault-id @prompt.

Prior to version 2.4, you can use the --vault-password-file flag, followed by the path to the password file. The flag applies to all the commands above, except changing the password (rekeying), where you also need the additional --new-vault-password-file flag for the new password file. To be prompted for the password, use the --ask-vault-pass flag.

Encrypting Variables

In Ansible, you often store variables, either in a vars block or in separate files. Sometimes you may want to encrypt the value of selected variables only, not the entire file. To encrypt the value of a single variable, use this command:

  ansible-vault encrypt_string --vault-id password-file.txt 'example text' --name 'my_var'

In the example above, my_var is the variable name, while the value is "example text". password-file.txt is the path to the file containing the password. Alternatively, you can be prompted for the password by replacing password-file.txt with @prompt.

You may need to use different passwords for different variables. Since version 2.4, Ansible supports using multiple vault passwords at once. To determine which password should be used for a variable, we can add a label when encrypting. Slightly modify the command above so it becomes like this:

  ansible-vault encrypt_string --vault-id label1@password-file.txt 'example text' --name 'my_var'

If you prefer to be prompted for the password, use --vault-id label1@prompt instead.

As an alternative, you can pipe the variable value in on standard input. Note that echo appends a trailing newline, which then becomes part of the encrypted value; use printf '%s' or echo -n if you do not want it:

  echo 'some text' | ansible-vault encrypt_string --vault-id label1@password-file.txt --stdin-name 'my_var'

Or, if you prefer to be prompted for the value:

  ansible-vault encrypt_string --vault-id label1@password-file.txt --stdin-name 'my_var'

Running Playbook with Encrypted Files and Variables

Naturally, you want to keep every file and variable containing sensitive information encrypted. When you run a playbook with ansible-playbook, there may be multiple encrypted files and variables. You don't need to run the decrypt command first and encrypt again after it finishes. Since version 2.4, you can pass the --vault-id flag to the ansible-playbook command, followed by either the path to the password file or @prompt (to be prompted for a password). All encrypted files and variables will be decrypted if you give the correct passwords. If you use multiple labels, you can pass multiple --vault-id flags, like this:

  --vault-id label1@password-file.txt --vault-id label2@prompt

Prior to version 2.4, it's possible to use --ask-vault-pass (to be prompted for a password) or --vault-password-file.
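Once files and variables are vaulted, the remaining risk is operational: a secret-looking variable that was never encrypted, a vaulted label for which no --vault-id is supplied, or a password file readable by other users. The following Python script is an added illustration and is not part of the original tutorial or of Ansible itself. It recognises the header ansible-vault writes at the top of encrypted data ($ANSIBLE_VAULT;1.1;AES256 when no label was used, $ANSIBLE_VAULT;1.2;AES256;label1 when a --vault-id label was used), lists inline !vault variables produced by encrypt_string, flags plaintext values whose names look like secrets, checks the permission bits of password files, and compares the labels found in the tree against the --vault-id arguments you intend to pass to ansible-playbook. The sample files, their truncated hex payloads, the secret-name heuristic and the password file names are all constructed for the example.

```python
"""Vault hygiene audit for an Ansible tree (stdlib only; constructed sample data below)."""
import re
import stat
from pathlib import Path

# Header written by ansible-vault: "$ANSIBLE_VAULT;1.1;AES256" when no label was
# used, "$ANSIBLE_VAULT;1.2;AES256;label1" when a --vault-id label was used.
VAULT_HEADER = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>1\.[12]);(?P<cipher>AES256)(?:;(?P<label>[^\s;]+))?\s*$"
)
# "my_var: !vault |" followed by an indented header line, as emitted by encrypt_string.
INLINE_VAULT = re.compile(
    r"^[ \t]*(?:-[ \t]+)?(?P<name>[\w.-]+):[ \t]*!vault[ \t]*\|[^\n]*\n[ \t]+(?P<header>\$ANSIBLE_VAULT;[^\n]*)",
    re.MULTILINE,
)
# Plain "key: value" lines (mapping entries or list items); a heuristic, not a YAML parser.
PLAIN_ASSIGN = re.compile(
    r"^[ \t]*(?:-[ \t]+)?(?P<name>[\w.-]+):[ \t]*(?P<value>\S[^\n]*)$", re.MULTILINE
)
# Constructed heuristic for variable names that usually carry secrets.
SECRET_NAME = re.compile(r"password|passwd|secret|token|api_key|private_key", re.IGNORECASE)


def parse_vault_header(line):
    """Return {'version', 'cipher', 'label'} for a vault header line, or None."""
    m = VAULT_HEADER.match(line.strip())
    return m.groupdict() if m else None


def scan_text(path, text):
    """Classify one file as a whole-file vault, or list its inline !vault variables
    and any secret-looking variables still stored in plaintext."""
    findings = []
    header = parse_vault_header(text.split("\n", 1)[0])
    if header:
        findings.append({"path": path, "kind": "vaulted_file", "name": None, "label": header["label"]})
        return findings  # encrypted body: nothing readable to inspect
    for m in INLINE_VAULT.finditer(text):
        h = parse_vault_header(m.group("header"))
        findings.append({"path": path, "kind": "inline_vault", "name": m.group("name"),
                         "label": h["label"] if h else None})
    for m in PLAIN_ASSIGN.finditer(text):
        value = m.group("value").strip().strip("'\"")
        if value.startswith("!vault") or value.startswith("{{"):
            continue  # already vaulted, or a template reference to another variable
        if SECRET_NAME.search(m.group("name")):
            findings.append({"path": path, "kind": "plaintext_secret", "name": m.group("name"), "label": None})
    return findings


def parse_vault_ids(args):
    """Split --vault-id values on the last '@' (as ansible does):
    'label1@pw.txt' -> ('label1', 'pw.txt'); 'pw.txt' -> (None, 'pw.txt'); 'x@prompt' -> ('x', 'prompt')."""
    ids = []
    for spec in args:
        label, sep, source = spec.rpartition("@")
        ids.append((label if sep else None, source))
    return ids


def mode_problems(mode):
    """Permission problems for a vault password file, given its st_mode bits."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["readable or writable by group/others; use chmod 600"]
    return []


def password_file_problems(path):
    p = Path(path)
    return ["missing"] if not p.exists() else mode_problems(p.stat().st_mode)


def audit(files, vault_id_args):
    """files: {relative path: text}. Reports what is protected, what is not, and whether
    the labels used by the vaulted data are all covered by the --vault-id arguments."""
    findings = [f for path in sorted(files) for f in scan_text(path, files[path])]
    ids = parse_vault_ids(vault_id_args)
    provided = {label for label, _ in ids}
    used = {f["label"] for f in findings if f["kind"] in ("vaulted_file", "inline_vault")}
    return {
        "findings": findings,
        "plaintext_secrets": [f for f in findings if f["kind"] == "plaintext_secret"],
        "labels_used": sorted(l for l in used if l),
        "labels_missing": sorted(l for l in used if l and l not in provided),
        "password_file_problems": {src: password_file_problems(src) for _, src in ids if src != "prompt"},
    }


# Constructed sample tree; the hex payloads are truncated placeholders, not real vault output.
SAMPLE_FILES = {
    "group_vars/all/vault.yml": "$ANSIBLE_VAULT;1.2;AES256;label1\n3431366562643831\n",
    "group_vars/all/vars.yml": (
        "db_user: app\n"
        "db_password: !vault |\n"
        "          $ANSIBLE_VAULT;1.2;AES256;label3\n"
        "          6331386264653937\n"
        "api_token: hunter2\n"
        "admin_password: \"{{ vault_admin_password }}\"\n"
    ),
    "host_vars/web1.yml": "$ANSIBLE_VAULT;1.1;AES256\n6261643763376639\n",
}

if __name__ == "__main__":
    report = audit(SAMPLE_FILES, ["label1@password-file.txt", "label2@prompt"])
    for f in report["findings"]:
        print(f"{f['path']}: {f['kind']} {f['name'] or ''} label={f['label']}")
    print("labels used:", report["labels_used"], "not covered by --vault-id:", report["labels_missing"])
```

Run against the constructed sample, the audit reports api_token as a plaintext secret, label3 as a label used by an inline variable but supplied by neither --vault-id, and password-file.txt as missing. In a real tree you would build the files dictionary by walking group_vars/ and host_vars/, and the permission check is the reason to keep a password file out of the repository and at mode 600.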

That's all about using ansible-vault for encrypting files and variables in Ansible.