
Ansible Vault

Ansible Vault is a feature that allows users to encrypt values and data structures within Ansible projects. This provides the ability to secure any sensitive data that is necessary to successfully run Ansible plays but should not be publicly visible, like passwords or private keys. Ansible decrypts vault-encrypted content automatically at runtime when the vault password is provided, so encrypted values can be committed to the repository alongside the rest of the project.

This requires one manual step: create a vault password file outside the repository and set its path in ansible.cfg (or export ANSIBLE_VAULT_PASSWORD_FILE). The password file itself must never be committed. If the file is executable, Ansible runs it and uses its standard output as the password, which allows the password to be fetched from a secret manager instead of being stored on disk.

Using Ansible Vault means that managing secrets becomes as easy as managing the Ansible Vault password file; all other secrets can then be set up automatically by running the playbooks.

Usage

Point Ansible at the password file in ansible.cfg (this is an INI file, not a shell script):

INI
[defaults]
vault_password_file = <PATH TO YOUR VAULT PASS>

Secret variables can be set by encrypting strings. Passing --name makes the output a ready-to-paste variable; note that a secret given as a command-line argument ends up in the shell history, so for real secrets prefer the interactive form (--stdin-name VAR), which reads the value from standard input:

Bash
ansible-vault encrypt_string --name my_password 'password123'

And pasting the output in place of a variable:

YAML
my_password: !vault |
    $ANSIBLE_VAULT;1.1;AES256
    66386439653236336462626566653063336164663966303231363934653561363964363833
    3136626431626536303530376336343832656537303632313433360a626438346336353331

View the decrypted value of an encrypted variable (Ansible uses the configured password file to decrypt it) with:

Bash
ansible localhost \
       -m debug \
       -a "var=<VAR NAME>" \
       -e "@<PATH TO VAR FILE>"

Encrypt files with:

Bash
ansible-vault encrypt encrypt_me.txt

View encrypted files with:

Bash
ansible-vault view encrypt_me.txt

Edit encrypted files with:

Bash
ansible-vault edit encrypt_me.txt

Decrypt encrypted files with the command below. Unlike view and edit, this rewrites the plaintext to disk in place, so only use it when you really need the plaintext on disk, and take care not to commit the decrypted file:

Bash
ansible-vault decrypt encrypt_me.txt
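The commands above hide what a vault payload actually is. The following is an added example, not code from the original page or from the Ansible project: a standard-library reader for the $ANSIBLE_VAULT;1.1 / 1.2;AES256 envelope that derives the keys the same way Ansible's VaultAES256 does (PBKDF2-HMAC-SHA256, 10000 iterations, 80 bytes split into AES key, HMAC key and IV), verifies the HMAC before any decryption is attempted, and exposes an is_encrypted() check you can run from a pre-commit hook to refuse a secrets file that was left decrypted on disk. The build_envelope() helper and the DEMO_* values are constructed for the demonstration (the demo ciphertext is random-looking bytes, not a real encryption), and full decryption needs the third-party cryptography package, which Ansible itself uses.

```python
"""Ansible Vault envelope reader (added example; mirrors Ansible's VaultAES256 layout)."""
import hashlib
import hmac
from binascii import hexlify, unhexlify

KDF_ITERATIONS = 10000
KEY_LEN, IV_LEN = 32, 16            # AES-256 key length, AES block size for the CTR IV
HEADER_PREFIX = "$ANSIBLE_VAULT;"


def parse_vault(text: str) -> dict:
    """Split an envelope into header fields and (salt, hmac, ciphertext) bytes.
    Leading whitespace is stripped so the body of a YAML '!vault |' scalar works too."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines or not lines[0].startswith(HEADER_PREFIX):
        raise ValueError("not an Ansible Vault envelope")
    fields = lines[0].split(";")        # $ANSIBLE_VAULT ; version ; cipher [; vault-id]
    version, cipher = fields[1], fields[2]
    vault_id = fields[3] if version == "1.2" and len(fields) > 3 else None
    if cipher != "AES256":
        raise ValueError(f"unsupported cipher {cipher}")
    # Body is hex( hex(salt) '\n' hex(hmac) '\n' hex(ciphertext) ), wrapped at 80 columns.
    body = unhexlify("".join(lines[1:]))
    salt_hex, mac_hex, ct_hex = body.split(b"\n")
    salt, mac, ct = unhexlify(salt_hex), unhexlify(mac_hex), unhexlify(ct_hex)
    if len(salt) != 32 or len(mac) != 32 or len(ct) % 16 != 0:
        raise ValueError("malformed vault body")
    return {"version": version, "vault_id": vault_id,
            "salt": salt, "hmac": mac, "ciphertext": ct}


def derive_keys(password: str, salt: bytes):
    """PBKDF2 stretches the vault password into AES key | HMAC key | CTR IV."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                             KDF_ITERATIONS, 2 * KEY_LEN + IV_LEN)
    return dk[:KEY_LEN], dk[KEY_LEN:2 * KEY_LEN], dk[2 * KEY_LEN:]


def verify_mac(text: str, password: str) -> bool:
    """Encrypt-then-MAC: reject wrong passwords or tampered data before touching AES."""
    env = parse_vault(text)
    _, mac_key, _ = derive_keys(password, env["salt"])
    expected = hmac.new(mac_key, env["ciphertext"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, env["hmac"])   # constant-time compare


def decrypt(text: str, password: str) -> bytes:
    """Full decryption; requires the 'cryptography' package (assumed installed)."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    if not verify_mac(text, password):
        raise ValueError("HMAC mismatch: wrong password or tampered ciphertext")
    env = parse_vault(text)
    aes_key, _, iv = derive_keys(password, env["salt"])
    dec = Cipher(algorithms.AES(aes_key), modes.CTR(iv)).decryptor()
    padded = dec.update(env["ciphertext"]) + dec.finalize()
    return padded[:-padded[-1]]          # Ansible PKCS7-pads before CTR; strip the pad


def is_encrypted(text: str) -> bool:
    """Pre-commit guard: True only if the content parses as a vault envelope."""
    try:
        parse_vault(text)
        return True
    except ValueError:
        return False


def build_envelope(password: str, salt: bytes, ciphertext: bytes, vault_id=None) -> str:
    """Constructed helper: wrap arbitrary bytes in an envelope with a genuine HMAC."""
    _, mac_key, _ = derive_keys(password, salt)
    mac = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    body = hexlify(b"\n".join([hexlify(salt), hexlify(mac), hexlify(ciphertext)])).decode()
    header = HEADER_PREFIX + ("1.2;AES256;" + vault_id if vault_id else "1.1;AES256")
    return "\n".join([header] + [body[i:i + 80] for i in range(0, len(body), 80)]) + "\n"


# Constructed demo input (not a real Ansible encryption of anything).
DEMO_PASSWORD = "correct horse battery staple"
DEMO_SALT = bytes(range(32))
DEMO_CT = hashlib.sha256(b"demo ciphertext").digest()   # 32 bytes, block-aligned
DEMO_ENVELOPE = build_envelope(DEMO_PASSWORD, DEMO_SALT, DEMO_CT)

if __name__ == "__main__":
    print(DEMO_ENVELOPE)
    print("mac ok:", verify_mac(DEMO_ENVELOPE, DEMO_PASSWORD))
    print("mac ok with wrong password:", verify_mac(DEMO_ENVELOPE, "wrong"))
    print("plaintext file looks encrypted:", is_encrypted("my_password: password123\n"))
```

The MAC check runs before any AES operation, which is the order Ansible uses as well: a wrong password or a single flipped ciphertext byte is rejected by the HMAC without ever producing (possibly attacker-influenced) plaintext. For a pre-commit hook, run is_encrypted() over every file under your vault directory and fail the commit when it returns False, which catches the case where ansible-vault decrypt was run and the file was never re-encrypted.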