Ansible Vault

Introduction to Ansible Vault

Ansible Vault is a feature of Ansible that allows you to keep sensitive data, such as passwords or keys, in encrypted files, rather than as plaintext in playbooks or roles. These files can then be used within your playbooks, and Ansible will decrypt them on-the-fly.


Installation of Ansible Vault

Ansible Vault is included by default when you install Ansible, so no additional installation is needed.


Creating Encrypted Files

To create a new encrypted file, use the ansible-vault create command followed by the name of the file you want to create:

ansible-vault create secrets.yml

You'll be prompted to enter a password that will be used to encrypt the file. You'll need to remember this password for later, as you'll be prompted for it whenever you wish to edit the file.


Editing Encrypted Files

To edit an encrypted file, use the ansible-vault edit command:

ansible-vault edit secrets.yml

Again, you'll be prompted to enter the password you used when creating the file.


Encrypting Existing Files

If you already have a file that you want to encrypt, you can use the ansible-vault encrypt command:

ansible-vault encrypt existingfile.yml

Decrypting Files

If you want to decrypt a file, perhaps because you no longer need it to be secure, you can use the ansible-vault decrypt command:

ansible-vault decrypt secrets.yml
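
A check that files meant to be encrypted really are, for instance after ansible-vault decrypt has been run on one of them. This is an added example, not part of the original page; the function names and the secrets*.yml naming pattern are assumptions. It relies on the header line ($ANSIBLE_VAULT;<version>;AES256) that Ansible writes at the top of every vault-encrypted file:

```shell
#!/bin/sh
# Added example: report variable files that are NOT vault-encrypted.
# A vault-encrypted file starts with a header line such as
#   $ANSIBLE_VAULT;1.1;AES256
# (format version 1.2 appends a vault ID label after the cipher name).

# Return 0 if the first line of file $1 is an Ansible Vault header,
# 1 if it is anything else (including an empty file), 2 if $1 is not a file.
is_vault_encrypted() {
    [ -f "$1" ] || return 2
    first_line=''
    # read fails on a last line without newline; keep what it did read.
    IFS= read -r first_line < "$1" || [ -n "$first_line" ] || return 1
    case "$first_line" in
        '$ANSIBLE_VAULT;'[0-9].[0-9]';AES256'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every file under directory $1 whose name matches $2 (default
# 'secrets*.yml', an assumed naming convention) and that is not encrypted.
# Returns 1 if any plaintext file was found, so it can gate a commit or CI job.
find_plaintext_secrets() {
    dir=${1:-.}
    pattern="${2:-secrets*.yml}"
    found=0
    # A temp file keeps $found out of a pipeline subshell.
    list=$(mktemp) || return 2
    find "$dir" -type f -name "$pattern" > "$list"
    while IFS= read -r f; do
        if ! is_vault_encrypted "$f"; then
            printf 'NOT ENCRYPTED: %s\n' "$f"
            found=1
        fi
    done < "$list"
    rm -f "$list"
    return "$found"
}
```

Calling find_plaintext_secrets on the repository root from a pre-commit hook or CI step blocks a commit that contains a decrypted secrets file.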

Changing the Password of Encrypted Files

If you want to change the password of an encrypted file, you can use the ansible-vault rekey command:

ansible-vault rekey secrets.yml

Using Encrypted Files in Playbooks

In your playbooks, you can use encrypted files just like any other variables file. For example, if you have an encrypted file named secrets.yml, you can include it in your playbook like this:

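---
- hosts: servers
  # Variables are loaded from the vault-encrypted file and decrypted at run time
  vars_files:
    - secrets.yml
  tasks:
    - name: print secret
      # Shows the decrypted value of "secret" in the playbook output
      debug:
        var: secret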

When you run the playbook, you'll need to provide the password for the encrypted file. You can do this with the --ask-vault-pass flag:

ansible-playbook site.yml --ask-vault-pass

Conclusion

Ansible Vault is a powerful tool that allows you to securely store and use sensitive data in your Ansible playbooks. By using Vault, you can keep your secrets safe and out of your playbooks, making your Ansible use more secure.