How to use an Ansible Vault in an Ansible Playbook?

How to use an Ansible Vault to Protect Sensitive Data such as passwords, access keys, etc. I will show you a live Playbook with some simple Ansible code. I’m Luca Berton, and welcome to today’s episode of Ansible Pilot.

Ansible Vault

  • Included in Ansible installation
  • ansible-vault command line

Ansible Vault is included in every Ansible installation for the most modern operating system. It includes all the software encryption and a handy command line utility (ansible-vault) to encrypt, modify, change passwords or decrypt files. The encryption of the Ansible Vault files is strong and relies on the AES256 cipher.

Playbook

Use Ansible Vault in Ansible Playbook

I will show you how to use Ansible Vault in Ansible Playbook to store passwords. This example uses a simple playbook that displays on screen a variable and one Ansible vault to store the variable encrypted on disk. In the real world, you can use the variable with any Ansible module without printing on the screen.

code without Vault

  • playbook_without_vault.yml
---
- name: Playbook without Vault
  hosts: all
  vars:
    mypassword: mysupersecretpassword
  tasks:
    - name: print variable
      ansible.builtin.debug:
        var: mypassword

execution without Vault

$ ansible-playbook -i inventory playbook_without_vault.yml 

PLAY [Playbook without Vault] ***********************************************************

TASK [Gathering Facts] ******************************************************************
[WARNING]: Platform darwin on host  demo.example.com is using the discovered Python interpreter
at /opt/homebrew/bin/python3.10, but future installation of another Python interpreter
could change the meaning of that path. See https://docs.ansible.com/ansible-
core/2.13/reference_appendices/interpreter_discovery.html for more information.
ok: [ demo.example.com]

TASK [print variable] *******************************************************************
ok: [ demo.example.com] => {
    "mypassword": "mysupersecretpassword"
}

PLAY RECAP ******************************************************************************
 demo.example.com                  : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

code with Vault

  • playbook_with_vault.yml
---
- name: Playbook with Vault
  hosts: all
  tasks:
    - name: include vault
      ansible.builtin.include_vars:
        file: mypassword.yml

    - name: print variable
      ansible.builtin.debug:
        var: mypassword
  • mypassword.yml
$ANSIBLE_VAULT;1.1;AES256
35623739386664386238326639623130343635396432393037383666306431623833666266623730
3431326532383363303333336636366338313730613733360a616466373932623131626632613737
66326237653963613031326464353066346161666265623939643235396563646236613566643230
3630393737373765370a613331363034613233613339666334626362363063313738653334333863
34643466653963363338343434643865353536313934626335653239363763626134346433633738
6461383632663566313664666232636135643631663936633966

execution with Vault

$ ansible-playbook -i inventory --ask-vault-password playbook_with_vault.yml
Vault password: 

PLAY [Playbook with Vault] **************************************************************

TASK [Gathering Facts] ******************************************************************
ok: [ demo.example.com]

TASK [include vault] ********************************************************************
ok: [ demo.example.com]

TASK [print variable] *******************************************************************
ok: [ demo.example.com] => {
    "mypassword": "mysupersecretpassword"
}

PLAY RECAP ******************************************************************************
 demo.example.com                  : ok=3    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

execution with Vault (password forget)

$ ansible-playbook -i inventory playbook_with_vault.yml 

PLAY [Playbook with Vault] **************************************************************

TASK [Gathering Facts] ******************************************************************
ok: [ demo.example.com]

TASK [include vault] ********************************************************************
fatal: [ demo.example.com]: FAILED! => {"ansible_facts": {}, "ansible_included_var_files": [], "changed": false, "message": "Attempting to decrypt but no vault secrets found"}

PLAY RECAP ******************************************************************************
 demo.example.com                  : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

Conclusion

Now you know how to use Ansible Vault in Ansible Playbook.

Subscribe to the YouTube channel, Medium, and Website, X (formerly Twitter) to not miss the next episode of the Ansible Pilot.

Academy

Learn the Ansible automation technology with some real-life examples in my Udemy 300+ Lessons Video Course.

BUY the Complete Udemy 300+ Lessons Video Course

My book Ansible By Examples: 200+ Automation Examples For Linux and Windows System Administrator and DevOps

BUY the Complete PDF BOOK to easily Copy and Paste the 250+ Ansible code

Want to keep this project going? Please donate

Patreon Buy me a Pizza