Ansible Pilot

Use Ansible Vault in Ansbile Playbook - ansible vault

How to use an Ansible Vault in an Ansible Playbook to store a password variable encrypted on disk.

November 13, 2022
Access the Complete Video Course and Learn Quick Ansible by 200+ Practical Lessons

How to use an Ansible Vault in an Ansible Playbook?

How to use an Ansible Vault to Protect Sensitive Data such as passwords, access keys, etc. I will show you a live demo with some simple Ansible code. I’m Luca Berton, and welcome to today’s episode of Ansible Pilot.

Ansible Vault

Ansible Vault is included in every Ansible installation for the most modern operating system. It includes all the software encryption and a handy command line utility (ansible-vault) to encrypt, modify, change passwords or decrypt files. The encryption of the Ansible Vault files is strong and relies on the AES256 cipher.

The Best Resources For Ansible

Video Course

Books

demo

Use Ansible Vault in Ansible Playbook

I will show you how to use Ansible Vault in Ansible Playbook to store passwords. This example uses a simple playbook that displays on screen a variable and one Ansible vault to store the variable encrypted on disk. In the real world, you can use the variable with any Ansible module without printing on the screen.

code without Vault

---
- name: Playbook without Vault
  hosts: all
  vars:
    mypassword: mysupersecretpassword
  tasks:
    - name: print variable
      ansible.builtin.debug:
        var: mypassword

execution without Vault

$ ansible-playbook -i inventory playbook_without_vault.yml 

PLAY [Playbook without Vault] ***********************************************************

TASK [Gathering Facts] ******************************************************************
[WARNING]: Platform darwin on host  demo.example.com is using the discovered Python interpreter
at /opt/homebrew/bin/python3.10, but future installation of another Python interpreter
could change the meaning of that path. See https://docs.ansible.com/ansible-
core/2.13/reference_appendices/interpreter_discovery.html for more information.
ok: [ demo.example.com]

TASK [print variable] *******************************************************************
ok: [ demo.example.com] => {
    "mypassword": "mysupersecretpassword"
}

PLAY RECAP ******************************************************************************
 demo.example.com                  : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

code with Vault

---
- name: Playbook with Vault
  hosts: all
  tasks:
    - name: include vault
      ansible.builtin.include_vars:
        file: mypassword.yml

    - name: print variable
      ansible.builtin.debug:
        var: mypassword
$ANSIBLE_VAULT;1.1;AES256
35623739386664386238326639623130343635396432393037383666306431623833666266623730
3431326532383363303333336636366338313730613733360a616466373932623131626632613737
66326237653963613031326464353066346161666265623939643235396563646236613566643230
3630393737373765370a613331363034613233613339666334626362363063313738653334333863
34643466653963363338343434643865353536313934626335653239363763626134346433633738
6461383632663566313664666232636135643631663936633966

execution with Vault

$ ansible-playbook -i inventory --ask-vault-password playbook_with_vault.yml
Vault password: 

PLAY [Playbook with Vault] **************************************************************

TASK [Gathering Facts] ******************************************************************
ok: [ demo.example.com]

TASK [include vault] ********************************************************************
ok: [ demo.example.com]

TASK [print variable] *******************************************************************
ok: [ demo.example.com] => {
    "mypassword": "mysupersecretpassword"
}

PLAY RECAP ******************************************************************************
 demo.example.com                  : ok=3    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

execution with Vault (password forget)

$ ansible-playbook -i inventory playbook_with_vault.yml 

PLAY [Playbook with Vault] **************************************************************

TASK [Gathering Facts] ******************************************************************
ok: [ demo.example.com]

TASK [include vault] ********************************************************************
fatal: [ demo.example.com]: FAILED! => {"ansible_facts": {}, "ansible_included_var_files": [], "changed": false, "message": "Attempting to decrypt but no vault secrets found"}

PLAY RECAP ******************************************************************************
 demo.example.com                  : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

Recap

Now you know how to use Ansible Vault in Ansible Playbook.

Subscribe to the YouTube channel, Medium, Website, Twitter, and Substack to not miss the next episode of the Ansible Pilot.

Academy

Learn the Ansible automation technology with some real-life examples in my

My book Ansible By Examples: 200+ Automation Examples For Linux and Windows System Administrator and DevOps

BUY the Complete PDF BOOK to easily Copy and Paste the 200+ Ansible code

Want to keep this project going? Please donate

Access the Complete Video Course and Learn Quick Ansible by 200+ Practical Lessons
Trustpilot
Follow me

Subscribe not to miss any new releases

FREE Top 10 Best Practices

Top 10 Best Practices of Ansible Automation: save time, reduce errors and stress