Use Ansible Vault in Ansbile Playbook - ansible vault
How to use an Ansible Vault in an Ansible Playbook to store a password variable encrypted on disk.
November 13, 2022
How to use an Ansible Vault in an Ansible Playbook?
How to use an Ansible Vault to Protect Sensitive Data such as passwords, access keys, etc. I will show you a live demo with some simple Ansible code. I’m Luca Berton, and welcome to today’s episode of Ansible Pilot.
Ansible Vault
- Included in Ansible installation
ansible-vaultcommand line
Ansible Vault is included in every Ansible installation for the most modern operating system.
It includes all the software encryption and a handy command line utility (ansible-vault) to encrypt, modify, change passwords or decrypt files.
The encryption of the Ansible Vault files is strong and relies on the AES256 cipher.
Links
The Best Resources For Ansible
Certifications
The Linux Foundation Linux Performance Tuning - Build a broad toolkit to optimize Linux performance from the kernel up
Coursera Pro - Unlimited access to 7,000+ world-class courses, hands-on projects, and job-ready certificate programs—all included in your subscription
Video Course
Printed Book
Ansible For VMware by Examples
Ansible for Kubernetes by Example
Hands-on Ansible Automation
Red Hat Ansible Automation Platform
eBooks
Ansible by Examples: 200+ Automation Examples For Linux and Windows System Administrator and DevOps
Ansible Cookbook: A Comprehensive Guide to Unleashing the Power of Ansible via Best Practices, Troubleshooting, and Linting Rules with Luca Berton
Terraform By Example: A Practical Approach for Beginners to Learn Cloud Infrastructure with Terraform
Ansible For Windows By Examples: 50+ Automation Examples For Windows System Administrator And DevOps
Ansible For Linux by Examples: 100+ Automation Examples For Linux System Administrator and DevOps
Ansible Linux Filesystem By Examples: 40+ Automation Examples on Linux File and Directory Operation for Modern IT Infrastructure
Ansible For Security by Examples: 100+ Automation Examples to Automate Security and Verify Compliance for IT Modern Infrastructure
Ansible Tips and Tricks: 10+ Ansible Examples to Save Time and Automate More Tasks
Ansible Linux Users & Groups By Examples: 20+ Automation Examples on Linux Users and Groups Operation for Modern IT Infrastructure
Ansible For PostgreSQL by Examples: 10+ Examples To Automate Your PostgreSQL database
Ansible For Amazon Web Services AWS By Examples: 10+ Examples To Automate Your AWS Modern Infrastructure
Ansible Automation Platform By Example: A step-by-step guide for the most common user scenarios
demo
Use Ansible Vault in Ansible Playbook
I will show you how to use Ansible Vault in Ansible Playbook to store passwords. This example uses a simple playbook that displays on screen a variable and one Ansible vault to store the variable encrypted on disk. In the real world, you can use the variable with any Ansible module without printing on the screen.
code without Vault
- playbook_without_vault.yml
---
- name: Playbook without Vault
hosts: all
vars:
mypassword: mysupersecretpassword
tasks:
- name: print variable
ansible.builtin.debug:
var: mypassword
execution without Vault
$ ansible-playbook -i inventory playbook_without_vault.yml
PLAY [Playbook without Vault] ***********************************************************
TASK [Gathering Facts] ******************************************************************
[WARNING]: Platform darwin on host demo.example.com is using the discovered Python interpreter
at /opt/homebrew/bin/python3.10, but future installation of another Python interpreter
could change the meaning of that path. See https://docs.ansible.com/ansible-
core/2.13/reference_appendices/interpreter_discovery.html for more information.
ok: [ demo.example.com]
TASK [print variable] *******************************************************************
ok: [ demo.example.com] => {
"mypassword": "mysupersecretpassword"
}
PLAY RECAP ******************************************************************************
demo.example.com : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
code with Vault
- playbook_with_vault.yml
---
- name: Playbook with Vault
hosts: all
tasks:
- name: include vault
ansible.builtin.include_vars:
file: mypassword.yml
- name: print variable
ansible.builtin.debug:
var: mypassword
- mypassword.yml
$ANSIBLE_VAULT;1.1;AES256
35623739386664386238326639623130343635396432393037383666306431623833666266623730
3431326532383363303333336636366338313730613733360a616466373932623131626632613737
66326237653963613031326464353066346161666265623939643235396563646236613566643230
3630393737373765370a613331363034613233613339666334626362363063313738653334333863
34643466653963363338343434643865353536313934626335653239363763626134346433633738
6461383632663566313664666232636135643631663936633966
execution with Vault
$ ansible-playbook -i inventory --ask-vault-password playbook_with_vault.yml
Vault password:
PLAY [Playbook with Vault] **************************************************************
TASK [Gathering Facts] ******************************************************************
ok: [ demo.example.com]
TASK [include vault] ********************************************************************
ok: [ demo.example.com]
TASK [print variable] *******************************************************************
ok: [ demo.example.com] => {
"mypassword": "mysupersecretpassword"
}
PLAY RECAP ******************************************************************************
demo.example.com : ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
execution with Vault (password forget)
$ ansible-playbook -i inventory playbook_with_vault.yml
PLAY [Playbook with Vault] **************************************************************
TASK [Gathering Facts] ******************************************************************
ok: [ demo.example.com]
TASK [include vault] ********************************************************************
fatal: [ demo.example.com]: FAILED! => {"ansible_facts": {}, "ansible_included_var_files": [], "changed": false, "message": "Attempting to decrypt but no vault secrets found"}
PLAY RECAP ******************************************************************************
demo.example.com : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
Recap
Now you know how to use Ansible Vault in Ansible Playbook.
Subscribe to the YouTube channel, Medium, and Website, X (formerly Twitter) to not miss the next episode of the Ansible Pilot.Academy
Learn the Ansible automation technology with some real-life examples in my
My book Ansible By Examples: 200+ Automation Examples For Linux and Windows System Administrator and DevOps
Donate
Want to keep this project going? Please donate
