@bretlinne
Forked from hvanderlaan/ansible-vault.md
Created October 24, 2017 05:22
Ansible-vault example


New in Ansible 1.5, "Vault" is a feature of ansible that allows keeping sensitive data such as passwords or keys in encrypted files, rather than as plaintext in your playbooks or roles. These vault files can then be distributed or placed in source control. To use this feature, the command line tool ansible-vault is used to edit the files, and ansible is invoked with the command line flag --ask-vault-pass or --vault-password-file. Alternately, you may specify the location of a password file, or tell Ansible to always prompt for the password, in your ansible.cfg file. These options require no command line flag.

Requirements

inventory file

First we need to create an inventory file that ansible can use together with host_vars or group_vars. For this example we use localhost (127.0.0.1) as the test host; please ensure SSH is enabled on this host.

[localhost]
127.0.0.1

[vault-test]
127.0.0.1

group_vars

For this example we need to create a file in the directory ./ansible/group_vars. The file must have the name of the group in the inventory file, so in this case we create the file vault-test.yml.

# insecure version
vi group_vars/vault-test.yml
  ansible_user: <your user account>
  ansible_ssh_pass: <your user password>
  ansible_become_pass: <your user password>
press: ESC :wq ENTER

Encryption of the ansible group_vars file

In the group_vars/vault-test.yml file all user credentials are in plain text. This is not recommended, therefore we use ansible-vault to encrypt this file.

# create a large random password for ansible-vault
openssl rand -base64 2048 > ansible-vault.pass

# let's encrypt the group_vars/vault-test.yml file with that password file
cd group_vars
ansible-vault encrypt vault-test.yml --vault-password-file=../ansible-vault.pass
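The step above is easy to forget on a new host_vars or group_vars file, so here is an added example (not part of the original gist) of a small POSIX shell check that refuses any vars file which still carries connection credentials in plaintext. It only inspects file contents, so it runs without ansible installed; the list of credential variable names in SECRET_KEYS is an assumption you can extend.

```shell
#!/bin/sh
# Added example: pre-commit style check for host_vars/group_vars directories.
# A file passes if it is fully vault-encrypted, or if its credential keys are
# absent or encrypted inline; it fails if a credential key has a plaintext value.

# Variable names that must never be committed in plaintext (assumed list).
SECRET_KEYS='ansible_ssh_pass|ansible_become_pass|ansible_password|ansible_sudo_pass'

# is_vaulted FILE: true if the whole file is ansible-vault encrypted.
# Both the 1.1 header and the 1.2 header (with a vault id) start this way.
is_vaulted() {
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;'
}

# has_plain_secrets FILE: true if a credential key is set to a plaintext value.
# A value encrypted inline with "ansible-vault encrypt_string" carries the
# YAML tag !vault and is not counted as plaintext.
has_plain_secrets() {
    grep -E "^[[:space:]]*($SECRET_KEYS)[[:space:]]*:" "$1" | grep -Evq '!vault'
}

# check_vars_dir DIR: print each offending file, return 1 if any was found.
check_vars_dir() {
    rc=0
    for f in "$1"/*.yml "$1"/*.yaml; do
        [ -f "$f" ] || continue
        is_vaulted "$f" && continue
        if has_plain_secrets "$f"; then
            echo "UNENCRYPTED CREDENTIALS: $f"
            rc=1
        fi
    done
    return "$rc"
}

# Stand-alone demo on constructed files. The vault body is a placeholder,
# not real ciphertext; only the header line is inspected.
demo_dir=$(mktemp -d)
printf 'ansible_user: alice\nansible_ssh_pass: hunter2\n' > "$demo_dir/vault-test.yml"
printf '$ANSIBLE_VAULT;1.1;AES256\n0000placeholder0000\n' > "$demo_dir/vaulted.yml"
if check_vars_dir "$demo_dir"; then
    echo "OK: no plaintext credentials found"
else
    echo "BLOCKED: encrypt the files listed above before committing"
fi
rm -rf "$demo_dir"
```

Run it from the directory that holds group_vars, e.g. `check_vars_dir group_vars`, or wire it into a git pre-commit hook.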

Running ansible with encrypted vault files

When a host_vars file, group_vars file or playbook is encrypted, you need to run ansible with the option --vault-password-file=<path to the password file>.

# run an ad hoc ansible command to update a Debian system
ansible -i inventory vault-test --vault-password-file=ansible-vault.pass \
        -b -m apt -a "update_cache=yes upgrade=safe"
  # what does it do:
  # -i inventory -> provides the inventory file
  # vault-test   -> group that we are going to run ansible on (127.0.0.1)
  # --vault-password-file= -> location of the vault password file
  # -b           -> force become (sudo)
  # -m apt       -> use module apt
  # -a "...."    -> arguments for module apt

NOTES:

You could also create the encrypted file directly with ansible-vault; then you need to enter a password, and if you use this method you need to invoke ansible with --ask-vault-pass. It is also not recommended to store the vault password file in the ansible directory; it is better to store it in a secure location with minimal file permissions (0400 or 0600).
