Ansible vault example
New in Ansible 1.5, “Vault” is a feature of ansible that allows keeping sensitive data such as passwords or keys in encrypted files, rather than as plaintext in your playbooks or roles. These vault files can then be distributed or placed in source control. To enable this feature, a command line tool, ansible-vault is used to edit files, and a command line flag –ask-vault-pass or –vault-password-file is used. Alternately, you may specify the location of a password file or command Ansible to always prompt for the password in your ansible.cfg file. These options require no command line flag usage.
- ansible > 1.5
- inventory file
- host_vars or group_vars
- ansible directory best practices structure
first we need to create an inventory file that can be used by ansible with host_vars or group_vars. For this example we are going to use localhost aka 127.0.0.1 as test host. please ensure ssh is enabled on this host.
[localhost] 127.0.0.1 [vault-test] 127.0.0.1
for this example we need to create a file in the directory
./ansible/group_vars, the file must have the name of the group in the inventory file. in this case we create the file
# insecure version vi group_vars/vault-test.yml ansible_user: <your user account> ansible_ssh_pass: <your user password> ansible_become_pass: <your user password> press: ESC :wq ENTER
Encyption of the ansible group_vars file
In the group_vars/vault-test file all user credentials are in plain text. This is not recommended, therefor we can use ansible-vault to encrypt these files
# create large random password for ansible-vault openssl rand -base64 2048 > ansible-vault.pass # lets encrypt the group_vars/vault-test file cd group_vars ansible-vault encrypt vault-test.yml --vault-password-file=../ansible-vault.pass
Running ansible with encrypte vault files
When we encrypt a host_vars, group_vars file or playbook you need to run ansible with the option
# running ansible adhoc for update a debian system ansible -i inventory vault-test --vault-password-file=ansible-vault.pass \ -b -m apt -a "update_cache=yes upgrade=safe" # what does it do: # -i inventory -> provides the inventory file # vault-test -> group that we are going to run ansible on (127.0.0.1) # --vault-password-file= -> location of the vault password file # -b -> force become (sudo) # -m apt -> use module apt # -a "...." -> arguments for module apt
you could directly create encrypted file with ansible-vault then you need to enter a password if you use this methode you need to invoke ansible with
also it is not recommended to store the vault password file in the ansible directory it is better to store it on a secure location with minimal system permissions (0400 or 0600).