Ansible Vault
What is Ansible Vault?
Ansible is a configuration management tool. While working with Ansible, we create playbooks, inventory files, variable files, and so on. Some of these files contain sensitive data such as usernames and passwords. Ansible provides a feature named Ansible Vault that prevents this data from being exposed: it keeps passwords and other sensitive data in an encrypted file rather than in plain text, and access to the encrypted content is protected by a vault password.
Ansible Vault supports the following operations:
Create an encrypted file
Decrypt a file
Encrypt a file
View an encrypted file without breaking the encryption
Edit an encrypted file
Generate or reset the encrypted key
Create an encrypted file
Use the ansible-vault create command to create an encrypted file:
[user1@controller demo-vault]$ ansible-vault create secret-playbook.yaml
New Vault password:
Confirm New Vault password:
After typing this command, it asks for a password. This is the vault password, and it will be needed later to decrypt, view or edit the file.
---
# sample playbook to test vault: secret-playbook.yaml
- hosts: localhost
  become: yes
  vars:
    ansible_sudo_pass: Srv@123?
  tasks:
    - name: install httpd
      yum: name=httpd state=latest
Make user1 a sudoer, as we are working on localhost:
usermod -aG wheel UserName
Let's check that the file has been encrypted, using the cat command:
Decrypting a file
The ansible-vault decrypt command decrypts an encrypted file back to plain text on disk:
Encrypting a file
To encrypt an existing, unencrypted file, use the ansible-vault encrypt command:
Check the result with the cat secret-playbook.yaml command.
Decrypt a running playbook
Prior to Ansible 2.4, decrypting files at run time required the --ask-vault-pass parameter with either the ansible or the ansible-playbook command:
However, that has been deprecated. Since Ansible 2.4 the standard method of prompting for a password is the --vault-id option, as shown:
The @prompt suffix tells Ansible to prompt for the password.
A simple trick to avoid being prompted for a password every time you decrypt files at run time is to store the vault password in a file.
Prior to Ansible 2.4 the way to achieve this was the --vault-password-file parameter, which specifies the path to the file that contains the stored password.
However, just like the --ask-vault-pass option, the --vault-password-file option has been deprecated to pave the way for the --vault-id option, which takes the same path in the form label@path.
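Once the vault password lives in a file, that file is the secret that protects everything else, so a practitioner wants a pre-flight check before handing it to --vault-id. The script below is an added example, not code from this page or from the Ansible project: it checks that the password file is a regular, non-empty file readable only by its owner (mode 0600) and, when a repository root is given, that it is listed in .gitignore, then builds the ansible-playbook command line in the label@path form described above. The vault label "prod", the file name .vault_pass and the playbook name site.yml are assumptions chosen for the demo; ansible-playbook is only invoked if it is installed.

```python
import os
import shutil
import stat
import subprocess
import tempfile
from pathlib import Path


def check_vault_password_file(path, repo_root=None):
    """Return a list of problems with a vault password file (empty list = OK).

    Checks: regular file, not readable by group/others (0600), non-empty and,
    if repo_root is given, listed in that repository's .gitignore so it
    cannot be committed by accident.
    """
    problems = []
    p = Path(path)
    if not p.is_file():
        return [f"{p}: not a regular file"]
    mode = stat.S_IMODE(p.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{p}: mode {oct(mode)} is readable by group/others; use 0600")
    if p.stat().st_size == 0:
        problems.append(f"{p}: empty password file")
    if repo_root is not None:
        gitignore = Path(repo_root) / ".gitignore"
        patterns = gitignore.read_text().splitlines() if gitignore.is_file() else []
        if p.name not in patterns and str(p) not in patterns:
            problems.append(f"{p.name} is not listed in {gitignore}")
    return problems


def build_playbook_argv(playbook, vault_label, password_file):
    """Command line using the --vault-id label@path form (Ansible >= 2.4)."""
    return ["ansible-playbook", "--vault-id",
            f"{vault_label}@{password_file}", str(playbook)]


def run_playbook(playbook, vault_label, password_file, repo_root=None):
    """Refuse to run when the password file is badly protected; otherwise run
    ansible-playbook (if installed) and return the argv that was used."""
    problems = check_vault_password_file(password_file, repo_root)
    if problems:
        raise PermissionError("; ".join(problems))
    argv = build_playbook_argv(playbook, vault_label, password_file)
    if shutil.which("ansible-playbook") is not None:
        subprocess.run(argv, check=True)
    return argv


def demo():
    """Constructed scenario: a world-readable, un-ignored password file is
    rejected; after chmod 0600 and a .gitignore entry it passes."""
    repo = Path(tempfile.mkdtemp())
    pw = repo / ".vault_pass"          # assumed file name
    pw.write_text("constructed-demo-vault-password\n")
    os.chmod(pw, 0o644)
    before = check_vault_password_file(pw, repo)
    os.chmod(pw, 0o600)
    (repo / ".gitignore").write_text(".vault_pass\n")
    after = check_vault_password_file(pw, repo)
    argv = build_playbook_argv("site.yml", "prod", pw)   # assumed label/playbook
    return {"before": before, "after": after, "argv": argv}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The mode check uses the group and other permission bits rather than comparing against exactly 0600, so a file that is 0400 (read-only even for the owner) also passes, which is a reasonable choice for a password file that is never edited in place.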
It is not recommended to store passwords in plain text, because if anybody gets hold of the playbook file your security can be compromised. You therefore have two options:
encrypt the entire file, or
encrypt only the value of the variable.
Encrypt the value of the variable
Apart from encrypting an entire playbook, ansible-vault also gives you the ability to encrypt variables only. In most cases these are variables bearing highly confidential & sensitive information such as passwords and API keys.
To encrypt a single variable, use the encrypt_string subcommand:
The output above indicates that the value has been encrypted with AES-256. From here, copy the entire encrypted block starting at !vault |. Open the playbook file, delete the plaintext password value and paste the encrypted value in its place, as shown.
Save and exit the file. Now run the playbook and verify whether it will still display the value of the password stored in the my_secret variable.
The output above shows that we succeeded in encrypting the variable.
View an Encrypted File
To peek at an encrypted file without writing its plaintext to disk, use the ansible-vault view command:
Editing the encrypted file
If the file is encrypted and changes are required, use the ansible-vault edit command, which opens the decrypted content in your editor and re-encrypts it when you save.
Reset Ansible Vault Password
We can also reset or change the Vault's password. This is done using the rekey option:
and it is done.
Sources
https://www.redhat.com/sysadmin/introduction-ansible-vault
https://www.linuxtechi.com/use-ansible-vault-secure-sensitive-data/