Ansible Vault

What is Ansible Vault?

Ansible is a configuration management tool. While working with Ansible, we create playbooks, inventory files, variable files and so on, and some of these files contain sensitive data such as usernames and passwords. Ansible provides a feature named Ansible Vault that prevents this data from being exposed: it keeps passwords and other secrets in an encrypted file rather than in plain text, and access to the content is controlled by a vault password.
Ansible Vault supports several operations. Specifically, it can
  • Create an encrypted file
  • Decrypt a file
  • Encrypt a file
  • View an encrypted file without removing the encryption
  • Edit an encrypted file
  • Change (rekey) the vault password of an encrypted file

Create an encrypted file

Use the ansible-vault create command to create an encrypted file:
[[email protected] demo-vault]$ ansible-vault create secret-playbook.yaml
New Vault password:
Confirm New Vault password:
The command prompts for a vault password; remember it, because the same password is needed for every later operation on the file.
---
# sample playbook to test vault: secret-playbook.yaml

- hosts: localhost
  become: yes
  vars:
    ansible_sudo_pass: '[email protected]?'
  tasks:
    - name: install httpd
      yum: name=httpd state=latest
Because the play targets localhost with become: yes, the user running it must be a sudoer; add the user to the wheel group first: usermod -aG wheel UserName
Let's check that the file has been encrypted, using the cat command:
[[email protected] demo-vault]$ cat secret-playbook.yaml
$ANSIBLE_VAULT;1.1;AES256
36653530663931656132366133626365386535333264636262343036666333613439623866643138
3436393663653034306466356162623235326363616266380a623963316131613933633161353064
66333662636136356464313038326538336132666133653761393265323166393637653236393333
3831366364393335340a613739366539353434333738363937306137323966323935626366663634
62646433353337313831356138626531393562656264643734353531623537346464353230366566
36613839643366626364626635333866346134623431633365363164303131383830353033363332
64613066646665343264343361643434623131666232353733396434663232393763623932656339
36623461376561333836313761623035396564643630653461383531333762326464656162643031
65393238613035393839323632353633613964396230623332643261643761636239323732356463
62663735636663353864333439356666366261373839353630633839333366373231616163626638
61313565613261383037386461313863326332646163653831636133373064333863613331613561
65623431393864396534646461363135643532656637663838623337373631373336303533316530
62633237646339363962336564323332356431373632393433343266623233636466313562323463
3432316237646364636263303232623331633836363330666263

Decrypting a file

The ansible-vault decrypt command decrypts an encrypted file in place:
[[email protected] demo-vault]$ ansible-vault decrypt secret-playbook.yaml
Vault password:
Decryption successful
[[email protected] demo-vault]$ cat secret-playbook.yaml
---
# sample playbook to test vault: secret-playbook.yaml

- hosts: localhost
  become: yes
  vars:
    ansible_sudo_pass: '[email protected]?'
  tasks:
    - name: install httpd
      yum: name=httpd state=latest

Encrypting a file

To encrypt an existing plaintext file, use the ansible-vault encrypt command:
[[email protected] demo-vault]$ ansible-vault encrypt secret-playbook.yaml
New Vault password:
Confirm New Vault password:
Encryption successful
Check the result with cat secret-playbook.yaml.

Decrypting a playbook at run time

[[email protected] demo-vault]$ ansible-playbook secret-playbook.yaml
ERROR! Attempting to decrypt but no vault secrets found
Running an encrypted playbook without supplying the vault password fails with the error above. Prior to Ansible 2.4, decrypting files at run time required the --ask-vault-pass parameter, which works with both the ansible and ansible-playbook commands:
[[email protected] demo-vault]$ ansible-playbook secret-playbook.yaml --ask-vault-pass
Vault password:

PLAY [localhost] ************************************************************************************************************************

TASK [Gathering Facts] ******************************************************************************************************************
ok: [localhost]

TASK [install httpd] ********************************************************************************************************************
changed: [localhost]

PLAY RECAP ******************************************************************************************************************************
localhost : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
However, that has been deprecated. Since Ansible 2.4 the standard way to prompt for a password is the --vault-id option:
[[email protected] demo-vault]$ ansible-playbook secret-playbook.yaml --vault-id @prompt
Vault password (default):

PLAY [localhost] ************************************************************************************************************************

TASK [Gathering Facts] ******************************************************************************************************************
ok: [localhost]

TASK [install httpd] ********************************************************************************************************************
ok: [localhost]

PLAY RECAP ******************************************************************************************************************************
localhost : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
The @prompt value tells Ansible to ask for the password interactively.
To avoid being prompted every time you run a playbook that decrypts files, store the vault password in a file:
[[email protected] demo-vault]$ cat password.txt
Prior to Ansible 2.4 this was done with the --vault-password-file parameter, which takes the path of the file containing the stored password:
[[email protected] demo-vault]$ ansible-playbook secret-playbook.yaml --vault-password-file password.txt

PLAY [localhost] ************************************************************************************************************************

TASK [Gathering Facts] ******************************************************************************************************************
ok: [localhost]

TASK [install httpd] ********************************************************************************************************************
ok: [localhost]

PLAY RECAP ******************************************************************************************************************************
localhost : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
However, just like --ask-vault-pass, the --vault-password-file option has been deprecated in favour of --vault-id, which accepts the password file directly:
[[email protected] demo-vault]$ ansible-playbook secret-playbook.yaml --vault-id password.txt

PLAY [localhost] ************************************************************************************************************************

TASK [Gathering Facts] ******************************************************************************************************************
ok: [localhost]

TASK [install httpd] ********************************************************************************************************************
ok: [localhost]

PLAY RECAP ******************************************************************************************************************************
localhost : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Storing passwords in plain text is not recommended: anyone who gets hold of the playbook file gets the password with it. You therefore have two options:
  • encrypt the entire file, or
  • encrypt only the value of the variable.

Encrypt the value of the variable

Apart from encrypting an entire playbook, ansible-vault also lets you encrypt individual variables. In most cases these are variables holding highly confidential and sensitive information such as passwords and API keys.
To encrypt a variable, use the encrypt_string subcommand:
[[email protected] demo-vault]$ ansible-vault encrypt_string '[email protected]?' --name 'ansible_sudo_pass'
New Vault password:
Confirm New Vault password:
ansible_sudo_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
32666633333939326632336237663262383465663232666633373263393939623439386663643336
3638373263343738613466633765383836353739383733650a643661623131633861396262613861
33663035363334653866623165333337623566376165663739313332333033313939333739343730
6135653863653962350a633161396262353462353636663566656433663632313264373037653562
3233
Encryption successful
The header in the output shows that the value has been encrypted with AES-256. Copy everything from !vault | to the end of the hex block, open the playbook, delete the plaintext password value and paste the encrypted value in its place:
---
# sample playbook to test vault: unenc-playbook.yaml

- hosts: localhost
  become: yes

  vars:
    ansible_sudo_pass: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      32666633333939326632336237663262383465663232666633373263393939623439386663643336
      3638373263343738613466633765383836353739383733650a643661623131633861396262613861
      33663035363334653866623165333337623566376165663739313332333033313939333739343730
      6135653863653962350a633161396262353462353636663566656433663632313264373037653562
      3233
  tasks:
    - name: install httpd
      yum: name=httpd state=latest

    - name: print a secure variable
      debug:
        var: ansible_sudo_pass
Save and exit. Now run the playbook and check whether it still displays the value stored in the ansible_sudo_pass variable:
[[email protected] demo-vault]$ ansible-playbook unenc-playbook.yaml --ask-vault-pass
Vault password:

PLAY [localhost] ************************************************************************************************************************

TASK [Gathering Facts] ******************************************************************************************************************
ok: [localhost]

TASK [install httpd] ********************************************************************************************************************
ok: [localhost]

TASK [print a secure variable] **********************************************************************************************************
ok: [localhost] => {
    "ansible_sudo_pass": "[email protected]?"
}

PLAY RECAP ******************************************************************************************************************************
localhost : ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
The output shows that the encrypted variable still works: Ansible decrypts it transparently at run time with the vault password, while the playbook on disk holds only the ciphertext.
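As an added example, not code from the original page, here is a small standard-library Python check covering two points above: it validates the layout of an AES256 vault envelope such as the encrypt_string output (salt, HMAC and ciphertext, which can be checked without the vault password), and it flags secret-looking variables that are still plain text, the situation the two options above are meant to avoid. PAGE_VAULT_STRING is copied from the encrypt_string output; the keyword list in the regex is my own assumption.

```python
"""Vault hygiene checks for playbooks: added example, standard library only."""
import binascii
import re

# Envelope copied from the encrypt_string output above; only its layout is
# inspected here, so no vault password is needed.
PAGE_VAULT_STRING = """$ANSIBLE_VAULT;1.1;AES256
32666633333939326632336237663262383465663232666633373263393939623439386663643336
3638373263343738613466633765383836353739383733650a643661623131633861396262613861
33663035363334653866623165333337623566376165663739313332333033313939333739343730
6135653863653962350a633161396262353462353636663566656433663632313264373037653562
3233"""

# Heuristic (assumed keyword list): a key or list item containing pass/secret/token.
SECRET_KEY_RE = re.compile(r"^\s*(?:-\s+)?(\w*(?:pass|secret|token)\w*)\s*:\s*(.*)$", re.I)


def parse_vault_envelope(vault_text: str) -> dict:
    """Split an AES256 vault envelope (format 1.1, or 1.2 with a vault-id label).

    The outer hex wraps 'salt_hex\\nhmac_hex\\ncipher_hex': a 32-byte salt, a
    32-byte HMAC-SHA256 over the ciphertext, and AES-CTR output over
    PKCS#7-padded plaintext, hence a multiple of 16 bytes.
    """
    lines = [ln.strip() for ln in vault_text.strip().splitlines() if ln.strip()]
    fields = lines[0].split(";")
    if (len(fields) < 3 or fields[0] != "$ANSIBLE_VAULT"
            or fields[1] not in ("1.1", "1.2") or fields[2] != "AES256"):
        raise ValueError("not an AES256 Ansible Vault envelope: %r" % lines[0])
    label = fields[3] if fields[1] == "1.2" and len(fields) > 3 else None
    inner = binascii.unhexlify("".join(lines[1:])).decode("ascii")
    salt, mac, cipher = (binascii.unhexlify(part) for part in inner.split("\n"))
    if len(salt) != 32 or len(mac) != 32 or not cipher or len(cipher) % 16:
        raise ValueError("vault envelope has unexpected field sizes")
    return {"version": fields[1], "label": label, "salt": salt,
            "hmac": mac, "ciphertext": cipher}


def find_plaintext_secrets(yaml_text: str) -> list:
    """Return (line_no, var_name) for secret-looking variables not tagged !vault.
    A '!vault |' value is encrypted at rest; anything else non-empty is reported.
    """
    findings = []
    for no, line in enumerate(yaml_text.splitlines(), 1):
        m = SECRET_KEY_RE.match(line)
        if m and m.group(2).strip() and not m.group(2).lstrip().startswith("!vault"):
            findings.append((no, m.group(1)))
    return findings
```

Run find_plaintext_secrets over every playbook and vars file in a pre-commit hook; the page's encrypt_string output parses as a 32-byte salt, a 32-byte HMAC and a single 16-byte ciphertext block, consistent with a short padded password.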

View an Encrypted File

To have a look at an encrypted file, use the ansible-vault view command; it decrypts to the screen without changing the file on disk:
[[email protected] demo-vault]$ ansible-vault view secret-playbook.yaml
Vault password:
---
# sample playbook to test vault: secret-playbook.yaml

- hosts: localhost
  become: yes
  vars:
    ansible_sudo_pass: '[email protected]?'
  tasks:
    - name: install httpd
      yum: name=httpd state=latest

Editing the encrypted file

To change an encrypted file, use the edit command; it opens the decrypted content in your editor and re-encrypts it when you save:
[[email protected] demo-vault]$ ansible-vault edit secret-playbook.yaml
Vault password:

Reset the Ansible Vault Password

We can also change the vault password of an encrypted file. This is done with the rekey subcommand, which asks for the current password and then for the new one:
[[email protected] demo-vault]$ ansible-vault rekey secret-playbook.yaml
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful
and it is done.