How to use an Ansible Vault in an Ansible Playbook?
How to use an Ansible Vault to Protect Sensitive Data such as passwords, access keys, etc.
I will show you a live Playbook with some simple Ansible code.
I'm Luca Berton, and welcome to today's episode of Ansible Pilot.
Ansible Vault
- Included in Ansible installation
- ansible-vault command line
Ansible Vault is included in every Ansible installation for most modern operating systems.
It bundles the encryption routines and a handy command-line utility (ansible-vault) to encrypt, edit, change the password of, or decrypt files.
The encryption of Ansible Vault files is strong and relies on the AES256 cipher.
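As an added example (not code from the episode or from the Ansible project), here is a small Python checker that parses the on-disk Ansible Vault envelope without decrypting it, so a pre-commit hook or CI job can refuse vars files that were accidentally committed in plaintext. It assumes the documented envelope layout (a `$ANSIBLE_VAULT;1.1;AES256` header, or `1.2` with a vault-id label, followed by a hex-encoded body carrying the salt, the HMAC-SHA256 tag and the AES256-CTR ciphertext); the sample vault file it builds is constructed from arbitrary bytes and is not a real `ansible-vault` encryption.

```python
"""Structural checks for Ansible Vault files (added example, not Ansible code).

Parses the vault envelope format documented at docs.ansible.com; it never
derives keys or decrypts, so it can run anywhere the vault password is absent.
"""
import binascii
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Header: $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id>] (vault-id only in 1.2)
HEADER_RE = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>1\.[12]);(?P<cipher>[A-Z0-9]+)(?:;(?P<vault_id>[^;\s]+))?$"
)


@dataclass
class VaultEnvelope:
    version: str
    cipher: str
    vault_id: Optional[str]
    salt: bytes        # 32-byte PBKDF2 salt
    hmac: bytes        # 32-byte HMAC-SHA256 tag over the ciphertext
    ciphertext: bytes  # AES256-CTR output (opaque here)


def parse_vault_envelope(text: str) -> VaultEnvelope:
    """Split a vault file into its fields; raise ValueError if it is not one."""
    lines = text.strip().splitlines()
    if not lines:
        raise ValueError("empty vault file")
    m = HEADER_RE.match(lines[0].strip())
    if not m:
        raise ValueError("missing $ANSIBLE_VAULT header: file is not vault-encrypted")
    if m["cipher"] != "AES256":
        raise ValueError(f"unsupported cipher {m['cipher']!r}")
    # The body is hex text wrapped at 80 columns. Decoding it once yields
    # three newline-separated hex fields: salt, HMAC tag, ciphertext.
    try:
        inner = binascii.unhexlify("".join(l.strip() for l in lines[1:])).decode("ascii")
        salt_hex, hmac_hex, ct_hex = inner.split("\n")
        salt, tag, ct = (binascii.unhexlify(x) for x in (salt_hex, hmac_hex, ct_hex))
    except (binascii.Error, ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"malformed vault payload: {exc}") from exc
    if len(salt) != 32 or len(tag) != 32:
        raise ValueError("salt and HMAC-SHA256 tag must both be 32 bytes")
    if not ct:
        raise ValueError("empty ciphertext")
    return VaultEnvelope(m["version"], m["cipher"], m["vault_id"], salt, tag, ct)


def is_vault_encrypted(text: str) -> bool:
    try:
        parse_vault_envelope(text)
        return True
    except ValueError:
        return False


def find_plaintext_secrets(files: Dict[str, str]) -> List[str]:
    """Paths (from a constructed path->content map) that are NOT vault-encrypted.

    Intended for files that must always be encrypted, e.g. group_vars/*/vault.yml.
    """
    return sorted(path for path, content in files.items() if not is_vault_encrypted(content))


def wrap_envelope(salt: bytes, tag: bytes, ct: bytes, vault_id: Optional[str] = None) -> str:
    """Lay out already-computed fields exactly as ansible-vault writes them.

    Only the framing is real; the bytes passed in here are constructed, not
    the output of a real encryption.
    """
    header = "$ANSIBLE_VAULT;" + (f"1.2;AES256;{vault_id}" if vault_id else "1.1;AES256")
    inner = b"\n".join(binascii.hexlify(x) for x in (salt, tag, ct))
    outer = binascii.hexlify(inner).decode("ascii")
    body = "\n".join(outer[i:i + 80] for i in range(0, len(outer), 80))
    return header + "\n" + body + "\n"


# Constructed samples: a plaintext vars file (the mistake to catch) and a
# vault file with placeholder salt/tag/ciphertext bytes.
PLAINTEXT_VARS = "mypassword: mysupersecretpassword\n"
SAMPLE_VAULT = wrap_envelope(bytes(range(32)), bytes(32), b"\xde\xad\xbe\xef" * 4)

if __name__ == "__main__":
    env = parse_vault_envelope(SAMPLE_VAULT)
    print(f"vault {env.version} {env.cipher}, {len(env.ciphertext)} ciphertext bytes")
    print("plaintext files:", find_plaintext_secrets(
        {"group_vars/all/vault.yml": PLAINTEXT_VARS, "group_vars/db/vault.yml": SAMPLE_VAULT}))
```

Run it in a pre-commit hook over every path that is expected to hold vault content; a file that fails `is_vault_encrypted` is one that would otherwise land in the repository with its secret readable, which is exactly the exposure the episode's vault setup is meant to prevent.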
Links
- https://docs.ansible.com/ansible/latest/user_guide/vault.html
Playbook
Use Ansible Vault in Ansible Playbook
I will show you how to use Ansible Vault in Ansible Playbook to store passwords.
This example uses a simple playbook that displays a variable on screen, and one Ansible Vault file to store that variable encrypted on disk.
In the real world, you can pass the variable to any Ansible module without printing it on screen.
code without Vault
- playbook_without_vault.yml
```yaml
---
- name: Playbook without Vault
  hosts: all
  vars:
    mypassword: mysupersecretpassword
  tasks:
    - name: print variable
      ansible.builtin.debug:
        var: mypassword
```
execution without Vault
```bash
$ ansible-playbook -i inventory playbook_without_vault.yml
PLAY [Playbook without Vault] *
TASK [Gathering Facts]
[WARNING]: Platform darwin on host demo.example.com is using the discovered Python interpreter
at /opt/homebrew/bin/python3.10, but future installation of another Python interpreter
could change the meaning of that path. See https://docs.ansible.com/ansible-
core/2.13/reference_appendices/interpreter_discovery.html for more information.
ok: [ demo.example.com]
TASK [print variable] *
ok: [ demo.example.com] => {
"mypassword": "mysupersecretpassword"
}
PLAY RECAP **
demo.example.com : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
```
code with Vault
- playbook_with_vault.yml
```yaml
---
- name: Playbook with Vault
h