Aishwary Prakash

DevOps Interview: Ansible Vault Commands and Usage

Ansible Vault is one of the most powerful features provided by Ansible. It is very useful when we are dealing with secrets, credentials, SSH keys or any other sensitive information in our playbooks or roles.

Let's say you want to add credentials to your playbook for some purpose and you don't want the password to be present in plain text. Here, you can use Ansible Vault to encrypt the original password. The main advantage is that the secret is then not readable by other users who can see the file.
We will see how to implement this. Hopefully you now have some idea of "Why do we need Ansible Vault?".

Encrypting a file using the ansible-vault command:

We can use the "ansible-vault create" command to create a new encrypted file.

e.g.- ansible-vault create your_name_of_playbook.yml

When you run the above command, it asks you for a password, which will be needed later to decrypt this file. It then creates a new file and opens it in the default text editor. Here you can enter the secrets that you want to encrypt. After adding the contents, save and close the editor. If you look at the file now, you can see that its contents are encrypted.

Editing the encrypted file:

We can modify the contents of an encrypted file using the "ansible-vault edit" command. Let's use one example.

e.g.- ansible-vault edit your_name_of_playbook.yml

When you run this command, it asks for the vault password that you gave when encrypting the file. Enter the correct vault password and it temporarily decrypts the file so you can modify the contents. Save and exit the editor. After the editor closes, the file is automatically re-encrypted.

Encrypting existing files:

You can also encrypt existing files using the "ansible-vault encrypt" command.

e.g.- ansible-vault encrypt your_name_of_playbook.yml

It asks you to set a new vault password, which will be needed when decrypting the file.

Note: you can also encrypt multiple files at once:
ansible-vault encrypt file1.yml file2.yml file3.yml

Now, if you want to decrypt a file, replace "encrypt" with "decrypt"; the rest of the command stays the same.
e.g.- ansible-vault decrypt your_name_of_playbook.yml

Here, it asks for the same vault password that you gave while encrypting.

So far we have discussed how to create, encrypt and decrypt files. Now, what if we want to change the vault password?

Are you excited to know about it? !!! :)

In Ansible, changing the vault password is called "rekeying". If you guessed that the command uses the word "rekey", you are correct.

So, the command is "ansible-vault rekey".
e.g.- ansible-vault rekey your_name_of_playbook.yml
It asks for the current vault password. After that, you enter a new vault password of your choice and confirm it. That's all, you are all set.

Now we have created encrypted files and want to use them in the main playbook. But how do we use them there?

It is very important to provide the vault password for the encrypted files while running the playbook; otherwise playbook execution will fail.

Let's see the plan:

1. Pass the vault password interactively:
e.g.- ansible-playbook main_playbook.yml --ask-vault-pass
It asks for the vault password of the encrypted file used in the main playbook.

2. Pass a file that contains the vault password:
e.g.- ansible-playbook main_playbook.yml --vault-id path_of_vault_password_file

3. Use vault_password_file: for this, set the path of the file containing the vault password in "ansible.cfg" (under the [defaults] section):
vault_password_file = path_of_vault_password_file

Then you can simply run "ansible-playbook main_playbook.yml". Ansible finds the vault password file from the configuration automatically.

Note: what's the difference between methods 2) and 3)???

Well, it's just a matter of whether you pass the password file on the command line every time (method 2) or configure it once so that the playbook runs without any extra interaction (method 3).
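As an added example (not code from the article), here is a small POSIX shell guard that a pre-commit hook can run so a vault file never reaches the repository in plain text. It checks only for the `$ANSIBLE_VAULT` envelope header that ansible-vault writes, so it runs without Ansible installed, and it reads the vault id label out of a format 1.2 header, the label that `--vault-id` matches on. The file paths and the hex body are constructed samples.

```shell
#!/bin/sh
# Added example, not from the article: refuse to commit a vault file that is
# still plain text. Only the header ansible-vault writes is inspected
# ($ANSIBLE_VAULT;<format>;AES256[;<vault-id>]), so Ansible is not required.

# Return 0 if FILE begins with an Ansible Vault header, 1 otherwise.
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# Print the vault id label from a 1.2 header, or "default" for a 1.1 header.
vault_id_of() {
    head -n 1 "$1" | awk -F';' '{ id = (NF >= 4) ? $4 : "default"; print id }'
}

# Check every FILE given, report each one, and return how many are plaintext.
check_vault_files() {
    bad=0
    for f in "$@"; do
        if is_vault_encrypted "$f"; then
            printf 'encrypted (vault-id=%s)  %s\n' "$(vault_id_of "$f")" "$f"
        else
            printf 'PLAINTEXT, refuse commit  %s\n' "$f" >&2
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# --- constructed sample repository layout (hypothetical paths) --------------
WORKDIR=$(mktemp -d)
mkdir -p "$WORKDIR/group_vars/prod" "$WORKDIR/group_vars/dev"
ENC_FILE="$WORKDIR/group_vars/prod/vault.yml"
PLAIN_FILE="$WORKDIR/group_vars/dev/vault.yml"

# Shape of a file after "ansible-vault encrypt" with vault id "prod": a header
# line followed by hex-encoded ciphertext (dummy hex here, not real output).
printf '%s\n' '$ANSIBLE_VAULT;1.2;AES256;prod' \
    '30623563386433663034656131663566326236386537313965353661343865393862' > "$ENC_FILE"

# A secrets file someone forgot to encrypt before committing.
printf '%s\n' 'db_password: hunter2' > "$PLAIN_FILE"

check_vault_files "$ENC_FILE" "$PLAIN_FILE"
rc=$?
if [ "$rc" -eq 0 ]; then
    echo "all vault files are encrypted"
else
    echo "$rc vault file(s) in plaintext; fix with: ansible-vault encrypt <file>"
fi
```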

I will explain “vault id significance” in the next article.

Hope you enjoyed it. Don’t forget to like it.

Top comments (2)

Simon Green

Probably messed up by the formatting, but main_playbook.yml — — ask-vault-pass should actually be main_playbook.yml --ask-vault-pass.

Aishwary Prakash

Yes, you are right. I have modified it. Thank you, Simon.