New in Ansible 1.5, “Vault” is a feature of ansible that allows keeping sensitive data such as passwords or keys in encrypted files, rather than as plaintext in your playbooks or roles. These vault files can then be distributed or placed in source control. To enable this feature, a command line tool, ansible-vault is used to edit files, and a command line flag –ask-vault-pass or –vault-password-file is used. Alternately, you may specify the location of a password file or command Ansible to always prompt for the password in your ansible.cfg file. These options require no command line flag usage.
- ansible > 1.5
- openssl
- inventory file
- host_vars or group_vars
- ansible directory best practices structure
first we need to create an inventory file that can be used by ansible with host_vars or group_vars. For this example we are going to use localhost aka 127.0.0.1 as test host. please ensure ssh is enabled on this host.
[localhost]
127.0.0.1
[vault-test]
127.0.0.1
for this example we need to create a file in the directory ./ansible/group_vars
, the file must have the name of the group in the inventory file. in this case we create the file vault-test.yml
.
# insecure version
vi group_vars/vault-test.yml
ansible_user: <your user account>
ansible_ssh_pass: <your user password>
ansible_become_pass: <your user password>
press: ESC :wq ENTER
In the group_vars/vault-test file all user credentials are in plain text. This is not recommended, therefor we can use ansible-vault to encrypt these files
# create large random password for ansible-vault
openssl rand -base64 2048 > ansible-vault.pass
# lets encrypt the group_vars/vault-test file
cd group_vars
ansible-vault encrypt vault-test.yml --vault-password-file=../ansible-vault.pass
When we encrypt a host_vars, group_vars file or playbook you need to run ansible with the option --vault-password-file=
# running ansible adhoc for update a debian system
ansible -i inventory vault-test --vault-password-file=ansible-vault.pass \
-b -m apt -a "update_cache=yes upgrade=safe"
# what does it do:
# -i inventory -> provides the inventory file
# vault-test -> group that we are going to run ansible on (127.0.0.1)
# --vault-password-file= -> location of the vault password file
# -b -> force become (sudo)
# -m apt -> use module apt
# -a "...." -> arguments for module apt
you could directly create encrypted file with ansible-vault then you need to enter a password if you use this methode you need to invoke ansible with --ask-vault-pass
also it is not recommended to store the vault password file in the ansible directory it is better to store it on a secure location with minimal system permissions (0400 or 0600).