Introduction:
In this tutorial we will explore Ansible Vault, a feature that ships with Ansible. We will discuss what Ansible Vault is and how it can be used to manage sensitive information such as passwords, API keys, files and other secret data.
Prerequisites:
You need to have Ansible installed to follow along with this tutorial. If you don’t have Ansible installed yet, follow this tutorial on how to install Ansible on Ubuntu 20.04.
Proceed with this guide once your server has been configured with the above requirements.
Table of Contents
- What is Ansible
- What is Ansible Vault
- How to use Ansible Vault
- Best Practices for Using Ansible Vault
- Conclusion
What is Ansible
Ansible is an open-source automation tool that simplifies IT tasks such as configuration management, application deployment, and orchestration by allowing users to automate repetitive tasks using simple, declarative YAML-based scripts called playbooks.
What is Ansible Vault
Ansible Vault is a feature of Ansible that provides a secure way to manage sensitive information such as API keys, passwords or other private data within your playbooks or files. Ansible Vault uses the AES256 algorithm, a symmetric form of encryption that uses a single key (or password) for both encrypting and decrypting data, unlike asymmetric encryption, which uses a public and private key pair. The actual encryption key is derived from the password you choose, so the strength of that password is the strength of the vault.
The ansible-vault command has several subcommands for working with files: create, edit, view, encrypt, decrypt, rekey, encrypt_string and decrypt_string.
How to use Ansible Vault
The ansible-vault command acts as the primary interface for managing encrypted content within Ansible. It encrypts files initially and then lets you view, edit, decrypt or rekey the encrypted data.
How to create a new encrypted file
Use the ansible-vault create command, followed by the name of the file, to create a new encrypted file. The command prompts you to enter and confirm the password for the new file.
ansible-vault create secret.yml
Your new file opens in your default text editor, where you can type your secrets and save.
Note: You can read the decrypted content later only by providing the password you set when the file was encrypted.
How to encrypt an existing file
Use the ansible-vault encrypt command, followed by the name of the file, to encrypt an already existing file.
ansible-vault encrypt file.txt
How to view an encrypted file
Use the ansible-vault view command, followed by the name of the file.
ansible-vault view secret.yml
How to edit an encrypted file
Use the ansible-vault edit command, followed by the name of the file.
ansible-vault edit secret.yml
How to decrypt an encrypted file
Use the ansible-vault decrypt command, followed by the name of the file.
ansible-vault decrypt file.txt
How to change the password of an encrypted file
Use the ansible-vault rekey command, followed by the name of the file.
ansible-vault rekey secret.yml
You will be prompted to enter the current password of the file, and afterwards you can enter and confirm the new password.
Saving your password to a file
Saving your password to a file (make sure the file is not tracked by version control) and specifying the path to that file is another way of performing the different operations without typing the password at the terminal prompt every time.
This password should be produced by a random password generator rather than hand-picked or hard coded, to increase security.
The password file should be kept private, with file permissions that restrict it to your own user, and it should never be committed to version control.
How to decrypt an encrypted file during playbook run-time
Let’s say, for instance, that you encrypt your inventory/hosts file, which contains the IP addresses of your managed servers. You can run your playbook without decrypting the file first: either specify the path to your password file in the command, or enter the password before the playbook runs.
--ask-vault-pass:
This prompts you to enter your vault password.
ansible-playbook -i ../hosts main.yml --key-file ~/.ssh/ansible --ask-vault-pass
--vault-password-file:
This reads the password from the given file directly, without prompting.
ansible-playbook -i ../hosts main.yml --key-file ~/.ssh/ansible --vault-password-file ~/ansible_vault/vault_pass.txt
Using encrypted variables in playbook
You can use an encrypted variable file in the normal way, by listing it under vars_files in your playbook; Ansible decrypts it at run time with the vault password supplied by one of the options above.
---
- name: Configure Servers (Ubuntu and CentOS)
  hosts: all
  vars_files:
    - secret_vars.yml
  become: true
  tasks:
    - name: Update Repository Index (Ubuntu and CentOS)
      package:
        update_cache: yes
      changed_when: false
    - name: Clone github repo
      git:
        repo: "{{ github_repo }}"
        dest: "/home/vagrant/test"
        force: yes
Best Practices for Using Ansible Vault
- Use Strong Passwords: Use long, randomly generated vault passwords; the encryption key is derived from the password, so a weak password means weak encryption.
- Version Control: Track encrypted files in version control, but never push your password file to it.
- Backup Encrypted Files: Prevent data loss with regular backups. An encrypted file without its password is unrecoverable, so back up the password securely as well.
- Password Access: Regularly audit who can read your password file. Use chmod (for example, chmod 600) to restrict its permissions to your own user.
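One way to check the version-control and password-file practices above mechanically, as an added example that is not part of this tutorial: the script below walks a project directory, flags YAML files that carry a secret-looking key in plaintext (a file produced by ansible-vault starts with the $ANSIBLE_VAULT header, and an encrypt_string value starts with the !vault tag), and verifies that the vault password file is owner-only and listed in .gitignore. The sample project it builds is constructed for the demo; its vault bodies are fake hex, not real ciphertext, and the password is a placeholder.

```python
"""Vault-hygiene audit for an Ansible project (added example; sample data is constructed)."""
import os, re, stat, tempfile
from fnmatch import fnmatch

# Keys whose value should be vault-encrypted rather than stored as readable text.
SECRET_KEY = re.compile(r"^\s*\w*(?:password|passwd|secret|token|api_key)\w*\s*:\s*(\S.*)$", re.I | re.M)


def classify_yaml(text):
    """Return 'vault-file', 'plaintext-secret', 'inline-vault' or 'clean'."""
    if text.startswith("$ANSIBLE_VAULT;"):
        return "vault-file"                # whole file produced by ansible-vault encrypt/create
    if any("!vault" not in m.group(1) for m in SECRET_KEY.finditer(text)):
        return "plaintext-secret"          # secret-looking key with a readable value
    return "inline-vault" if "!vault" in text else "clean"


def audit(project_dir, password_file):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for root, _, files in os.walk(project_dir):
        for name in (n for n in files if n.endswith((".yml", ".yaml"))):
            path = os.path.join(root, name)
            with open(path, encoding="utf-8") as fh:
                if classify_yaml(fh.read()) == "plaintext-secret":
                    findings.append(f"{os.path.relpath(path, project_dir)}: secret stored in plaintext")
    mode = stat.S_IMODE(os.stat(password_file).st_mode)
    if mode & 0o077:                       # group/other access to the vault password
        findings.append(f"{os.path.basename(password_file)}: mode {mode:o}, expected 600")
    gitignore = os.path.join(project_dir, ".gitignore")
    patterns = open(gitignore, encoding="utf-8").read().split() if os.path.exists(gitignore) else []
    rel = os.path.relpath(password_file, project_dir)
    if not any(fnmatch(rel, p) or fnmatch(os.path.basename(rel), p) for p in patterns):
        findings.append(f"{rel}: not listed in .gitignore")
    return findings


def demo():
    """Audit a constructed project: one vault file, one plaintext secret, an open password file."""
    d = tempfile.mkdtemp()
    os.makedirs(os.path.join(d, "group_vars"))
    sample = {
        "secret_vars.yml": "$ANSIBLE_VAULT;1.1;AES256\n3561626364\n",   # fake body, not ciphertext
        "group_vars/all.yml": "db_user: app\ndb_password: hunter2\n",    # constructed plaintext secret
        ".gitignore": "*.retry\n",
        "vault_pass.txt": "placeholder-vault-password\n",
    }
    for name, content in sample.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
            fh.write(content)
    os.chmod(os.path.join(d, "vault_pass.txt"), 0o644)   # deliberately too permissive
    return audit(d, os.path.join(d, "vault_pass.txt"))
```

Running demo() reports three findings: the plaintext db_password, the 644 mode on vault_pass.txt, and the password file missing from .gitignore.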
Conclusion
Ansible Vault is a useful tool for managing secret information stored in files by encrypting and decrypting them. To learn more about Ansible Vault, visit the official ansible-vault documentation page.