Ansible Vaults

Storing passwords in plain text within Ansible Playbooks poses a significant security risk. To mitigate this, it’s best to store sensitive variable values, such as passwords, in an Ansible Vault. Utilizing Ansible Vault enhances security by encrypting sensitive data, safeguarding it from unauthorized access or exposure.

Creating the Vault

A Vault can be created using the ‘ansible-vault’ command:

ansible-vault create vault.yml

You are asked to provide a password for the Vault. This password is used to encrypt the Vault's contents and to access it later.

Adding variables to the Vault

After the Vault is created, you can add information to it by opening it in your favorite editor (nano in this example):

EDITOR=nano ansible-vault edit vault.yml

Now that the Vault is open, you can add variables with sensitive information to it. When the editor is closed, the information is encrypted and safely stored.

Example

Assume you have a variable my_password: P@ssw0rd in your playbook that you want to store in a Vault.

Open the Vault and add the variable, but this time prefix the name with vault_, like so: vault_my_password: P@ssw0rd. Save the file. The variable is now securely stored and can be removed from the playbook.

Using variables stored in a Vault

Now that the variable is stored in the Vault, we must adjust the playbook accordingly. In this case we edit ‘group_vars/example/main.yml’; this can be any location that holds the variables for your project.

Add the following:

my_password: "{{ vault_my_password }}"

Previously the my_password variable showed the plain text password; now it points to the variable stored in the Ansible Vault. The password is read at runtime.

Running an Ansible Playbook, referencing a Vault

Vaults are found using Ansible’s naming and location scheme. That means that when you place a Vault in ‘/group_vars/example’, it will be found when you run a playbook against the ‘example’ host group.

When using the Vault with ansible-playbook, you can supply the Vault password with the --ask-vault-password switch.

Example

ansible-playbook main.yml --ask-vault-password
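The value of the procedure above is that a plaintext secret never has to live in a committed vars file: the playbook variable only carries a "{{ vault_… }}" reference and the real value sits in a file that ansible-vault has encrypted. The following script is an added example, not code from the original post or from the Ansible project, that checks a repository for exactly that pattern: it flags secret-looking variables whose value is not a vault_ reference, vault_ variables defined outside an encrypted file, and Vault files that were committed unencrypted. It needs no Ansible installation, only the file contents; the file names, the simple "key: value" parser, and the sample repository are assumptions constructed for the example (the Vault header is the real one, the ciphertext lines are made up).

```python
# Added example (not from the original post): audit a set of Ansible vars files
# for the Vault indirection pattern. Secrets must live only in encrypted Vault
# files; playbooks and vars files must reference them as "{{ vault_<name> }}".
# Only file contents are inspected, so no Ansible installation is required.
import re

VAULT_HEADER = "$ANSIBLE_VAULT;"          # first line written by ansible-vault
SECRET_NAME = re.compile(r"pass(word|wd)?|secret|token|api_key", re.IGNORECASE)
VAR_LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*?)\s*$")
VAULT_REF = re.compile(r"""^["']?\{\{\s*vault_[A-Za-z0-9_]+\s*\}\}["']?$""")


def is_encrypted(content):
    """True if the file carries the Ansible Vault header (written by ansible-vault)."""
    return content.lstrip().startswith(VAULT_HEADER)


def parse_vars(content):
    """Return {name: raw_value} for top-level 'key: value' lines.

    Deliberately minimal (no YAML library) so it runs anywhere; comments, blank
    lines, list items and nested (indented) keys are ignored.
    """
    variables = {}
    for line in content.splitlines():
        if not line.strip() or line.startswith(("#", " ", "\t", "-")):
            continue
        match = VAR_LINE.match(line)
        if match and match.group(2) != "":
            variables[match.group(1)] = match.group(2)
    return variables


def audit(files):
    """files maps a relative path to its content. Returns a list of findings.

    An empty list means every secret is either inside an encrypted Vault or is
    referenced through a vault_ variable.
    """
    findings = []
    for path, content in files.items():
        if is_encrypted(content):
            continue                       # ciphertext: nothing readable to inspect
        if path.rsplit("/", 1)[-1].startswith("vault"):
            findings.append(f"{path}: Vault file is stored unencrypted")
            continue
        for name, value in parse_vars(content).items():
            if name.startswith("vault_"):
                findings.append(f"{path}: '{name}' defined outside an encrypted Vault")
            elif SECRET_NAME.search(name) and not VAULT_REF.match(value):
                findings.append(f"{path}: '{name}' holds a plaintext secret")
    return findings


# Constructed sample repository (not real data). The Vault body is made-up hex
# standing in for real ciphertext; only the header matters to this check.
SAMPLE_REPO = {
    # the 'before' state from the post: the password sits in plain text
    "group_vars/example/before.yml": "my_password: P@ssw0rd\nntp_server: pool.ntp.org\n",
    # the 'after' state: the playbook variable points at the Vault variable
    "group_vars/example/main.yml": 'my_password: "{{ vault_my_password }}"\nntp_server: pool.ntp.org\n',
    # a Vault as written by ansible-vault (header real, body constructed)
    "group_vars/example/vault.yml": "$ANSIBLE_VAULT;1.1;AES256\n6162636465666768696a6b6c\n",
    # a Vault someone decrypted in place and committed by mistake
    "group_vars/other/vault.yml": "vault_db_password: hunter2\n",
}


def audit_sample():
    """Run the audit over the constructed repository; two findings are expected."""
    return audit(SAMPLE_REPO)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Run it as a pre-commit hook or CI step over the real group_vars and host_vars trees (read each file into the dictionary audit() expects) and fail the build on any finding. The header check is the important one: a Vault that was decrypted with ansible-vault for editing and then committed without re-encrypting looks like an ordinary YAML file to everything except this kind of check.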
