Ansible - Ansible-vault

> Infrastructure as code > Ansible

1 - About

ansible-vault is a command line utility that stores sensitive data (a file or a property value) in an encrypted format called a vault, and reads it back from there.

Example of sensitive data:

When running a playbook, Ansible finds:

  • the sensitive variables in an encrypted file / string
  • and the other variables in an unencrypted file / string

Encrypted data can include

  • group_vars/ or host_vars/ inventory variables,
  • variables loaded by *include_vars* or *vars_files*, or variable files,
  • variables passed at the command line via the *-e @file.yml* or *-e @file.json* option of ansible-playbook,
  • role variables and defaults,
  • Ansible tasks, handlers, and other objects, because they are data,
  • an individual task file.

Currently, all files that you want to use together at the same time must be encrypted with the same vault id.


3 - Syntax

Usage: ansible-vault [create|decrypt|edit|encrypt|encrypt_string|rekey|view] [options] [vaultfile.yml]

encryption/decryption utility for Ansible data files

Options:
  --ask-vault-pass      ask for vault password
  -h, --help            show this help message and exit
  --new-vault-id=NEW_VAULT_ID
                        the new vault identity to use for rekey
  --new-vault-password-file=NEW_VAULT_PASSWORD_FILE
                        new vault password file for rekey
  --vault-id=VAULT_IDS  the vault identity to use
  --vault-password-file=VAULT_PASSWORD_FILES
                        vault password file
  -v, --verbose         verbose mode (-vvv for more, -vvvv to enable
                        connection debugging)
  --version             show program's version number and exit

 See 'ansible-vault <command> --help' for more information on a specific
command.

4 - Management

4.1 - Encrypt

Only one vault id can be used when encrypting content.

4.1.1 - String

Encrypt a property value. See Ansible - Encrypt a property (password)

4.1.2 - File

ansible-vault encrypt vaultfile.yml

4.2 - Decrypt

4.2.1 - Decrypt-string

echo '<ansible vault string>' | tr -d ' ' | ansible-vault decrypt && echo

Example:

echo '$ANSIBLE_VAULT;1.1;AES256
36303034313162366666366461366537393831303836316230366330343139396432343663623466
6562373361623339356430326238663963393036313539390a363836383934626138306234373739
63633563353964336235633964383238623361636664303536663031343563623064303036653931
3235393235323162340a353132343233306431316163353337393331653534653663346234333234
34613639303366383061613638323733663639316430653433393064353563303530' | tr -d ' ' | ansible-vault decrypt --vault-id playbook_vault_pass_newenv.sh && echo

4.3 - Run

4.3.1 - Password file

  • to use a password file dev-password for the label dev:
ansible-playbook --vault-id dev@dev-password site.yml
ansible-playbook --vault-password-file dev-password site.yml

Example

  • to use a password stored in the text file /path/to/my/vault-password-file:
ansible-playbook --vault-id /path/to/my/vault-password-file site.yml

4.3.2 - Prompt

  • To prompt for the password of the dev vault id:
ansible-playbook --vault-id dev@prompt site.yml
# Prior to Ansible 2.4
ansible-playbook --ask-vault-pass site.yml

Example:

  • To prompt for a vault id password:
ansible-playbook --vault-id @prompt site.yml

4.3.3 - executable script

To get the password from a vault password executable script my-vault-password.py:

ansible-playbook --vault-id my-vault-password.py site.yml

5 - Support

5.1 - ERROR! Decryption failed (no vault secrets were found that could decrypt) on - for -

The vault passphrase you supplied is not the correct one: none of the configured vault secrets produced a valid HMAC for the encrypted data.
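To see what this error means, and what the vault string of section 4.2.1 actually contains, here is an added example (not code from the page or from Ansible) that parses the AES256 vault envelope with the standard library alone and recomputes its HMAC under a candidate passphrase. The seal() helper wraps already-encrypted bytes; it does not perform the AES-CTR step (the standard library has no AES), so the ciphertext used in the test is a constructed placeholder, not real vault output.

```python
import binascii
import hashlib
import hmac

# Ansible Vault "AES256" cipher: keys come from PBKDF2-HMAC-SHA256 (10000 rounds, 80 bytes):
# a 32-byte AES-256-CTR key, a 32-byte HMAC-SHA256 key and a 16-byte IV. A 1.1 header has
# no vault id; a 1.2 header carries it as a fourth ';'-separated field.
HEADER = "$ANSIBLE_VAULT"
ITERATIONS = 10000

def parse_vault(text):
    """Return header fields and the binary salt / HMAC / ciphertext of a vault string."""
    lines = text.strip().splitlines()
    fields = lines[0].split(";")
    if fields[0] != HEADER or len(fields) < 3 or fields[2] != "AES256":
        raise ValueError("not an AES256 ansible-vault envelope")
    vault_id = fields[3] if fields[1] == "1.2" and len(fields) > 3 else None
    # Body: hex text that, once decoded, reads salt_hex NEWLINE hmac_hex NEWLINE ciphertext_hex.
    body = binascii.unhexlify("".join(ln.strip() for ln in lines[1:]))
    salt_hex, hmac_hex, ct_hex = body.split(b"\n")
    return {"version": fields[1], "vault_id": vault_id,
            "salt": binascii.unhexlify(salt_hex),
            "hmac": binascii.unhexlify(hmac_hex),
            "ciphertext": binascii.unhexlify(ct_hex)}

def derive_keys(password, salt):
    """Split the PBKDF2 output into (aes_key, hmac_key, iv)."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, 80)
    return km[:32], km[32:64], km[64:]

def seal(password, salt, ciphertext, vault_id=None):
    """Wrap already-encrypted bytes into a vault string (AES-CTR itself is omitted here;
    the ciphertext passed in by the caller is a constructed placeholder)."""
    _, hmac_key, _ = derive_keys(password, salt)
    digest = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    header = HEADER + (";1.2;AES256;" + vault_id if vault_id else ";1.1;AES256")
    body = b"\n".join(binascii.hexlify(p) for p in (salt, digest, ciphertext))
    hexbody = binascii.hexlify(body).decode()
    lines = [hexbody[i:i + 80] for i in range(0, len(hexbody), 80)]  # 80-column lines
    return "\n".join([header] + lines) + "\n"

def passphrase_matches(text, password):
    """Recompute the HMAC under a candidate passphrase: the check behind 'Decryption failed'."""
    parts = parse_vault(text)
    _, hmac_key, _ = derive_keys(password, parts["salt"])
    expected = hmac.new(hmac_key, parts["ciphertext"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, parts["hmac"])
```

Fed the vault string from section 4.2.1, parse_vault() returns a 32-byte salt, a 32-byte HMAC and 32 bytes of ciphertext; a parse error points at a damaged or space-mangled string, while a clean parse with a failing HMAC means the passphrase is wrong.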

6 - Documentation / Reference