Ansible - Encrypt a property (password)


1 - About

How to encrypt a string property with ansible-vault


3 - Syntax

ansible-vault encrypt_string [--prompt] [options] string_to_encrypt

4 - Example

4.1 - With an executable password file and without label

passwordFile.sh
#!/usr/bin/env bash
echo myVaultPassord
  • Encrypt with a vault ID that is here only a password, with no label
ansible_vault_the_secret.bash
ansible-vault encrypt_string --vault-id passwordFile.sh 'password' --name 'property_name'
output.yml
property_name: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          62386330373731643635353932343165306363336336373739316531366536323437396639313033
          6139356564646365303132373830623737356535663434350a613861646230343430396462333465
          38363831353565336537636633616438383230313237316133366631363932623632313236383262
          3238363861363133380a303030653165613538633731353065623366613162656166366563636238
          3533
Encryption successful

4.2 - With an executable password file and with label

With an executable password file and with a vault label

passwordFile.sh
#!/usr/bin/env bash
echo myVaultPassword
  • With the label dev for instance
ansible_vault_the_secret.bash
ansible-vault encrypt_string --vault-id dev@passwordFile.sh 'foobar' --name 'the_secret'
  • In the output, the dev label appears again in the header line of the vault value.
output.yml
the_secret: !vault |
          $ANSIBLE_VAULT;1.2;AES256;dev
          32623539663635343531646264366163303738326632613535376633653865643333353536623832
          6136313230363737316465623963326237653063336666310a356137333139323130393933373537
          61623432663236313137303561333830396566613030383431666662326632653333323730316638
          6661353435323536650a376662313430646634643763653766616565326661303438653233656366
          3461
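
The header line of both outputs above is plain text, so the format version and the vault ID label can be read without the vault password. The following parser is an added example, not part of the original page or of Ansible's code; `parse_vault_value` and `constructed_sample` are hypothetical names, and the sample payload is built from constructed bytes rather than real vault output.

```python
import binascii
import re
from typing import NamedTuple, Optional

HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;(1\.[12]);([A-Z0-9]+)(?:;(.+))?$")

class VaultEnvelope(NamedTuple):
    version: str
    cipher: str
    vault_id: Optional[str]  # label, only present in format 1.2
    salt: bytes
    hmac: bytes
    ciphertext: bytes

def parse_vault_value(text: str) -> VaultEnvelope:
    """Split an inline !vault value into header fields and payload parts."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    match = HEADER_RE.match(lines[0]) if lines else None
    if not match:
        raise ValueError("not an ansible-vault 1.1/1.2 envelope")
    version, cipher, vault_id = match.groups()
    if (version == "1.2") != (vault_id is not None):
        raise ValueError("a vault ID label is expected in 1.2 headers only")
    try:
        # The body is the hex encoding of three newline-separated hex strings.
        inner = binascii.unhexlify("".join(lines[1:]))
        salt, mac, ct = (binascii.unhexlify(p) for p in inner.split(b"\n"))
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"malformed vault payload: {exc}") from None
    return VaultEnvelope(version, cipher, vault_id, salt, mac, ct)

def constructed_sample(label: str) -> str:
    # Constructed bytes only: no real key material, no real encryption.
    parts = (bytes(range(32)), bytes(32), b"\xaa" * 16)
    body = binascii.hexlify(b"\n".join(binascii.hexlify(p) for p in parts)).decode()
    wrapped = "\n".join(body[i:i + 80] for i in range(0, len(body), 80))
    return f"$ANSIBLE_VAULT;1.2;AES256;{label}\n{wrapped}"

if __name__ == "__main__":
    env = parse_vault_value(constructed_sample("dev"))
    print(env.version, env.cipher, env.vault_id, len(env.salt), len(env.ciphertext))
```

Run over the `!vault` values in a repository, this gives an inventory of which vault IDs are in use and which values still use the unlabelled 1.1 header.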