Ansible - Vault

1 - About

A vault is the encrypted form of data, produced with a label and a password that together are known as a vault id.

Encrypted data may be:

This is available since Ansible 2.4.

The vault id (i.e. the password) must be the same for all files and property values that you want to use together at the same time.


3 - Id

A vault id is the vault identifier. The vault id format is:

label@password_source


  • label is an optional tag (Example: ‘dev’, ‘prod’, ‘cloud’, etc)
  • password_source defines the source of the password (Example: a prompt, a file path, etc)

3.1 - Label

A label is a property of a vault that categorizes it.

  • Examples: ‘dev’, ‘prod’, ‘cloud’, etc

Therefore, files or vars can be encrypted with different passwords. Vault ids are a way to group sensitive data (for instance by environment: dev, prod, …).

Example: a playbook can now include vars files encrypted with:

  • a ‘dev’ vault id
  • and a ‘prod’ vault id.

4 - Management

4.1 - Set

The --vault-id CLI option passes a vault id.

ansible-playbook [--vault-id ...]
# Example
ansible-playbook --vault-id dev@dev-password --vault-id prod@prompt site.yml

4.2 - Match

If the vault content was encrypted using a --vault-id option, the label of the vault id is stored with the vault content.

The default is to try the matching id first, then the other vault ids in order, if provided.

Default Conf:

4.3 - Format

The encrypted file or string has the following format:



  • the first line is a header where
    • $ANSIBLE_VAULT is the vault format id,
    • 1.1 is the vault format version,
    • AES256 is the cipher id
  • the second line is the vaulttext: the concatenation of the ciphertext and a SHA256 digest, with the result hexlified.
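The parser below is an added example (not code from this page or from Ansible itself): it splits a vault envelope into its header fields and vaulttext, rejects input that is not vault encrypted data (the error described under Support), and checks the stored SHA256 HMAC against a candidate password before any decryption is attempted. The PBKDF2 key schedule and the 1.2 header that carries the label are assumed to follow Ansible's AES256 cipher; the sample values are constructed.

```python
import hashlib
import hmac
from binascii import hexlify, unhexlify

HEADER_ID = "$ANSIBLE_VAULT"

def parse_envelope(text):
    """Return (version, cipher, label, vaulttext); label is None for the 1.1 format.
    Raises ValueError for input that is not vault encrypted data."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith(HEADER_ID + ";"):
        raise ValueError("input is not vault encrypted data")
    fields = lines[0].split(";")
    label = fields[3] if fields[1] == "1.2" and len(fields) > 3 else None
    # in files the vaulttext is wrapped at 80 columns; re-join it
    return fields[1], fields[2], label, "".join(lines[1:])
def is_vault_data(text):
    try:
        return bool(parse_envelope(text))
    except ValueError:
        return False
def split_vaulttext(vaulttext):
    """AES256 layout: hexlify(hex(salt) + '\n' + hex(hmac) + '\n' + hex(ciphertext))."""
    salt_hex, hmac_hex, ct_hex = unhexlify(vaulttext).split(b"\n", 2)
    return unhexlify(salt_hex), hmac_hex.decode(), unhexlify(ct_hex)
def derive_keys(password, salt):
    """PBKDF2-HMAC-SHA256, 10000 rounds, 80 bytes: AES key, HMAC key, IV (assumed)."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10000, dklen=80)
    return km[:32], km[32:64], km[64:80]
def hmac_matches(text, password):
    """True if the password authenticates the ciphertext (checked before any decrypt)."""
    _, cipher, _, vaulttext = parse_envelope(text)
    if cipher != "AES256":
        raise ValueError("unsupported cipher: " + cipher)
    salt, stored_hmac, ciphertext = split_vaulttext(vaulttext)
    _, hmac_key, _ = derive_keys(password, salt)
    expected = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, stored_hmac)
def build_envelope(password, ciphertext, salt, label=None):
    """Constructed helper: wrap an already-encrypted ciphertext in a 1.1/1.2 envelope."""
    _, hmac_key, _ = derive_keys(password, salt)
    mac = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest().encode()
    body = hexlify(b"\n".join([hexlify(salt), mac, hexlify(ciphertext)])).decode()
    header = HEADER_ID + (";1.2;AES256;" + label if label else ";1.1;AES256")
    return header + "\n" + "\n".join(body[i:i + 80] for i in range(0, len(body), 80))

# constructed sample values, not a real secret
SAMPLE = build_envelope("dev-password", b"\x01" * 32, b"\x00" * 32, label="dev")
```

A mismatch in hmac_matches is the condition behind the "no vault secrets were found that could decrypt" error: none of the supplied passwords authenticates the stored digest.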


6 - Support

6.1 - AnsibleVaultError: Decryption failed (no vault secrets were found that could decrypt)

One cause may be that you use an executable script to supply your secret and this script does not have execute permission.

chmod +x

6.2 - AnsibleError: input is not vault encrypted data

The input is not Ansible vault encrypted data.

Example: you get this error when you copy the key and paste the !vault statement twice:


vault_wkf_password: !vault |
  !vault |