Ansible - Vault


1 - About

A vault is the encrypted form of data, produced with a combination of a label and a password known as a vault id.

Encrypted data may be:

This is available since Ansible 2.4.

The vault id (i.e. the password) must be the same for all files and property values that you wish to use together at the same time.


3 - Id

A vault id is the vault identifier. The vault id format is:

label@password_source

where:

  • label is an optional tag (for example 'dev', 'prod', 'cloud')
  • password_source defines where the password comes from (for example a prompt or a file path)

3.1 - Label

A label is a property of a vault that categorizes it.

Example:

  • ‘dev’, ‘prod’, ‘cloud’, etc

Files or vars can therefore be encrypted with different passwords; vault ids are a way to group sensitive data (for instance by environment: dev, prod, ...).

Example: a playbook can now include a vars file encrypted with a:

  • 'dev' vault id
  • and a 'prod' vault id.

4 - Management

4.1 - Set

The --vault-id command-line option passes a vault id; it can be repeated to pass several.

ansible-playbook [--vault-id ...]
# Example
ansible-playbook --vault-id dev@dev-password --vault-id prod@prompt site.yml

4.2 - Match

If the vault content was encrypted using a --vault-id option, then the label of the vault id is stored with the vault content.

The default is to try this matching id first, then try the other vault ids in order if provided.

Default Conf:

4.3 - Format

The encrypted file or string has the following format:

$ANSIBLE_VAULT;1.1;AES256
vaulttext

where:

  • the first line is a header where
    • $ANSIBLE_VAULT is the vault format id,
    • 1.1 is the vault format version,
    • AES256 is the cipher id
  • the second line is the vaulttext. This is a concatenation of the ciphertext and a SHA256 digest, with the result hexlified.

https://docs.ansible.com/ansible/2.4/vault.html#vault-format



6 - Support

6.1 - AnsibleVaultError: Decryption failed (no vault secrets were found that could decrypt)

One cause may be that you are using an executable script to supply your secret and that this script does not have the execute permission.

chmod +x mySecret.sh

6.2 - AnsibleError: input is not vault encrypted data

The input is not Ansible vault encrypted.

Example: you get this error when you copy the key and paste the !vault statement twice.

Example:

vault_wkf_password: !vault |
  !vault |
  $ANSIBLE_VAULT;1.1;AES256
  62353036646334633932386334306331383737623464343031393335306238633136616665376633
  3538393034323939383761623333323032366163363131640a356561313033376438303138653933
  37613734383734346234613962633163633837623738326266643666333039616635336138373436
  3931616464333137300a346331343635626365653431643139323534336662653438336330666563
  6165633164333030653139633839323962373232663864646362613
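The envelope format from section 4.3 and the duplicated-tag error from section 6.2, as an added example that is not part of this page or of the Ansible project: a small Python checker that validates the $ANSIBLE_VAULT header and unpacks the hexlified body without decrypting anything. The inner salt/HMAC/ciphertext newline layout is assumed from Ansible's VaultAES256 implementation rather than stated on this page, and build_envelope only packs constructed hex values so the round trip can be exercised offline.

```python
import binascii

FORMAT_ID = "$ANSIBLE_VAULT"
VERSIONS = {"1.1": 3, "1.2": 4}   # header field count; 1.2 appends the vault-id label
CIPHERS = {"AES256"}


class NotVaultData(ValueError):
    """The text does not carry a valid $ANSIBLE_VAULT envelope."""


def build_envelope(salt_hex, hmac_hex, ciphertext_hex, label=None, width=80):
    """Wrap already-hex salt / HMAC / ciphertext into the on-disk vault text
    (constructed values only; no encryption is performed here)."""
    inner = "\n".join([salt_hex, hmac_hex, ciphertext_hex]).encode("ascii")
    body = binascii.hexlify(inner).decode("ascii")
    header = ("%s;1.2;AES256;%s" % (FORMAT_ID, label)) if label else "%s;1.1;AES256" % FORMAT_ID
    wrapped = [body[i:i + width] for i in range(0, len(body), width)]
    return "\n".join([header] + wrapped) + "\n"


def parse_envelope(text):
    """Validate the header and unpack the hexlified body (raw file form or a
    YAML 'key: !vault |' value); raise NotVaultData for anything else."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines and lines[0].endswith("!vault |"):  # drop a single YAML tag line
        lines = lines[1:]
    if not lines or not lines[0].startswith(FORMAT_ID):
        # A duplicated '!vault |' line ends up here: the second tag sits where
        # the $ANSIBLE_VAULT header is expected.
        raise NotVaultData("input is not vault encrypted data")
    fields = lines[0].split(";")
    version = fields[1] if len(fields) > 1 else ""
    if version not in VERSIONS or len(fields) != VERSIONS[version]:
        raise NotVaultData("unsupported or malformed vault header: %r" % lines[0])
    if fields[2] not in CIPHERS:
        raise NotVaultData("unsupported cipher: %s" % fields[2])
    try:
        inner = binascii.unhexlify("".join(lines[1:])).decode("ascii")
        salt_hex, hmac_hex, ciphertext_hex = inner.split("\n")
        for part in (salt_hex, hmac_hex, ciphertext_hex):
            binascii.unhexlify(part)  # each inner field must itself be hex
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        raise NotVaultData("vaulttext body is not the expected hexlified layout")
    return {"version": version, "cipher": fields[2],
            "vault_id": fields[3] if version == "1.2" else None,
            "salt": salt_hex, "hmac": hmac_hex, "ciphertext": ciphertext_hex}
```

Feeding the snippet from 6.2 above into parse_envelope reproduces the "input is not vault encrypted data" failure, because the second `!vault |` line occupies the position of the header.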