Ansible : Vault

Ansible vault provides a simple way to encrypt secrets, so you don't expose sensitive data in your playbooks.

by OracleDba

Useful Resources

There is a vagrant build for the virtual machines used in these examples here. There is a GitHub repository of the scripts used in the examples here.

Create a New Vault

We create a new vault using the "ansible-vault" command with the "create" option. It prompts us for a vault password and drops us into the default editor to enter data in the vault. We enter the data in plain text, just as we would in a host variable file, and exit. In this case I used the vault password "Password123" and gave it the following content. When we check the contents of the resulting vault file we can see it's encrypted. The "view" option lets us see the content in its unencrypted state. The "edit" option drops us back into the editor, so we can edit the contents of the vault. We add a second variable, which we can then see with "view".

$ ansible-vault create my_vault.yml
New Vault password:
Confirm New Vault password:
$

cdb1_sys_password: SysPassword1

$ cat my_vault.yml
$ANSIBLE_VAULT;1.1;AES256
32306533393532303233373461376533356462613038353439333630346361383833313034373136
3336653332623837366233313662613464376266626637610a363339326237666465663937306433
30373131353331306261373365383562303263386535663264306437326330373035393138383435
3535316163333938320a356237663131656533373066626334303333363233366161333564343031
61306530633063363237646334653835636261373638663465353662353133316439366436303466
3439353036356638666465646133326461363137643566633363
$

$ ansible-vault view my_vault.yml
Vault password:
cdb1_sys_password: SysPassword1
$

$ ansible-vault edit my_vault.yml
Vault password:
$

$ ansible-vault view my_vault.yml
Vault password:
cdb1_sys_password: SysPassword1
testuser1: testuser1pwd
$
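What the encrypted file above actually contains, as an added example that is not part of the original article or of Ansible's own code: the hex body is an envelope of a 32-byte salt, an HMAC-SHA256 tag and the AES-256-CTR ciphertext, and the HMAC key is derived from the vault password with PBKDF2, so the Python standard library alone can confirm that a supplied password and an intact file go together before any decryption is attempted. It uses the my_vault.yml output and the "Password123" vault password shown above; accepting the 1.2 header (which adds a vault id) is an assumption beyond this page.

```python
import binascii
import hashlib
import hmac

# The my_vault.yml produced above with the vault password "Password123".
VAULT_TEXT = """$ANSIBLE_VAULT;1.1;AES256
32306533393532303233373461376533356462613038353439333630346361383833313034373136
3336653332623837366233313662613464376266626637610a363339326237666465663937306433
30373131353331306261373365383562303263386535663264306437326330373035393138383435
3535316163333938320a356237663131656533373066626334303333363233366161333564343031
61306530633063363237646334653835636261373638663465353662353133316439366436303466
3439353036356638666465646133326461363137643566633363
"""


def parse_vault(text):
    """Split a vault envelope into (salt, hmac_tag, ciphertext) bytes."""
    header, *body = text.strip().splitlines()
    fields = header.split(";")
    if fields[:3] not in (["$ANSIBLE_VAULT", "1.1", "AES256"],
                          ["$ANSIBLE_VAULT", "1.2", "AES256"]):
        raise ValueError("not an Ansible Vault AES256 file")
    # The outer hex layer wraps "salt_hex\nhmac_hex\nciphertext_hex".
    salt_hex, tag_hex, ct_hex = binascii.unhexlify("".join(body)).split(b"\n")
    return tuple(binascii.unhexlify(part) for part in (salt_hex, tag_hex, ct_hex))


def derive_keys(password, salt):
    """Ansible's KDF: PBKDF2-HMAC-SHA256, 10000 rounds, 80 bytes split into
    AES-256 key | HMAC-SHA256 key | 16-byte CTR IV."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10000, dklen=80)
    return dk[:32], dk[32:64], dk[64:80]


def verify_password(text, password):
    """True when HMAC-SHA256(hmac_key, ciphertext) equals the stored tag, i.e.
    the password is right and the ciphertext has not been tampered with."""
    salt, stored_tag, ciphertext = parse_vault(text)
    _aes_key, hmac_key, _iv = derive_keys(password, salt)
    calc = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(calc, stored_tag)


if __name__ == "__main__":
    salt, tag, ct = parse_vault(VAULT_TEXT)
    print(f"salt={len(salt)}B hmac={len(tag)}B ciphertext={len(ct)}B")
    print("password ok:", verify_password(VAULT_TEXT, "Password123"))
```

The 48-byte ciphertext is the 32-byte plaintext line plus PKCS7 padding to the 16-byte AES block; note that anyone holding the file can run this same check offline against password guesses, which is why the vault password itself has to be strong.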

Encrypt Existing Variable File

An alternative to creating a vault is to encrypt an existing variable file. We create a file called "my_vault_2.yml" with the following contents, then encrypt it using the "encrypt" option. Once again, we use "Password123" as the password. The file is now encrypted, and we can display its content using the "view" option.

cdb1_sys_password: SysPassword1
testuser1: testuser1pwd

$ ansible-vault encrypt my_vault_2.yml
New Vault password:
Confirm New Vault password:
Encryption successful
$

$ cat my_vault_2.yml
$ANSIBLE_VAULT;1.1;AES256
65363365363962363166366138356564323231633065356536373864623863393663646333393433
3736303366356336376531343337653839383465656138300a346633663466333432393833383935
37333564316366323865613236623461316336623865376533353730626135623861653438306335
6631316633383032300a393435633938623365333362356437653133383934373863333130353664
36323335623037633566323332346534633533366431313939323035636465636633363035646230
34663466323432666561353563356635613561383965303130623735623837646639663136666533
303166633532646630343139303237396132
$

$ ansible-vault view my_vault_2.yml
Vault password:
cdb1_sys_password: SysPassword1
testuser1: testuser1pwd
$

Decrypt Vault

We can decrypt a file using the "decrypt" option.

$ ansible-vault decrypt my_vault_2.yml
Vault password:
Decryption successful
$

$ cat my_vault_2.yml
cdb1_sys_password: SysPassword1
testuser1: testuser1pwd
$

Use a Vault With a Playbook

Create a playbook called "vault_variables.yml" with the following contents. It uses the "debug" module to display the variable value, which is a silly thing to do for a secret. When we run the playbook we see the variable is undefined, because we've not told the playbook where to find the vault. We use the "-e" flag to pass extra variables to the playbook, with the "@" symbol to show the value is a file. We also need the "--ask-vault-pass" flag so we are prompted for the vault password. Alternatively we can specify the vault as part of the playbook using the "vars_files" option (saved here as "vault_variables_2.yml"). We can now run the playbook without the "-e" flag, but we still need the "--ask-vault-pass" flag.

---
- name: Use vault variables
  hosts: databases
  tasks:

  - name: Show vault variable value
    debug:
      var: cdb1_sys_password

$ ansible-playbook vault_variables.yml

PLAY [Use vault variables] *********************************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************************
ok: [database1.localdomain]

TASK [Show vault variable value] ***************************************************************************************************************
ok: [database1.localdomain] => {
    "cdb1_sys_password": "VARIABLE IS NOT DEFINED!"
}

PLAY RECAP *************************************************************************************************************************************
database1.localdomain      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

$

$ ansible-playbook vault_variables.yml -e @my_vault.yml --ask-vault-pass
Vault password:

PLAY [Use vault variables] *********************************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************************
ok: [database1.localdomain]

TASK [Show vault variable value] ***************************************************************************************************************
ok: [database1.localdomain] => {
    "cdb1_sys_password": "SysPassword1"
}

PLAY RECAP *************************************************************************************************************************************
database1.localdomain      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

$

---
- name: Use vault variables
  hosts: databases
  vars_files: my_vault.yml
  tasks:

  - name: Show vault variable value
    debug:
      var: cdb1_sys_password

$ ansible-playbook vault_variables_2.yml --ask-vault-pass

Vault password:

PLAY [Use vault variables] *********************************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************************
ok: [database1.localdomain]

TASK [Show vault variable value] ***************************************************************************************************************
ok: [database1.localdomain] => {
    "cdb1_sys_password": "SysPassword1"
}

PLAY RECAP *************************************************************************************************************************************
database1.localdomain      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

$
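The playbook above only sees the vault once it is pointed at it, but host and group variable files under the inventory are loaded automatically (see Considerations below), so a plaintext "cdb1_sys_password" left in host_vars ships with every run. As an added example, not part of the original article, this pre-commit style check walks an inventory tree and reports secret-looking keys in any YAML file that does not carry the "$ANSIBLE_VAULT" header; the key naming convention and the constructed sample tree are assumptions.

```python
import os
import re
import tempfile

VAULT_HEADER = "$ANSIBLE_VAULT;"
# Assumed naming convention: keys containing these words hold secrets.
SECRET_KEY = re.compile(r"^\s*(\w*(?:password|passwd|secret|token)\w*)\s*:", re.IGNORECASE)


def is_vaulted(text):
    """Files written by ansible-vault start with the $ANSIBLE_VAULT header."""
    return text.startswith(VAULT_HEADER)


def find_unvaulted_secrets(root):
    """Return (relative path, line number, key) for every secret-looking key
    that sits in a plaintext YAML file under root (host_vars, group_vars...)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith((".yml", ".yaml")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8") as fh:
                text = fh.read()
            if is_vaulted(text):
                continue  # whole-file vault: nothing readable here
            for lineno, line in enumerate(text.splitlines(), 1):
                match = SECRET_KEY.match(line)
                if match:
                    findings.append((os.path.relpath(path, root), lineno, match.group(1)))
    return findings


def demo():
    """Constructed inventory tree: an encrypted group file (header only, body
    is a placeholder) beside a host file that leaks the SYS password."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "group_vars"))
    os.makedirs(os.path.join(root, "host_vars"))
    with open(os.path.join(root, "group_vars", "databases.yml"), "w") as fh:
        fh.write("$ANSIBLE_VAULT;1.1;AES256\n<hex body omitted>\n")
    with open(os.path.join(root, "host_vars", "database1.localdomain.yml"), "w") as fh:
        fh.write("oracle_home: /u01/app/oracle\ncdb1_sys_password: SysPassword1\n")
    return find_unvaulted_secrets(root)


if __name__ == "__main__":
    for path, lineno, key in demo():
        print(f"{path}:{lineno}: plaintext secret '{key}' (run ansible-vault encrypt)")
```

Only key names are matched, so a secret stored under an innocuous key such as "testuser1" from the vault above would not be flagged; the header check is the reliable part.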

Considerations

Here are some things to consider when using Ansible Vault.

- It may be a better idea to use a cloud-based vault for production systems.
- We can encrypt host and group variable files if required. They will be picked up by default as normal, but will require a password to access them.
- The passwords used in this article are simple/stupid. Please use strong passwords for the vault, and for any passwords used by your systems.
- Check out the documentation for the other things you can do with Ansible Vault.

For more information see:

- Ansible Vault
- Ansible Playbooks : Vault
- Ansible : Playbooks - First Steps
- Ansible : All Articles

Hope this helps.

Regards

Tim...
