How to use Ansible Vault to Protect Ansible Playbooks

This tutorial will help you to understand everything about Ansible Vault.

By the end of this document, you will understand:

1. What is Ansible Vault?
2. How to encrypt Ansible playbooks?
3. How to decrypt them?
4. How to view and edit them if required?
5. How to set a new Ansible Vault password?

Let's get started.

What is Ansible Vault?

Ansible Vault is a feature of Ansible that lets us protect sensitive data in playbooks, such as data files, usernames, passwords and configuration, with encryption.

If an Ansible playbook is encrypted, even an Ansible administrator cannot read it in any editor without providing the valid vault password. Its contents are not visible in plain text.

Let's take an example playbook.

Also watch the "Ansible Vault" tutorial video demo on our YouTube channel.

The Ansible playbook below is used for user creation. The username, the password and the agreement to be copied to the home directory are all specified in clear text, so anybody can view this information.

[root@learnitguide.net ansible]# cat users.yml
---
- hosts: clients
  tasks:
  - name: Adding Users
    user:
      name: john
      password: john@123
      comment: "John Ben"
      shell: /bin/bash
      group: apache
      createhome: yes
      home: /home/john
  - name: Copying Confidential Agreement
    copy:
      content: "Its a Confidential Agreement between an Employee & Employer newn"
      dest: /home/john/Agreement

Let's see how to encrypt the playbook with Ansible Vault to protect the sensitive data, and what happens after encryption.

How to encrypt an Ansible playbook?

Use the "encrypt" option with the ansible-vault command. Enter the vault password you wish to set for this playbook (users.yml) twice; this password applies only to this file.

[root@learnitguide.net ansible]# ansible-vault encrypt users.yml
New Vault password:
Confirm New Vault password:
Encryption successful

Now "users.yml" is encrypted.

If anyone tries to open the protected file with a normal editor, its contents are unreadable, because it is encrypted.

[root@learnitguide.net ansible]# cat users.yml
$ANSIBLE_VAULT;1.1;AES256
61663736643362356533646434663830356534646435373164626230633436396666646332393538
3333353735356363663237323034336465633939346536330a313435666439323936306435313830
33313736303432303463636137623064626238333434613037346538663332383663363431613465
3236633939613836360a323335303263626163303532626334663530316137636535313834613237

Once a playbook is encrypted with the ansible-vault command, you have to use the ansible-vault command to manage the encrypted file, as shown below.
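As an added example (not from this tutorial or from Ansible itself), the Python check below parses the vault file format shown above without decrypting it, so a repository or CI check can confirm that a file which should be vaulted really is a well-formed envelope, and flag plaintext playbooks that still carry credential keys. The header pattern, the list of secret-looking keys and the sample inputs are assumptions made for this example.

```python
"""Repo-hygiene check: files carrying credentials must be well-formed Ansible Vault
envelopes, not plaintext YAML. Example code for this tutorial, not part of Ansible."""
import re
from binascii import hexlify, unhexlify, Error as HexError

# Header forms: "$ANSIBLE_VAULT;1.1;AES256" or "$ANSIBLE_VAULT;1.2;AES256;<vault-id>"
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;(1\.[12]);(AES256)(?:;([^\n]+))?$")
# Keys that should never be committed in plaintext (assumed list; extend to your naming).
SECRET_KEYS = re.compile(r"^\s*(password|passwd|secret|token|api_key)\s*:", re.I | re.M)


def parse_vault_envelope(text: str) -> dict:
    """Validate a vault file and return its parts without decrypting anything.
    Body layout: hex(salt_hex + '\\n' + hmac_hex + '\\n' + ciphertext_hex), wrapped
    at 80 characters per line. Raises ValueError when the envelope is malformed."""
    lines = text.strip().splitlines()
    match = VAULT_HEADER.match(lines[0]) if lines else None
    if not match:
        raise ValueError("missing or unsupported $ANSIBLE_VAULT header")
    try:
        inner = unhexlify("".join(line.strip() for line in lines[1:]))
        salt, hmac, ciphertext = map(unhexlify, inner.split(b"\n", 2))
    except (HexError, ValueError) as exc:  # odd-length hex or too few parts
        raise ValueError(f"corrupt vault body: {exc}") from None
    # 32-byte salt, 32-byte HMAC-SHA256 tag, AES-CBC ciphertext in whole blocks
    if len(salt) != 32 or len(hmac) != 32 or not ciphertext or len(ciphertext) % 16:
        raise ValueError("salt/HMAC/ciphertext lengths do not match the AES256 format")
    return {"version": match.group(1), "cipher": match.group(2),
            "vault_id": match.group(3), "salt": salt, "hmac": hmac,
            "ciphertext": ciphertext}


def build_envelope(salt: bytes, hmac: bytes, ciphertext: bytes, vault_id=None) -> str:
    """Assemble an envelope from already-computed parts (used here to build sample data)."""
    inner = b"\n".join(hexlify(part) for part in (salt, hmac, ciphertext))
    outer = hexlify(inner).decode()
    header = f"$ANSIBLE_VAULT;1.2;AES256;{vault_id}" if vault_id else "$ANSIBLE_VAULT;1.1;AES256"
    return "\n".join([header] + [outer[i:i + 80] for i in range(0, len(outer), 80)])


def classify(text: str) -> str:
    """'vaulted' for a valid envelope, 'leak' for plaintext holding credential keys,
    'plain' otherwise. A damaged envelope raises ValueError instead of passing."""
    if text.lstrip().startswith("$ANSIBLE_VAULT"):
        parse_vault_envelope(text)
        return "vaulted"
    return "leak" if SECRET_KEYS.search(text) else "plain"
```

A partially pasted or truncated envelope, like a body missing its last line, is rejected because the ciphertext is no longer a whole number of AES blocks.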

How to view an encrypted playbook file?

Use the "view" option with the ansible-vault command and enter the vault password.

[root@learnitguide.net ansible]# ansible-vault view users.yml
Vault password:
---
- hosts: clients
  tasks:
  - name: Adding Users
    user:
      name: john
      password: john@123
      comment: "John Ben"
      shell: /bin/bash
      group: apache
      createhome: yes
      home: /home/john
  - name: Copying Confidential Agreement
    copy:
      content: "Its a Confidential Agreement between an Employee & Employer newn"
      dest: /home/john/Agreement

How to edit an encrypted playbook file?

Use the "edit" option with the ansible-vault command and enter the vault password. This opens the file in the default editor set in your user environment.

[root@learnitguide.net ansible]# ansible-vault edit users.yml
Vault password:

Once you have made the changes, save and exit the file.

How to run an encrypted Ansible playbook file?

If a playbook is encrypted, we cannot run ansible-playbook as we normally do; we get an error like the one below.

[root@learnitguide.net ansible]# ansible-playbook users.yml
ERROR! Attempting to decrypt but no vault secrets found

Instead, use the argument "--ask-vault-pass" to be prompted for the vault password, or save your vault password in a file and pass that file with the argument "--vault-password-file".

1. Using the argument "--ask-vault-pass"

[root@learnitguide.net ansible]# ansible-playbook users.yml --ask-vault-pass
Vault password:

Enter the vault password when prompted, and the playbook runs.

2. Using the argument "--vault-password-file"

Before running, save your vault password in a file, then run the playbook again.

[root@learnitguide.net ansible]# cat vault-passwd
redhat

The vault password is stored in a file called vault-passwd.

[root@learnitguide.net ansible]# ansible-playbook users.yml --vault-password-file /root/ansible/vault-passwd

This time the vault password is read from the file you provided, so it does not prompt you for the vault password.

If you are not allowed to store the password in clear text, use only the "--ask-vault-pass" argument.

How to change the existing vault password?

Use the "rekey" option with the ansible-vault command. Enter the old vault password, then the new password twice.

[root@learnitguide.net ansible]# ansible-vault rekey users.yml
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful

The new vault password is set.

How to decrypt a protected Ansible playbook file?

Use the "decrypt" option with the ansible-vault command and enter the vault password.

[root@learnitguide.net ansible]# ansible-vault decrypt users.yml
Vault password:
Decryption successful

Now the playbook is decrypted.

Hope you now have an idea of how Ansible Vault protects sensitive data.

Keep practicing and have fun. Leave your comments if any.
