Ansible vaults are cool: they provide a simple way to store private data (such as passphrases, network details, authentication data in general) in a public or shared ansible repository. Ansible provides a set of intuitive interaction commands:
ansible-vault create secret.yml ansible-vault edit secret.yml ansible-vault view secret.yml ansible-vault rekey secret.yml ansible-vault encrypt secret.yml ansible-vault decrypt secret.yml
You can even encrypt a single variable in a normal vars file:
notsecret: myvalue mysecret: !vault | $ANSIBLE_VAULT;1.1;AES256 66386439653236336462626566653063336164663966303231363934653561363964363833313662 6431626536303530376336343832656537303632313433360a626438346336353331386135323734 62656361653630373231613662633962316233633936396165386439616533353965373339616234 3430613539666330390a313736323265656432366236633330313963326365653937323833366536 34623731376664623134383463316265643436343438623266623965636363326136 other_plain_text: othervalue
The downside is that you'll need to input your encryption passphrase every time, and run playbooks with
--ask-vault-pass (which, seriously, ansible could do on its own.)
But, alternatively, you can use password files. You can either include them with every command with
--vault-password-file mypassword, or set an environment variable
(Don't forget to set the executable flag with
chmod +x /path/to/mypassword).
The cool thing about this is that a vault password file may be an executable, which is then expected to print the password to STDOUT (it should use STDERR for user interaction since STDOUT is reserved for password output). Mine look like this (since I use the pass password manager:
#!/bin/bash pass ansible/someansiblepass
This file in combination with an env variable makes vaults really manageable and easy to use. Please try it!