Using Ansible Vaults

Ansible Vaults

Ansible vaults are cool: they provide a simple way to keep private data (passphrases, network details, authentication data in general) encrypted inside a public or shared Ansible repository. Ansible provides a set of intuitive commands for working with them:

ansible-vault create secret.yml
ansible-vault edit secret.yml
ansible-vault view secret.yml
ansible-vault rekey secret.yml
ansible-vault encrypt secret.yml
ansible-vault decrypt secret.yml

You can even encrypt a single variable in a normal vars file (the encrypted block after !vault | is produced by ansible-vault encrypt_string):

notsecret: myvalue
mysecret: !vault |
other_plain_text: othervalue

The downside is that you'll need to type your encryption passphrase every time and run playbooks with --ask-vault-pass (which, seriously, Ansible could do on its own).

Password files

Alternatively, you can use password files. You can either pass one with every command using --vault-password-file mypassword, or set an environment variable ANSIBLE_VAULT_PASSWORD_FILE=/path/to/mypassword. If the file is a script, don't forget to set the executable flag with chmod +x /path/to/mypassword; a file that just contains the password in plain text must not be executable, because Ansible runs any executable password file instead of reading it. In either case keep the file readable only by you (chmod 600 or 700).

The cool thing about this is that a vault password file may be an executable, which is then expected to print the password to STDOUT (it should use STDERR for any user interaction, since STDOUT is reserved for the password itself). Mine looks like this (since I use the pass password manager):

#!/bin/sh
pass ansible/someansiblepass

This file in combination with an env variable makes vaults really manageable and easy to use. Please try it!
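The password file contract described above, as an added example that is not part of the original post: a script that prints the secret to STDOUT (with user-facing messages on STDERR), a resolver that mimics how Ansible treats executable versus plain password files, and a check for the common misconfiguration of a plain-text password file with the executable bit set. The resolver and checker are my own illustration, not Ansible's code; the `pass` command is replaced by a constructed stub so the example runs offline, and the secret value is made up.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes POSIX sh, mktemp and chmod.

# Resolve a vault password the way ansible-vault does:
#   executable file -> run it, the password is whatever it prints to STDOUT
#   plain file      -> the password is the file's contents
# STDERR is left alone, so a script can still talk to the user there.
vault_password_from_file() {
    file="$1"
    if [ -x "$file" ]; then
        "$file"
    else
        cat "$file"
    fi
}

# Catch the two ways a password file silently misbehaves before pointing
# ANSIBLE_VAULT_PASSWORD_FILE at it: a script without the x bit is read as a
# literal password, and a plain-text password with the x bit set is executed
# (and fails). Returns 0 when the file is consistent, 1 otherwise.
check_password_file() {
    file="$1"
    first=""
    IFS= read -r first < "$file" || :
    case "$first" in
        "#!"*) is_script=1 ;;
        *)     is_script=0 ;;
    esac
    if [ "$is_script" -eq 1 ] && [ ! -x "$file" ]; then
        echo "$file: looks like a script but is not executable (chmod +x it)" >&2
        return 1
    fi
    if [ "$is_script" -eq 0 ] && [ -x "$file" ]; then
        echo "$file: plain password file must not be executable (chmod -x it)" >&2
        return 1
    fi
    return 0
}

# Write an executable password file that delegates to a password manager,
# readable and runnable only by the owner. Prompts go to STDERR, the secret
# to STDOUT, exactly as Ansible expects.
write_password_script() {
    script="$1"
    cat > "$script" <<'EOF'
#!/bin/sh
echo "fetching vault password from the password store" >&2
pass ansible/someansiblepass
EOF
    chmod 700 "$script"
}

# End-to-end run in a scratch directory with a constructed stand-in for the
# real `pass` CLI (found via PATH). Prints the resolved password.
demo_password_file() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho "correct-horse-battery-staple"\n' > "$dir/pass"  # stub, not real pass
    chmod 700 "$dir/pass"
    write_password_script "$dir/vault-pass"
    check_password_file "$dir/vault-pass"
    pw=$(
        PATH="$dir:$PATH"; export PATH
        vault_password_from_file "$dir/vault-pass"
    )
    rm -rf "$dir"
    printf '%s\n' "$pw"
}
```

Running `check_password_file` against whatever ANSIBLE_VAULT_PASSWORD_FILE points at is a cheap guard to put in a repository's pre-flight script: the failure it catches (a password file that is a script but not executable) would otherwise surface only as a vault decryption error with the script text being used as the password.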