Using Ansible Vaults

Ansible Vaults

Ansible vaults are cool: they provide a simple way to store private data (such as passphrases, network details, authentication data in general) in a public or shared ansible repository. Ansible provides a set of intuitive interaction commands:

ansible-vault create secret.yml
ansible-vault edit secret.yml
ansible-vault view secret.yml
ansible-vault rekey secret.yml
ansible-vault encrypt secret.yml
ansible-vault decrypt secret.yml

You can even encrypt a single variable in a normal vars file:

notsecret: myvalue
mysecret: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          66386439653236336462626566653063336164663966303231363934653561363964363833313662
          6431626536303530376336343832656537303632313433360a626438346336353331386135323734
          62656361653630373231613662633962316233633936396165386439616533353965373339616234
          3430613539666330390a313736323265656432366236633330313963326365653937323833366536
          34623731376664623134383463316265643436343438623266623965636363326136
other_plain_text: othervalue

The downside is that you'll need to input your encryption passphrase every time, and run playbooks with --ask-vault-pass (which, seriously, ansible could do on its own.)

Password files

But, alternatively, you can use password files. You can either include them with every command with --vault-password-file mypassword, or set an environment variable ANSIBLE_VAULT_PASSWORD_FILE=/path/to/mypassword. (Don't forget to set the executable flag with chmod +x /path/to/mypassword).

The cool thing about this is that a vault password file may be an executable, which is then expected to print the password to STDOUT (it should use STDERR for user interaction since STDOUT is reserved for password output). Mine look like this (since I use the pass password manager:

1
2
#!/bin/bash
pass ansible/someansiblepass

This file in combination with an env variable makes vaults really manageable and easy to use. Please try it!