Secure Secrets with Ansible Vault: Use Encrypted Files

Secure secrets by encrypting files using Ansible Vault.


There is one secret we have been using so far: the password of the Ansible user, stored in cleartext in the group variable files. Cleartext storage is bad on its own; committing it to a Git repository is worse, because every clone and every commit in the history then carries it. Luckily, Ansible has a solution.

Ansible Vault

Ansible Vault is a feature that encrypts files or individual strings so that sensitive data such as passwords and keys can be stored in them. The encrypted files and values are safe to commit to source control; the vault password itself is not, and must be supplied at runtime through one of the following options on the ansible, ansible-playbook and ansible-vault commands:

  • --ask-vault-pass (prompt for the password interactively)
  • --vault-password-file (read the password from a file, or from an executable that prints it)
  • --vault-id (label@source, used when different files are encrypted with different passwords)

Using encrypted files

Ansible Vault can encrypt entire files. With it you can turn the group variable files themselves into encrypted files, so the variables, passwords included, are never stored in cleartext.

You will encrypt the linux.yml and windows.yml group variable files.

  1. Encrypt the linux.yml variable file with ansible-vault encrypt. When prompted, choose a vault password and confirm it.
  2. View the contents of the linux.yml file. Instead of the YAML, the file now begins with a $ANSIBLE_VAULT;1.1;AES256 header followed by hex-encoded ciphertext.
  3. Edit linux.yml with ansible-vault edit, entering the vault password when prompted.
  4. Ensure the variables are correct and exit the editor with :q (or :wq if you changed anything).

vi editor
ansible-vault edit opens the file in the editor named by the EDITOR environment variable, which is vi by default. If you prefer another editor, set EDITOR (for example, EDITOR=nano) rather than decrypting the file. If you do decrypt it temporarily with ansible-vault decrypt, re-encrypt it with ansible-vault encrypt before committing, so the cleartext never reaches the repository.

  5. Encrypt the windows.yml variable file. When prompted, enter the same vault password you used for linux.yml: with --ask-vault-pass, one password must unlock every encrypted file a play loads (use --vault-id if you need to mix several).
  6. View the decrypted contents with ansible-vault view, entering the vault password when prompted. The file on disk stays encrypted; only the output is cleartext.
  7. Verify the variables are loading. When prompted, enter the vault password, then scroll through the output until you see the variables assigned to each host.
  8. Review the hosts file and the host_vars files with cat, and ensure that the file names and the IP addresses in the files match.
  9. Update the passwords in the group_vars files.
  10. Review the group_vars/windows_encrypted.yml and group_vars/linux_encrypted.yml files.

We have provided these demo encrypted files for your review. Your group_vars/{windows|linux}.yml will look something like the group_vars/{windows|linux}_encrypted.yml files, respectively: the same header and a different hex body, because every encryption uses a fresh random salt.

Project layout:

  hosts
  ping_novars.yml
  win_ping_novars.yml
  group_vars/
    windows_encrypted.yml
    windows.yml
    linux_encrypted.yml
    linux.yml
  host_vars/
  11. Run the ping playbooks, ping_novars.yml and win_ping_novars.yml, with ansible-playbook, passing --ask-vault-pass and entering the vault password when prompted. Both plays should reach their hosts using the credentials that now exist only inside the encrypted group_vars files.

Using Ansible Vault to encrypt the entire file works well. You can now commit the code to source control knowing that the password is encrypted; what you must keep out of the repository is the vault password itself. There are two downsides. You can't read the contents of an encrypted file without one of the following ansible-vault subcommands, and because the whole file is ciphertext, a git diff of it shows only an opaque change in hex, so a reviewer cannot see which variable changed:

  • decrypt
  • view
  • edit
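The whole workflow above as a non-interactive script, added here as an example; it is not code from the course. It assumes ansible is installed, the lesson's file layout (hosts, group_vars/linux.yml, group_vars/windows.yml, ping_novars.yml, win_ping_novars.yml), and that the vault password is kept in a file named .vault_pass (an assumed name, overridable through an assumed VAULT_PASSWORD_FILE variable) that is listed in .gitignore. The two check functions need only sh and grep and cover the two things worth verifying before a commit: that a variable file really carries the vault envelope header, and that no un-encrypted file under group_vars or host_vars still contains a credential-looking key.

```sh
#!/bin/sh
# Added example, not part of the course material. Assumes: ansible on PATH,
# the lesson's layout (hosts, group_vars/, host_vars/, ping_novars.yml,
# win_ping_novars.yml), and a vault password file at .vault_pass (assumed
# name; keep it in .gitignore and never commit it).
set -eu

# Return 0 if the file starts with the Ansible Vault envelope header.
# Format 1.1 is "$ANSIBLE_VAULT;1.1;AES256"; format 1.2 (written when a
# --vault-id label is used) appends the label: "$ANSIBLE_VAULT;1.2;AES256;dev".
is_vault_encrypted() {
    [ -f "$1" ] || return 1
    first_line=''
    IFS= read -r first_line < "$1" || true
    case "$first_line" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pre-commit style check: print every YAML file under the given directories
# that is NOT vault-encrypted but contains a credential-looking key
# (password, passwd, secret, token, api_key). Returns 1 if any were found.
find_cleartext_secrets() {
    rc=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.yml "$dir"/*.yaml; do
            [ -f "$f" ] || continue
            if ! is_vault_encrypted "$f" \
               && grep -Eiq '^[[:space:]]*[A-Za-z0-9_]*(password|passwd|secret|token|api_key)[A-Za-z0-9_]*:' "$f"; then
                printf '%s\n' "$f"
                rc=1
            fi
        done
    done
    return "$rc"
}

# The lesson's steps, driven by --vault-password-file so nothing prompts.
vault_demo() {
    pwfile=${VAULT_PASSWORD_FILE:-.vault_pass}   # assumed name / variable
    [ -f "$pwfile" ] || { echo "missing vault password file: $pwfile" >&2; exit 1; }
    chmod 600 "$pwfile"
    grep -qxF "$pwfile" .gitignore 2>/dev/null \
        || echo "warning: $pwfile is not listed in .gitignore" >&2

    for f in group_vars/linux.yml group_vars/windows.yml; do
        if is_vault_encrypted "$f"; then
            echo "already encrypted: $f"
        else
            ansible-vault encrypt --vault-password-file "$pwfile" "$f"
        fi
        # Decrypt to stdout only; the file on disk stays encrypted.
        ansible-vault view --vault-password-file "$pwfile" "$f" > /dev/null
    done

    # Confirm the variables still resolve for every host (lesson step 7).
    ansible-inventory -i hosts --list --vault-password-file "$pwfile" > /dev/null

    # Run the ping playbooks with the same password file (lesson step 11).
    ansible-playbook -i hosts --vault-password-file "$pwfile" ping_novars.yml
    ansible-playbook -i hosts --vault-password-file "$pwfile" win_ping_novars.yml

    # Final gate: nothing cleartext may remain in what git would commit.
    find_cleartext_secrets group_vars host_vars \
        || { echo "cleartext secrets remain; refusing to proceed" >&2; exit 1; }
    echo "all variable files are vault-encrypted"
}

# Run the full workflow only when asked, so the check functions can be
# sourced or tested on their own without ansible installed.
case "${1:-}" in
    demo) vault_demo ;;
esac
```

Save it under any name in the repository root, write the vault password to .vault_pass, and run it as sh <name> demo. The check functions alone run anywhere; wiring find_cleartext_secrets group_vars host_vars into a pre-commit hook stops a cleartext variable file from ever reaching the repository, which is the failure this lesson opened with.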

In this lesson, we introduced Ansible Vault to secure your secrets using the encrypted files method. We looked into the following options that the ansible-vault command provides:

  • encrypt
  • edit
  • view
  • decrypt