Secure Secrets with Ansible Vault: Use Encrypted Strings

Some variables do not contain sensitive information. Those variables could also be instrumental when troubleshooting. And in certain situations, it might not make sense to encrypt the entire file, making discovery more difficult.

Perhaps we only want to encrypt the sensitive variables and not the whole file. Ansible Vault can do that, too.

You will create an encrypted string for the ansible_password variable and decrypt the group variable files.

Generate an encrypted string variable for ansible_password. When prompted, enter the vault password.
- Replace <Password> with the ansible user password.
- Copy the ansible_password encrypted string value to the clipboard.

Enter to Rename, Shift+Enter to Preview

Encrypt ansible_password

ansible_password: !vault | 
        $ANSIBLE_VAULT;1.1;AES256
36356230663365626165396563623334333164313162306430373862333838636638333735393632
6633626333363163623035343538363632373261636663610a663335633333346238333264383465
33643334383266333235333366386539383737643136323736636333633834663037363666303962
3138323239636561340a346439623364626662303833366532336533613864316266643564656430
32393764653437323534646336666235373162643731303862353564386534326234
     
Encryption successful

Enter to Rename, Shift+Enter to Preview

ansible-vault encrypt string output

Open linux.yml and windows.yml. Replace the ansible_password variable with the encrypted string.

---
ansible_user: ansible 
ansible_password: !vault |
        $ANSIBLE_VAULT;1.1;AES256 
  36356230663365626165396563623334333164313162306430373862333838636638333735393632 
  6633626333363163623035343538363632373261636663610a663335633333346238333264383465 
  33643334383266333235333366386539383737643136323736636333633834663037363666303962
  3138323239636561340a346439623364626662303833366532336533613864316266643564656430
  32393764653437323534646336666235373162643731303862353564386534326234
ansible_ssh_common_args: '-o StrictHostKeyChecking=no'

Enter to Rename, Shift+Enter to Preview

Update ansible_password

Verify that the variables are loading.

Enter to Rename, Shift+Enter to Preview

Verify the variables

Decryption
When using encrypted strings, the ansible-inventory does not decrypt the string.

"hostvars": { 
    "ec2-50-17-205-144.compute-1.amazonaws.com": {
        "ansible_connection": "winrm", 
        "ansible_password": {
            "__ansible_vault": "$ANSIBLE_VAULT;1.1;AES256\n3635623066336562616539656362333433316431316230643037386 2333838636638333735393632\n6633626333363163623035343538363632373261636663610a663335 633333346238333264383465\n336433343832663332353333663865393837376431363237366363336 33834663037363666303962\n3138323239636561340a34643962336462666230383336653233653361 3864316266643564656430\n32393764653437323534646336666235373162643731303862353564386 534326234"
        },
        "ansible_user": "ansible", 
        "ansible_winrm_server_cert_validation": "ignore"
    },

Enter to Rename, Shift+Enter to Preview

ansible-inventory output

Use the debug module to output the decrypted variable. When prompted, enter the vault password.

Enter to Rename, Shift+Enter to Preview

Decrypt variable

Shell History
The method of using the echo command to populate the encrypted string leaves the shell history password. Please do not use it outside of testing.

You can use the following command in its stead:

Enter to Rename, Shift+Enter to Preview

Hide password from shell history

Caution
Do not press Enter after supplying the string to encrypt. That will add a newline to the encrypted value.

Review the hosts file and the host_vars and ensure that the files’ names and the IP addresses in the files match using the cat command.
Update the passwords in the group_vars files.
Review the group_vars/windows_encrypted.yml and group_vars/linux_encrypted.yml files.

We have provided these demo encrypted files for your review. The group_vars/{windows|linux}.yml will look something like the group_vars/{windows/linux}_encrypted.yml files, respectively.

Run the commands.

Click on the Run button, wait for the environment to set up, and execute the commands summarized below in the widget’s terminal.

# Encrypt ansible password
echo -n '<Password>' | ansible-vault encrypt_string --stdin-name 'ansible_password'
# OR
ansible-vault encrypt_string --stdin-name 'ansible_password'
## Replace the ansible password in linux.yml and windows.yml files.
# Verify variables
ansible-inventory -i hosts --list --ask-vault-pass
# Decrypt ansible_password
ansible all -i hosts -m debug -a "var=ansible_password" --ask-vault-pass

Enter to Rename, Shift+Enter to Preview

Commands

This code requires the following environment variables to execute:

AWS_Linux_EC2_Instance_DNS_Name

Not Specified...

AWS_Windows_EC2_Instance_DNS_Name

Not Specified...

Azure_Linux_VM_Instance_DNS_Name

<Linux>

Azure_Windows_VM_Instance_DNS_Name

AWS_Linux_EC2_Instance_IP

<Linux>

AWS_Windows_EC2_Instance_IP

Azure_Linux_VM_Instance_IP

<Linux>

Azure_Windows_VM_Instance_IP

/

hosts

ping_novars.yml

win_ping_novars.yml

group_vars

windows_encrypted.yml

windows.yml

linux_encrypted.yml

linux.yml

host_vars

windows.yml

Enter to Rename, Shift+Enter to Preview

Secure secret with Ansible vault using encrypted strings

In this lesson, we introduced how you can encrypt only the secret variables instead of the entire file. We looked at the following option with the ansible-vault command:

encrypt_string
debug

Before We Begin

Getting Started

Ansible Development with Containers

Connect to the Cloud

Starting at the Source

Getting Started with Ad-Hoc Commands and Playbooks

Deploy an Ansible Development Environment

Putting the Ansible Environment to Work

Take Inventory of the Infrastructure

Build Reusable Configurations

Dynamic Inventories for Scaling

Build a CI \ CD pipeline for Ansible with Github Actions

Appendix

Conclusion

Secure Secrets with Ansible Vault: Use Encrypted Strings

/