Karan Sharma

Ramblings on tech, cycling, and finance

Using Ansible Vault

Vault lets you encrypt sensitive values in your playbook. These can be DB passwords, API tokens etc. that need to be referenced inside roles/tasks.

There are 2 ways to encrypt:

  1. Encrypt individual variables inline (ansible-vault encrypt_string) and paste the output into your vars.

  2. Encrypt a whole file of variables (ansible-vault encrypt).

IMHO encrypting with a file is better even for a few variables.

How To

  1. Create a file called secrets.enc and add the contents in plain-text:
     password: secret
     another_password: supersecret

  2. Encrypt it with ansible-vault encrypt secrets.enc

  3. Store the vault password inside .vault_password (untracked from git) if you don't want to provide the password every time.

  4. Run the playbook with ansible-playbook -i inventory playbook.yml -e @secrets.enc --vault-password-file=.vault_password

That's all! {{password}} and {{another_password}} will be available inside tasks as ordinary variables, no extra work needed.
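The one thing that goes wrong with this workflow is step 1 outliving step 2: secrets.enc gets committed while still in plain-text. Below is an added pre-commit style check (not from this post or from Ansible) that refuses files which lack the vault envelope; it relies on the known on-disk layout of a vault file (a $ANSIBLE_VAULT;<version>;<cipher> header followed by hex lines) and never needs the vault password. The sample file contents are constructed, and the hex body is made up.

```python
import re
import sys
from pathlib import Path

# Envelope of an Ansible Vault file (known format, not described in the post):
#   $ANSIBLE_VAULT;<version>;<cipher>[;<vault id>]
# followed by hex-encoded lines (salt, HMAC and ciphertext, all hexlified).
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;(\d+\.\d+);([A-Z0-9]+)(?:;(\S+))?$")
HEX_LINE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed samples: the step-1 plain-text file, and a file shaped like vault
# output. The hex body is invented and would not decrypt; only the envelope
# shape matters for this check.
PLAINTEXT_SECRETS = "password: secret\nanother_password: supersecret\n"
ENCRYPTED_SECRETS = (
    "$ANSIBLE_VAULT;1.1;AES256\n"
    + "6331663366323362" * 5 + "\n"
    + "3561353062316431" * 5 + "\n"
)


def is_vault_encrypted(text: str) -> bool:
    """True if text is a complete vault envelope: valid header plus a non-empty,
    all-hex body. Nothing is decrypted, so no vault password is required."""
    lines = text.strip().splitlines()
    if not lines or not VAULT_HEADER.match(lines[0]):
        return False
    body = lines[1:]
    return bool(body) and all(HEX_LINE.match(line) for line in body)


def find_unencrypted_secrets(files: dict) -> list:
    """Given {path: contents}, return the paths that are not vault-encrypted."""
    return [path for path, text in files.items() if not is_vault_encrypted(text)]


def main(paths):
    # Hypothetical pre-commit usage: pass the secrets files staged for commit.
    files = {p: Path(p).read_text() for p in paths}
    bad = find_unencrypted_secrets(files)
    for path in bad:
        print(f"refusing commit: {path} is not vault-encrypted", file=sys.stderr)
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as a pre-commit hook over secrets.enc (and any other *.enc vars files); a non-zero exit blocks the commit until the file has been passed through ansible-vault encrypt.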

Managing Secrets

You can use these Makefile targets to view/edit the secrets file without decrypting it on disk by hand.

view-secrets:
	ansible-vault view secrets.enc --vault-password-file=.vault_password

edit-secrets:
	EDITOR=vim ansible-vault edit secrets.enc --vault-password-file=.vault_password