Ansible Vault


Ansible Vault is a tool that encrypts, decrypts and manages sensitive data such as passwords, playbooks, variable files, etc.

If a playbook is encrypted, ansible-navigator will prompt for the vault password when someone tries to execute it. One use case is that this blocks junior system admins from running critical playbooks, while still allowing them to run non-critical playbooks that are not encrypted.

Below are a few of the commands used with Ansible Vault:

[root@centos9vm ~]# ansible-vault create sampleplaybook.yml
New Vault password:
Confirm New Vault password:

[root@centos9vm ~]# ansible-vault view sampleplaybook.yml
Vault password:
test

[root@centos9vm ~]# ansible-vault encrypt shijuplaybook.yml
New Vault password:
Confirm New Vault password:
Encryption successful

[root@centos9vm ~]# ansible-vault view shijuplaybook.yml
Vault password:

==== ==== ===

- name: shiju sample playbook
  hosts: testGRP
  tasks:
    - name: Add a user shiju100
      ansible.builtin.user:
        name: "{{ theUser }}"
        state: present

    - name: Install httpd server
      ansible.builtin.dnf:
        name: httpd
        state: present

==== ==== ===

[root@centos9vm ~]# ansible-vault edit sampleplaybook.yml
Vault password:
[root@centos9vm ~]# ansible-navigator run -m stdout shijuplaybook.yml --syntax-check --ask-vault-password --enable-prompts
Vault password:

playbook: /root/shijuplaybook.yml

[root@centos9vm ~]# ansible-navigator run -m stdout shijuplaybook.yml --ask-vault-pass --enable-prompt
Vault password:

===== =====

PLAY [shiju sample playbook] ********************************************************************************************************************************

TASK [Gathering Facts] **************************************************************************************************************************************
ok: [192.168.132.130]

TASK [Add a user shiju100] **********************************************************************************************************************************
ok: [192.168.132.130]

TASK [Install httpd server] *********************************************************************************************************************************
ok: [192.168.132.130]

PLAY RECAP **************************************************************************************************************************************************
192.168.132.130 : ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

===== =====

Changing the encryption password

[root@centos9vm ~]# ansible-vault rekey shijuplaybook.yml
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful

Creating a password file to encrypt playbooks

[root@centos9vm ~]# echo "this is a password file %#$#" > secret
[root@centos9vm ~]# ls -ltr | grep secret
-rw-r--r--. 1 root root 28 Feb 27 11:20 secret

[root@centos9vm ~]# ansible-vault decrypt shijuplaybook.yml
Vault password:
Decryption successful
[root@centos9vm ~]# ansible-vault encrypt shijuplaybook.yml --vault-password-file=secret
Encryption successful

[root@centos9vm ~]# ansible-navigator run -m stdout shijuplaybook.yml --syntax-check --enable-prompts --vault-password-file=secret

playbook: /root/shijuplaybook.yml
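A pre-flight check for the two artefacts this post produces, added here as an example (it is not the post's own code, nor Ansible's): it confirms that a file really carries the $ANSIBLE_VAULT header and payload layout before it is committed or run, and it flags a --vault-password-file whose permissions are as loose as the "secret" file listed above (-rw-r--r--, readable by every local account). The sample vault text is constructed from dummy bytes to exercise the parser offline; the layout it checks is Ansible's 1.1/1.2 vault format.

```python
import re
import stat
from binascii import hexlify, unhexlify, Error as HexError

# Header that ansible-vault writes: $ANSIBLE_VAULT;<format>;<cipher>[;<vault-id>]
HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;(1\.[12]);(AES256)(?:;([^\s;]+))?$")

def parse_vault_text(text):
    """Structural check of a vault file; returns header fields and payload sizes.
    The payload is hex of 'salt\\nhmac\\nciphertext', each part itself hex-encoded:
    32-byte salt, 32-byte HMAC-SHA256, AES-CTR ciphertext PKCS7-padded to 16-byte
    blocks. Raises ValueError for anything that does not fit that layout."""
    lines = text.strip().splitlines()
    m = HEADER_RE.match(lines[0].strip()) if lines else None
    if not m:
        raise ValueError("missing or malformed $ANSIBLE_VAULT header")
    version, cipher, vault_id = m.groups()
    if version == "1.2" and vault_id is None:
        raise ValueError("format 1.2 requires a vault-id label")
    try:
        payload = unhexlify("".join(l.strip() for l in lines[1:]))
        salt, hmac, ct = (unhexlify(p) for p in payload.split(b"\n", 2))
    except (HexError, ValueError) as exc:
        raise ValueError("payload is not hex(salt\\nhmac\\nciphertext)") from exc
    if len(salt) != 32 or len(hmac) != 32 or not ct or len(ct) % 16:
        raise ValueError("unexpected salt/hmac/ciphertext sizes")
    return {"version": version, "cipher": cipher, "vault_id": vault_id,
            "ciphertext_len": len(ct)}

def build_sample_vault(vault_id=None):
    """Constructed sample with the real layout but dummy bytes (no real
    encryption happened); used only to exercise the parser offline."""
    parts = (bytes(range(32)), bytes(range(32, 64)), b"\x00" * 32)
    payload = hexlify(b"\n".join(hexlify(p) for p in parts)).decode()
    header = "$ANSIBLE_VAULT;1.1;AES256" if vault_id is None else f"$ANSIBLE_VAULT;1.2;AES256;{vault_id}"
    return "\n".join([header] + [payload[i:i + 80] for i in range(0, len(payload), 80)]) + "\n"

def password_file_findings(mode, size):
    """Judge a --vault-password-file from os.stat(path).st_mode and .st_size:
    the 'secret' file above is -rw-r--r--, i.e. readable by every local account."""
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group/others: chmod 600 the password file")
    if size == 0:
        findings.append("password file is empty")
    return findings
```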