Ansible Vault


Ansible Vault is a tool that encrypts, decrypts and manages sensitive data such as passwords, playbooks and other files.

If a playbook is encrypted, ansible-navigator prompts for the Vault password when someone tries to run it. One use case is to stop junior system administrators from running critical playbooks while still allowing them to run non-critical playbooks that are not encrypted.

Below are a few of the commands used with Ansible Vault:

The below command creates a new encrypted file and prompts for a new Vault password. It then opens the file in the default editor (vi).

[root@centos9vm ~]# ansible-vault create sampleplaybook.yml
New Vault password:
Confirm New Vault password:

[root@centos9vm ~]# ansible-vault view sampleplaybook.yml
Vault password:
test

The below command encrypts an existing file:

[root@centos9vm ~]# ansible-vault encrypt shijuplaybook.yml
New Vault password:
Confirm New Vault password:
Encryption successful

[root@centos9vm ~]# ansible-vault view shijuplaybook.yml
Vault password:

==== ==== ===

- name: shiju sample playbook
  hosts: testGRP
  tasks:
    - name: Add a user shiju100
      ansible.builtin.user:
        name: "{{ theUser }}"
        state: present

    - name: Install httpd server
      ansible.builtin.dnf:
        name: httpd
        state: present

==== ==== ===

[root@centos9vm ~]# ansible-vault edit sampleplaybook.yml
Vault password:
[root@centos9vm ~]# ansible-navigator run -m stdout shijuplaybook.yml --syntax-check --ask-vault-password --enable-prompts
Vault password:

playbook: /root/shijuplaybook.yml

[root@centos9vm ~]# ansible-navigator run -m stdout shijuplaybook.yml --ask-vault-pass --enable-prompt
Vault password:

===== =====

PLAY [shiju sample playbook] ********************************************************************************************************************************

TASK [Gathering Facts] **************************************************************************************************************************************
ok: [192.168.132.130]

TASK [Add a user shiju100] **********************************************************************************************************************************
ok: [192.168.132.130]

TASK [Install httpd server] *********************************************************************************************************************************
ok: [192.168.132.130]

PLAY RECAP **************************************************************************************************************************************************
192.168.132.130 : ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

===== =====

Changing the encryption password

[root@centos9vm ~]# ansible-vault rekey shijuplaybook.yml
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful

Creating a password file to encrypt playbooks. The file holds the Vault password in clear text, so restrict it to its owner (chmod 600); the ls output below shows it was created world-readable (0644).

[root@centos9vm ~]# echo "this is a password file %#$#" > secret
[root@centos9vm ~]# ls -ltr | grep secret
-rw-r--r--. 1 root root 28 Feb 27 11:20 secret

[root@centos9vm ~]# ansible-vault decrypt shijuplaybook.yml
Vault password:
Decryption successful
[root@centos9vm ~]# ansible-vault encrypt shijuplaybook.yml --vault-password-file=secret
Encryption successful

[root@centos9vm ~]# ansible-navigator run -m stdout shijuplaybook.yml --syntax-check --enable-prompts --vault-password-file=secret

playbook: /root/shijuplaybook.yml

The below command creates a new encrypted file using the password stored in the secret file created above:

[root@centos9vm ~]# ansible-vault create theplaybook.yml --vault-password-file=secret
Encryption successful
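An added example (not from the original post) with two shell helpers around the password-file and encryption steps above: a password-file writer that avoids the world-readable mode and the $# shell expansion that the double-quoted echo command above is subject to, and a header check that tells whether a file is really vault-encrypted, usable as a pre-commit or CI guard. The functions do not invoke ansible-vault themselves, and all file names are constructed for illustration.

```shell
#!/bin/sh
# Added example; not part of the original post or of Ansible itself.

# Write a Vault password file readable only by its owner.
# The page's `echo "this is a password file %#$#" > secret` left the file
# 0644, and because the string was double-quoted the shell expanded `$#`
# (the positional-parameter count) inside it. Passing the password as a
# plain argument and creating the file under umask 077 avoids both issues.
make_vault_password_file() {
  # $1 = path of the password file, $2 = the password itself
  ( umask 077 && printf '%s\n' "$2" > "$1" ) || return 1   # created 0600
  chmod 600 "$1"                # also tighten a file that already existed
}

# Return 0 if the file carries an Ansible Vault header, 1 otherwise.
# Vault-encrypted files start with `$ANSIBLE_VAULT;1.1;AES256` or, when a
# vault id was used, `$ANSIBLE_VAULT;1.2;AES256;<vault-id>`.
is_vault_encrypted() {
  [ -f "$1" ] || return 1
  first=$(head -n 1 "$1")
  case $first in
    '$ANSIBLE_VAULT;1.1;AES256'|'$ANSIBLE_VAULT;1.2;AES256;'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Pre-commit style guard: report every argument that is NOT vault-encrypted.
# Returns 1 if any plaintext file was found, so a CI step can fail on it.
check_all_encrypted() {
  status=0
  for f in "$@"; do
    if ! is_vault_encrypted "$f"; then
      echo "NOT ENCRYPTED: $f" >&2
      status=1
    fi
  done
  return $status
}
```

Run check_all_encrypted over the files that are supposed to be vaulted (for example every playbook or vars file under a secrets directory) before they are committed or shipped.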