Ansible Vault Tutorial
In this video we are going to learn how to use Ansible Vault. Ansible Vault is primarily useful where you want to store confidential data in a public / possibly-not-very-private source control system.
Personally, I do not find much use for the Vault. In my setup, my host_vars, group_vars, and certain Role default.yml files contain sensitive information. Primarily this relates to user details - passwords being the biggy.
As covered in the previous video, any passwords I use will have been passed through the mkpasswd function, and so will already be hashed. As such, storing them in my setup is secure enough - for me. Your requirements may well vary, and given how easy it is to use Ansible Vault, it seems foolish not to cover it.
The official Ansible documentation for Vault covers the main methods:
- creating new encrypted files
- editing existing encrypted files
- encrypting existing unencrypted files
- decrypting existing encrypted files
- changing the password of existing encrypted files
You can see a demonstration of each of these steps in the first half of the video.
Using Ansible Vault Files
Once our data has been encrypted, using playbooks that contain encrypted data involves an additional option being passed into our ansible-playbook command.
From the docs this looks like:
ansible-playbook site.yml --ask-vault-pass
However, in the real world, should we have encrypted our group_vars, then your command would likely look more like this:
ansible-playbook common-playbook.yml -i hosts -l target -k -K -s --ask-vault-pass
Upon running this command, you will be prompted for the usual passwords (SSH, and sudo), and then the Vault password.
Points of Note
It's not possible to encrypt only values. Or to put it another way, you can only encrypt entire files. I dislike this as it makes the files inherently less useful to me - grepping becomes impossible, for example.
You can only have one Vault password per Ansible playbook. That is, everything in this playbook run must use the same Vault password.
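Because Vault works on whole files, a useful pre-commit check is to confirm which vars files are actually encrypted and, for those left in plaintext, that any password-like values are mkpasswd-style hashes rather than cleartext. The script below is an added example written for this post, not code from the post or from Ansible; the sample file contents, the key-name patterns and the truncated hash are constructed.

```python
"""Pre-commit style check for Ansible vars files (added example, not from the
original post): reports which files are Vault-encrypted and flags
password-like keys whose values are not mkpasswd-style crypt hashes."""
import re

# Every ansible-vault encrypted file begins with this header line
# (format id, vault format version, cipher name, optional vault id label).
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;\d+\.\d+;AES256")
# Modular-crypt prefixes produced by mkpasswd: $1$ md5, $5$ sha256,
# $6$ sha512, $2a$/$2b$/$2y$ bcrypt.
CRYPT_HASH = re.compile(r"^\$(1|5|6|2[aby])\$")
# Key names that usually hold credentials in host_vars / group_vars
# (constructed heuristic; extend for your own naming conventions).
SECRET_KEY = re.compile(r"(pass(word)?|secret|token)$", re.I)
KEY_VALUE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*:\s*(.+?)\s*$")

def classify_vars_file(text):
    """Return ('vault', []) for an encrypted file, else ('plain', findings)
    where findings lists password-like keys holding non-hashed values."""
    if VAULT_HEADER.match(text):
        return "vault", []
    findings = []
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("\"'")
        if SECRET_KEY.search(key) and not CRYPT_HASH.match(value):
            findings.append(key)
    return "plain", findings

def check_repo(files):
    """files: {path: contents}. Returns {path: (status, findings)}."""
    return {path: classify_vars_file(text) for path, text in files.items()}

# Constructed sample inputs (the vault body and the SHA-512 crypt hash are
# truncated placeholders, not real ciphertext or a real hash).
SAMPLE_FILES = {
    "group_vars/all.yml": "$ANSIBLE_VAULT;1.1;AES256\n3130633...\n",
    "host_vars/web1.yml": "ansible_user: deploy\nuser_password: '$6$saltsalt$abc'\n",
    "roles/db/defaults/main.yml": "db_password: hunter2\napi_token: abc123\n",
}

if __name__ == "__main__":
    for path, (status, findings) in check_repo(SAMPLE_FILES).items():
        flag = " PLAINTEXT SECRETS: " + ", ".join(findings) if findings else ""
        print(f"{path}: {status}{flag}")
```

Run against the real files in a repo by reading them into the same {path: contents} mapping; a non-empty findings list is the case the post's reasoning about hashed passwords does not cover.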
In Summary
For me the cons of using the Vault currently outweigh the pros.
I can live with my hashed passwords being stored inside unencrypted var files for my personal development projects.
For client work I do use the Vault. If you value your clients, I would suggest you do too.