What is Ansible Vault?
Ansible Vault is a feature within Ansible that allows you to keep sensitive data, such as passwords, keys, and other secrets, secure. Vault encrypts the contents of files, ensuring that sensitive information is not exposed in plaintext within your playbooks or version control systems.
Key Features of Ansible Vault
- Encryption and Decryption: Encrypt and decrypt files containing sensitive data.
- Integration: Seamlessly integrate with Ansible playbooks, roles, and variables.
- Flexibility: Encrypt entire files or specific variables within a file.
- Security: Use passwords or key files to manage access to encrypted data.
root@Jami2:/home/jami# ansible-vault
usage: ansible-vault [-h] [--version] [-v] {create,decrypt,edit,view,encrypt,encrypt_string,rekey} ...
ansible-vault: error: the following arguments are required: action
usage: ansible-vault [-h] [--version] [-v] {create,decrypt,edit,view,encrypt,encrypt_string,rekey} ...
encryption/decryption utility for Ansible data files
positional arguments:
{create,decrypt,edit,view,encrypt,encrypt_string,rekey}
create Create new vault encrypted file
decrypt Decrypt vault encrypted file
edit Edit vault encrypted file
view View vault encrypted file
encrypt Encrypt YAML file
encrypt_string Encrypt a string
rekey Re-key a vault encrypted file
options:
--version show program's version number, config file location, configured module search path, module location, executable location and exit
-h, --help show this help message and exit
-v, --verbose Causes Ansible to print more debug messages. Adding multiple -v will increase the verbosity, the builtin plugins currently evaluate up to
-vvvvvv. A reasonable level to start is -vvv, connection debugging might require -vvvv. This argument may be specified multiple times.
See 'ansible-vault <command> --help' for more information on a specific command.
Basic Usage
Encrypting a File
To encrypt a file using Ansible Vault, use the ansible-vault encrypt command. For example, to encrypt a file called vars.yml:
ansible-vault encrypt vars.yml
You will be prompted to enter a password, which will be required to decrypt the file later.
Decrypting a File
To decrypt a file, use the ansible-vault decrypt command:
ansible-vault decrypt vars.yml
You will be prompted to enter the password used during encryption.
Viewing an Encrypted File
To view the contents of an encrypted file without writing a decrypted copy to disk, use the ansible-vault view command:
ansible-vault view vars.yml
Editing an Encrypted File
To edit an encrypted file in place, use the ansible-vault edit command:
ansible-vault edit vars.yml
Example: Using Ansible Vault with Variables
Let’s walk through an example where we use Ansible Vault to encrypt sensitive variables.
1. Create a Variables File
Create a file named vault.yml to store sensitive variables:
vault.yml
---
secret_user: admin
secret_password: my_secret_password
2. Encrypt the Variables File
Encrypt the vault.yml file:
ansible-vault encrypt vault.yml
3. Create a Playbook
Create a playbook that uses the encrypted variables:
site.yml
---
- name: Example playbook using Ansible Vault
  hosts: localhost
  vars_files:
    - vault.yml
  tasks:
    - name: Print secret user
      ansible.builtin.debug:
        msg: "The secret user is {{ secret_user }}"
    - name: Print secret password
      ansible.builtin.debug:
        msg: "The secret password is {{ secret_password }}"
4. Run the Playbook
Run the playbook, providing the password to decrypt the vault.yml file:
ansible-playbook site.yml --ask-vault-pass
Using Vault IDs
Vault IDs allow you to manage multiple vault passwords more effectively. You can use different vault IDs for different files or different environments.
1. Encrypting Files with Vault IDs
Encrypt files with different vault IDs:
ansible-vault encrypt --vault-id dev@prompt dev_vars.yml
ansible-vault encrypt --vault-id prod@prompt prod_vars.yml
2. Using Vault IDs in a Playbook
site.yml
---
- name: Example playbook using Vault IDs
  hosts: localhost
  vars_files:
    - dev_vars.yml
    - prod_vars.yml
  tasks:
    - name: Print dev variable
      ansible.builtin.debug:
        msg: "The dev variable is {{ dev_variable }}"
    - name: Print prod variable
      ansible.builtin.debug:
        msg: "The prod variable is {{ prod_variable }}"
3. Running the Playbook with Vault IDs
ansible-playbook site.yml --vault-id dev@prompt --vault-id prod@prompt
Example: Encrypting Specific Variables
You can also encrypt specific variables within a file rather than encrypting the entire file.
1. Create a File with Encrypted Variables
Create a file named vars.yml:
vars.yml
---
regular_var: "This is a regular variable"
secret_var: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  61346438343536316566386335633864386531653436366437333238393865376236666662323938
  3434376631386139623961663463383865346433373731610a373339623262323137343938623739
  32333965373836646262626266366232326439353035663665386338346366336530383234346561
  3130306535383964630a353531393936616561316663653930366666313335313566636261653736
  6435
Note: The encrypted value above is an example; your encrypted value will be different.
2. Encrypt the Specific Variable
Use the ansible-vault encrypt_string command to encrypt a specific variable:
ansible-vault encrypt_string 'my_secret_value' --name 'secret_var'
The command prints a secret_var: !vault | block like the one above, which you paste into vars.yml.
3. Create a Playbook Using the Encrypted Variable
site.yml
---
- name: Example playbook with encrypted variable
  hosts: localhost
  vars_files:
    - vars.yml
  tasks:
    - name: Print regular variable
      ansible.builtin.debug:
        msg: "The regular variable is {{ regular_var }}"
    - name: Print secret variable
      ansible.builtin.debug:
        msg: "The secret variable is {{ secret_var }}"
4. Run the Playbook
Run the playbook, providing the password to decrypt the vars.yml file:
ansible-playbook site.yml --ask-vault-pass
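The !vault value in step 1 above, and the vault-ID labelled files from the previous section, share one on-disk layout, and it helps to see what a vault password actually protects. The following is an added example, written for this post and not part of Ansible's code: it splits an envelope into header, salt, HMAC and ciphertext with the standard library only, and checks whether a candidate password reproduces the stored HMAC, which is the integrity check Ansible performs before decrypting. The layout and key-derivation parameters (PBKDF2-HMAC-SHA256, 10000 iterations, 80 bytes split into AES key, HMAC key and IV) are those of Ansible's AES256 vault cipher; the fixture salt, dummy ciphertext and password used in the demo are constructed here, and PAGE_SAMPLE is the value from step 1, whose password is not known. Decrypting the payload itself would need an AES-CTR implementation and is deliberately left out.

```python
# Added example (not Ansible's code and not from this post): take apart an
# Ansible Vault envelope and check its HMAC with the standard library only.
#
# Layout written by Ansible's AES256 vault cipher:
#   header : $ANSIBLE_VAULT;<version>;AES256[;<vault-id label>]  (label only in 1.2)
#   body   : hex( hex(salt) + "\n" + hmac_hex + "\n" + hex(ciphertext) ), wrapped at 80 columns
# Key material: PBKDF2-HMAC-SHA256, 10000 iterations, 80 bytes ->
#   key1 = d[0:32] (AES-256-CTR key), key2 = d[32:64] (HMAC-SHA256 key), iv = d[64:80]
# Only the integrity check is done here; decrypting the payload needs an AES library.
import binascii
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

HEADER_TAG = "$ANSIBLE_VAULT"
PBKDF2_ITERATIONS = 10000
DERIVED_LEN = 32 + 32 + 16  # key1 + key2 + iv

# The !vault scalar shown in this post (its password is not known here).
PAGE_SAMPLE = """\
$ANSIBLE_VAULT;1.1;AES256
61346438343536316566386335633864386531653436366437333238393865376236666662323938
3434376631386139623961663463383865346433373731610a373339623262323137343938623739
32333965373836646262626266366232326439353035663665386338346366336530383234346561
3130306535383964630a353531393936616561316663653930366666313335313566636261653736
6435
"""


@dataclass
class VaultEnvelope:
    version: str
    cipher: str
    vault_id: Optional[str]  # label from a 1.2 header (e.g. "dev"); None for 1.1
    salt: bytes
    hmac_hex: str
    ciphertext: bytes


def parse_envelope(text: str) -> VaultEnvelope:
    """Split a vault blob (whole file or the body of a !vault scalar) into its parts."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines or not lines[0].startswith(HEADER_TAG + ";"):
        raise ValueError("not an Ansible Vault envelope")
    fields = lines[0].split(";")
    if len(fields) not in (3, 4) or fields[2] != "AES256":
        raise ValueError(f"unsupported header: {lines[0]}")
    version, vault_id = fields[1], (fields[3] if len(fields) == 4 else None)
    if version == "1.1" and vault_id is not None:
        raise ValueError("a 1.1 header carries no vault-id label")
    try:
        # Outer hex layer: the wrapped body lines concatenate to one hex string.
        inner = binascii.unhexlify("".join(lines[1:])).decode("ascii")
        salt_hex, hmac_hex, ct_hex = inner.split("\n")
        salt, ciphertext = binascii.unhexlify(salt_hex), binascii.unhexlify(ct_hex)
    except (binascii.Error, UnicodeDecodeError, ValueError) as exc:
        raise ValueError("malformed vault body") from exc
    if len(salt) != 32 or len(hmac_hex) != 64 or len(ciphertext) % 16:
        raise ValueError("vault body has unexpected field sizes")
    return VaultEnvelope(version, fields[2], vault_id, salt, hmac_hex, ciphertext)


def derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes, bytes]:
    """Same PBKDF2 split Ansible uses: (aes_key, hmac_key, iv)."""
    d = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                            PBKDF2_ITERATIONS, DERIVED_LEN)
    return d[:32], d[32:64], d[64:80]


def expected_hmac(password: str, salt: bytes, ciphertext: bytes) -> str:
    """HMAC-SHA256 over the ciphertext with key2, as stored in the envelope."""
    _, key2, _ = derive_keys(password, salt)
    return hmac.new(key2, ciphertext, hashlib.sha256).hexdigest()


def password_matches(env: VaultEnvelope, password: str) -> bool:
    """True iff the password reproduces the stored HMAC (Ansible checks this before decrypting)."""
    return hmac.compare_digest(env.hmac_hex, expected_hmac(password, env.salt, env.ciphertext))


def build_envelope(salt: bytes, hmac_hex: str, ciphertext: bytes,
                   version: str = "1.1", vault_id: Optional[str] = None) -> str:
    """Serialise in Ansible's layout; used here to construct fixtures for a known password."""
    header = f"{HEADER_TAG};{version};AES256" + (f";{vault_id}" if vault_id else "")
    inner = "\n".join([binascii.hexlify(salt).decode(), hmac_hex,
                       binascii.hexlify(ciphertext).decode()])
    body = binascii.hexlify(inner.encode("ascii")).decode()
    return "\n".join([header] + [body[i:i + 80] for i in range(0, len(body), 80)]) + "\n"


if __name__ == "__main__":
    env = parse_envelope(PAGE_SAMPLE)
    print(f"version={env.version} vault_id={env.vault_id} "
          f"salt={len(env.salt)}B ciphertext={len(env.ciphertext)}B")
    # Constructed fixture: fixed salt, dummy ciphertext, password chosen here.
    salt, ct = bytes(range(32)), bytes(16)
    blob = build_envelope(salt, expected_hmac("example-password", salt, ct), ct, "1.2", "dev")
    print(password_matches(parse_envelope(blob), "example-password"))  # True
```

Two things worth noticing from the parse of the post's own sample: the 16-byte ciphertext is exactly one AES block, so the envelope hides the value but not its rough size, and the salt is stored in the clear, so everything in the file except the password is public. That is why the vault password (or password file) is the secret to protect, and why `--vault-id label@source` in a 1.2 header only names which password to try, not anything about the key.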
Common Ansible Inventory Parameters
Connection Parameters
- ansible_connection:
  - Type of connection to use for the host.
  - Examples: local, ssh, docker, winrm
- ansible_host:
  - The hostname or IP address to connect to.
  - Example: 192.168.1.1
- ansible_port:
  - The port to connect to on the remote host.
  - Example: 22
- ansible_user:
  - The username to use when connecting to the remote host.
  - Example: ubuntu
- ansible_password:
  - The password to use for authentication.
  - Example: my_password
- ansible_ssh_private_key_file:
  - The private key file to use for SSH connections.
  - Example: /path/to/private/key
- ansible_ssh_common_args:
  - Additional SSH arguments that are applied to all hosts.
  - Example: '-o StrictHostKeyChecking=no'
- ansible_ssh_extra_args:
  - Additional SSH arguments that are applied on a per-host basis.
  - Example: '-o UserKnownHostsFile=/dev/null'
Privilege Escalation Parameters
- ansible_become:
  - Whether to become another user.
  - Examples: yes, no
- ansible_become_user:
  - The user to become.
  - Example: root
- ansible_become_method:
  - The method to use for becoming another user.
  - Examples: sudo, su, pbrun
- ansible_become_password:
  - The password for becoming another user.
  - Example: my_sudo_password
Windows Parameters
- ansible_winrm_transport:
  - The transport to use for WinRM.
  - Examples: basic, ntlm, kerberos
- ansible_winrm_server_cert_validation:
  - WinRM server certificate validation mode.
  - Examples: ignore, validate
- ansible_winrm_port:
  - The port to use for WinRM connections.
  - Example: 5986
Network Device Parameters
- ansible_network_os:
  - The network OS to use for network devices.
  - Examples: ios, eos, nxos
- ansible_httpapi_use_ssl:
  - Whether to use SSL for HTTP API connections.
  - Examples: yes, no
- ansible_httpapi_validate_certs:
  - Whether to validate SSL certificates for HTTP API connections.
  - Examples: yes, no
- ansible_httpapi_port:
  - The port to use for HTTP API connections.
  - Example: 443
Performance Tuning Parameters
- ansible_ssh_retries:
  - Number of retries for SSH connections.
  - Example: 3
- ansible_command_timeout:
  - Timeout for command execution.
  - Example: 30
- ansible_shell_executable:
  - The shell executable to use for command execution.
  - Example: /bin/bash
Inventory Parameters Example
Here’s an example of how these parameters might be used in an inventory file (INI format and YAML format):
INI Format:
[web]
web1 ansible_host=192.168.1.1 ansible_user=ubuntu ansible_port=22 ansible_ssh_private_key_file=/path/to/private/key
web2 ansible_host=192.168.1.2 ansible_user=ubuntu ansible_port=22 ansible_password=my_password
[db]
db1 ansible_host=192.168.2.1 ansible_user=root ansible_become=yes ansible_become_user=root ansible_become_password=my_sudo_password
db2 ansible_host=192.168.2.2 ansible_user=root ansible_become=yes ansible_become_user=root ansible_become_password=my_sudo_password
Understanding and effectively using Ansible inventory parameters can greatly enhance your ability to manage and configure your infrastructure. These parameters provide the flexibility needed to handle different environments and use cases, ensuring that your automation processes are robust and adaptable. By incorporating these parameters into your inventory files, you can control various aspects of host interaction, such as connection details, privilege escalation, and performance tuning, making your Ansible playbooks more powerful and efficient.
Live Practical
Instead of passing the parameters “-u jami -k -b” on the ansible-playbook command line, we will add these parameters to the inventory.
ansible-playbook -i inventory /home/jami/site.yaml -u jami -k -b
ansible_user=jami
ansible_password=Gufran@123456
ansible_become_password=Gufran@123456
ansible_become=true
in the inventory file, like below:
[web]
51.8.106.65
51.8.106.109
[web:vars]
myname=Jamiingroup
ansible_user=jami
ansible_password=Gufran@123456
ansible_become_password=Gufran@123456
ansible_become=true
It works with the command:
ansible-playbook -i inventory web.yaml
Now encrypt the inventory using Ansible Vault:
root@Jami2:/home/jami# ansible-vault encrypt inventory
New Vault password:
Confirm New Vault password:
Encryption successful
Now open the inventory with vi: it is encrypted.
We can run “ansible-vault decrypt inventory” to remove the encryption.
We can edit the inventory using “ansible-vault edit inventory”.
To run the playbook, pass the vault password; otherwise it will not run:
ansible-playbook -i inventory web.yaml --ask-vault-password
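The practical above and the "Inventory Parameters Example" before it both put ansible_password and ansible_become_password straight into an INI inventory, and the whole reason for the final ansible-vault encrypt step is that a plaintext inventory with those keys is a credential file. A check that catches this before the file is committed is worth automating. The following is an added example, not part of this post and not Ansible's code: it parses the subset of the INI inventory format used here ([group] sections, host lines with key=value pairs, and [group:vars] sections applied to every member), resolves the effective variables per host, and reports plaintext credential keys as well as the settings from the parameter list that switch off host or server authentication (StrictHostKeyChecking=no, UserKnownHostsFile=/dev/null, ansible_winrm_server_cert_validation=ignore, ansible_httpapi_validate_certs=no). A file that already starts with $ANSIBLE_VAULT is treated as encrypted and yields nothing. The sample inventory is constructed in the shape of the post's, with RFC 5737 documentation addresses and CHANGE_ME placeholders instead of real values.

```python
# Added example (not from this post and not Ansible's code): lint an INI-style
# inventory for plaintext credentials and for settings that switch off host or
# server authentication. It handles the subset of the INI format used in this
# post: [group] sections with "host key=value ..." lines and [group:vars]
# sections that apply to every member of the group. A file that starts with
# $ANSIBLE_VAULT is treated as already encrypted and yields no findings.
import shlex
from typing import Callable, Dict, List, Tuple

# Inventory keys whose values are secrets; in a plaintext inventory they are findings.
SECRET_KEYS = {"ansible_password", "ansible_ssh_pass",
               "ansible_become_password", "ansible_become_pass"}

# Settings that weaken transport authentication, with the value test for each.
WEAK_SETTINGS: Dict[str, Callable[[str], bool]] = {
    "ansible_winrm_server_cert_validation": lambda v: v.lower() == "ignore",
    "ansible_httpapi_validate_certs": lambda v: v.lower() in ("no", "false", "0"),
    "ansible_ssh_common_args": lambda v: "stricthostkeychecking=no" in v.replace(" ", "").lower(),
    "ansible_ssh_extra_args": lambda v: "userknownhostsfile=/dev/null" in v.replace(" ", "").lower(),
}

# Constructed sample in the shape of this post's inventory: documentation
# addresses (RFC 5737) and placeholder secrets instead of real values.
SAMPLE_INVENTORY = """\
[web]
192.0.2.10
192.0.2.11 ansible_ssh_common_args='-o StrictHostKeyChecking=no'

[web:vars]
myname=Jamiingroup
ansible_user=jami
ansible_password=CHANGE_ME
ansible_become_password=CHANGE_ME
ansible_become=true
"""


def parse_ini_inventory(text: str) -> Dict[str, Dict[str, str]]:
    """Effective variables per host: [group:vars] first, host-line values override."""
    host_vars: Dict[str, Dict[str, str]] = {}
    group_vars: Dict[str, Dict[str, str]] = {}
    host_groups: Dict[str, List[str]] = {}
    section = "ungrouped"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section.endswith(":vars"):
            key, _, value = line.partition("=")
            group_vars.setdefault(section[:-5], {})[key.strip()] = value.strip()
        elif section.endswith(":children"):
            continue                               # group nesting is not needed here
        else:
            parts = shlex.split(line)              # honours quoting around values
            host = parts[0]
            host_vars.setdefault(host, {}).update(
                p.split("=", 1) for p in parts[1:] if "=" in p)
            host_groups.setdefault(host, []).append(section)
    effective: Dict[str, Dict[str, str]] = {}
    for host, groups in host_groups.items():
        merged: Dict[str, str] = {}
        for group in groups:
            merged.update(group_vars.get(group, {}))
        merged.update(host_vars[host])
        effective[host] = merged
    return effective


def lint_inventory(text: str) -> List[Tuple[str, str, str]]:
    """Findings as (host, parameter, reason). Empty for a vault-encrypted or clean inventory."""
    if text.lstrip().startswith("$ANSIBLE_VAULT;"):
        return []
    findings: List[Tuple[str, str, str]] = []
    for host, variables in sorted(parse_ini_inventory(text).items()):
        for key, value in variables.items():
            if key in SECRET_KEYS:
                findings.append((host, key,
                                 "plaintext credential: encrypt the inventory with ansible-vault "
                                 "or move the value to a vault-encrypted vars file"))
            elif key in WEAK_SETTINGS and WEAK_SETTINGS[key](value):
                findings.append((host, key, "disables host or server authentication"))
    return findings


if __name__ == "__main__":
    for host, key, reason in lint_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {key}: {reason}")
    print(lint_inventory("$ANSIBLE_VAULT;1.1;AES256\n"))  # [] once the file is encrypted
```

Run against a plaintext inventory it lists every host that inherits a password from [web:vars], so the group-level placement in the practical does not hide the finding; run against the same file after ansible-vault encrypt it returns nothing, which is the state you want committed. The transport checks are there because the parameter list above shows '-o StrictHostKeyChecking=no' and cert validation "ignore" as examples: they make the first connection to a host work without any prior trust, and also make a redirected connection indistinguishable from the real one, so treat them as lab-only settings.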