Ansible – Vault in Ansible (Part-11)

What is Ansible Vault?

Ansible Vault is a feature within Ansible that allows you to keep sensitive data, such as passwords, keys, and other secrets, secure. Vault encrypts the contents of files, ensuring that sensitive information is not exposed in plaintext within your playbooks or version control systems.

Key Features of Ansible Vault

  • Encryption and Decryption: Encrypt and decrypt files containing sensitive data.
  • Integration: Seamlessly integrate with Ansible playbooks, roles, and variables.
  • Flexibility: Encrypt entire files or specific variables within a file.
  • Security: Use passwords or key files to manage access to encrypted data.

root@Jami2:/home/jami# ansible-vault
usage: ansible-vault [-h] [--version] [-v] {create,decrypt,edit,view,encrypt,encrypt_string,rekey} ...
ansible-vault: error: the following arguments are required: action

usage: ansible-vault [-h] [--version] [-v] {create,decrypt,edit,view,encrypt,encrypt_string,rekey} ...

encryption/decryption utility for Ansible data files

positional arguments:
    create              Create new vault encrypted file
    decrypt             Decrypt vault encrypted file
    edit                Edit vault encrypted file
    view                View vault encrypted file
    encrypt             Encrypt YAML file
    encrypt_string      Encrypt a string
    rekey               Re-key a vault encrypted file

  --version             show program's version number, config file location, configured module search path, module location, executable location and exit
  -h, --help            show this help message and exit
  -v, --verbose         Causes Ansible to print more debug messages. Adding multiple -v will increase the verbosity, the builtin plugins currently evaluate up to
                        -vvvvvv. A reasonable level to start is -vvv, connection debugging might require -vvvv. This argument may be specified multiple times.

See 'ansible-vault <command> --help' for more information on a specific command.

Basic Usage

Encrypting a File

To encrypt a file using Ansible Vault, use the ansible-vault encrypt command. For example, to encrypt a file called vars.yml:

ansible-vault encrypt vars.yml

You will be prompted to enter a password, which will be required to decrypt the file later.

Decrypting a File

To decrypt a file, use the ansible-vault decrypt command:

ansible-vault decrypt vars.yml

You will be prompted to enter the password used during encryption.

Viewing an Encrypted File

To view the contents of an encrypted file without writing a decrypted copy to disk, use the ansible-vault view command:

ansible-vault view vars.yml

Editing an Encrypted File

To edit an encrypted file, use the ansible-vault edit command:

ansible-vault edit vars.yml

Example: Using Ansible Vault with Variables

Let’s walk through an example where we use Ansible Vault to encrypt sensitive variables.

1. Create a Variables File

Create a file named vault.yml to store sensitive variables:

vault.yml

secret_user: admin
secret_password: my_secret_password

2. Encrypt the Variables File

Encrypt the vault.yml file:

ansible-vault encrypt vault.yml

3. Create a Playbook

Create a playbook that uses the encrypted variables:

---
- name: Example playbook using Ansible Vault
  hosts: localhost
  vars_files:
    - vault.yml
  tasks:
    # Demo only: debug prints the decrypted values to the console.
    - name: Print secret user
      debug:
        msg: "The secret user is {{ secret_user }}"

    - name: Print secret password
      debug:
        msg: "The secret password is {{ secret_password }}"

4. Run the Playbook

Run the playbook, providing the password to decrypt the vault.yml file:

ansible-playbook site.yml --ask-vault-pass

Using Vault IDs

Vault IDs allow you to manage multiple vault passwords more effectively. You can use different vault IDs for different files or different environments.

1. Encrypting Files with Vault IDs

Encrypt files with different vault IDs:

ansible-vault encrypt --vault-id dev@prompt dev_vars.yml
ansible-vault encrypt --vault-id prod@prompt prod_vars.yml

2. Using Vault IDs in a Playbook

---
- name: Example playbook using Vault IDs
  hosts: localhost
  vars_files:
    - dev_vars.yml
    - prod_vars.yml
  tasks:
    - name: Print dev variable
      debug:
        msg: "The dev variable is {{ dev_variable }}"

    - name: Print prod variable
      debug:
        msg: "The prod variable is {{ prod_variable }}"

3. Running the Playbook with Vault IDs

ansible-playbook site.yml --vault-id dev@prompt --vault-id prod@prompt

Example: Encrypting Specific Variables

You can also encrypt specific variables within a file rather than encrypting the entire file.

1. Create a File with Encrypted Variables

Create a file named vars.yml:

vars.yml

regular_var: "This is a regular variable"

secret_var: !vault |

Note: The encrypted value above is an example; your encrypted value will be different.

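2. Encrypt the Specific Variable

Use the ansible-vault encrypt_string command to encrypt a specific variable. A value given as a command-line argument, as here, ends up in shell history; encrypt_string can also read it from a prompt or standard input: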

    ansible-vault encrypt_string 'my_secret_value' --name 'secret_var'

    3. Create a Playbook Using the Encrypted Variable

    ---
    - name: Example playbook with encrypted variable
      hosts: localhost
      vars_files:
        - vars.yml
      tasks:
        - name: Print regular variable
          debug:
            msg: "The regular variable is {{ regular_var }}"
        - name: Print secret variable
          debug:
            msg: "The secret variable is {{ secret_var }}"

    4. Run the Playbook

    Run the playbook, providing the password to decrypt the vars.yml file:

    ansible-playbook site.yml --ask-vault-pass

    Common Ansible Inventory Parameters

    Connection Parameters

    1. ansible_connection:
      • Type of connection to use for the host.
      • Examples: local, ssh, docker, winrm.
    2. ansible_host:
      • The hostname or IP address to connect to.
      • Example:
    3. ansible_port:
      • The port to connect to on the remote host.
      • Example: 22.
    4. ansible_user:
      • The username to use when connecting to the remote host.
      • Example: ubuntu.
    5. ansible_password:
      • The password to use for authentication.
      • Example: my_password.
    6. ansible_ssh_private_key_file:
      • The private key file to use for SSH connections.
      • Example: /path/to/private/key.
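    7. ansible_ssh_common_args:
      • Additional SSH arguments that are applied to all hosts.
      • Example: '-o StrictHostKeyChecking=no'. This turns off SSH host key verification, so keep it to disposable lab hosts.
    8. ansible_ssh_extra_args:
      • Additional SSH arguments that are applied on a per-host basis.
      • Example: '-o UserKnownHostsFile=/dev/null'. This discards recorded host keys, so a changed host key goes unnoticed.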

    Privilege Escalation Parameters

    1. ansible_become:
      • Whether to become another user.
      • Examples: yes, no.
    2. ansible_become_user:
      • The user to become.
      • Example: root.
    3. ansible_become_method:
      • The method to use for becoming another user.
      • Examples: sudo, su, pbrun.
    4. ansible_become_password:
      • The password for becoming another user.
      • Example: my_sudo_password.

    Windows Parameters

    1. ansible_winrm_transport:
      • The transport to use for WinRM.
      • Examples: basic, ntlm, kerberos.
    2. ansible_winrm_server_cert_validation:
      • WinRM server certificate validation mode.
      • Examples: ignore, validate.
    3. ansible_winrm_port:
      • The port to use for WinRM connections.
      • Example: 5986.

    Network Device Parameters

    1. ansible_network_os:
      • The network OS to use for network devices.
      • Examples: ios, eos, nxos.
    2. ansible_httpapi_use_ssl:
      • Whether to use SSL for HTTP API connections.
      • Examples: yes, no.
    3. ansible_httpapi_validate_certs:
      • Whether to validate SSL certificates for HTTP API connections.
      • Examples: yes, no.
    4. ansible_httpapi_port:
      • The port to use for HTTP API connections.
      • Example: 443.

    Performance Tuning Parameters

    1. ansible_ssh_retries:
      • Number of retries for SSH connections.
      • Example: 3.
    2. ansible_command_timeout:
      • Timeout for command execution.
      • Example: 30.
    3. ansible_shell_executable:
      • The shell executable to use for command execution.
      • Example: /bin/bash.

    Inventory Parameters Example

    Here’s an example of how these parameters might be used in an inventory file (INI format and YAML format):

    INI Format:

    web1 ansible_host= ansible_user=ubuntu ansible_port=22 ansible_ssh_private_key_file=/path/to/private/key
    web2 ansible_host= ansible_user=ubuntu ansible_port=22 ansible_password=my_password
    db1 ansible_host= ansible_user=root ansible_become=yes ansible_become_user=root ansible_become_password=my_sudo_password
    db2 ansible_host= ansible_user=root ansible_become=yes ansible_become_user=root ansible_become_password=my_sudo_password

    Understanding and effectively using Ansible inventory parameters can greatly enhance your ability to manage and configure your infrastructure. These parameters provide the flexibility needed to handle different environments and use cases, ensuring that your automation processes are robust and adaptable. By incorporating these parameters into your inventory files, you can control various aspects of host interaction, such as connection details, privilege escalation, and performance tuning, making your Ansible playbooks more powerful and efficient.

    Live Practical

    Instead of passing the parameters “-u jami -k -b” to ansible-playbook on the command line, we will add them to the inventory.

    ansible-playbook -i inventory /home/jami/site.yaml -u jami -k -b

    Add them to the inventory file like below:


    It works with the command:

    ansible-playbook -i inventory web.yaml

    Now encrypt the inventory using Ansible Vault:

    root@Jami2:/home/jami# ansible-vault encrypt inventory
    New Vault password:
    Confirm New Vault password:
    Encryption successful

    Now open the file with vi inventory (it is encrypted).

    We can run “ansible-vault decrypt inventory” to remove the encryption.

    We can edit the inventory using “ansible-vault edit inventory”.

    To run the playbook, pass the vault password; otherwise it will not run:

    ansible-playbook -i inventory web.yaml --ask-vault-password
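
A pre-commit style check for the two things this page relies on: that an inventory holding passwords is actually encrypted, and that a file was encrypted under the intended vault ID. This is an added example, not code from the original post; the function names, sample file names and dummy ciphertext are assumptions. It reads only the first line of each file, which is `$ANSIBLE_VAULT;1.1;AES256` for a plain vault file and `$ANSIBLE_VAULT;1.2;AES256;<label>` when a vault ID label was used.

```bash
#!/usr/bin/env bash
# Added example. Function names and sample files are assumptions.

# Print "encrypted:<label>" for a vault file ("default" when the header has
# no vault ID label), "plaintext-secret" when an unencrypted file assigns a
# connection or become password, and "clean" otherwise.
vault_status() {
    local file=$1 header vars
    vars='ansible_(password|ssh_pass|become_password|become_pass)'
    IFS= read -r header < "$file" || true
    case $header in
        '$ANSIBLE_VAULT;1.2;'*)   # $ANSIBLE_VAULT;1.2;AES256;<label>
            echo "encrypted:${header##*;}" ;;
        '$ANSIBLE_VAULT;'*)       # 1.1 header carries no label
            echo "encrypted:default" ;;
        *)
            # Values written by encrypt_string start with !vault: not a leak.
            if grep -E "(^|[[:space:]])${vars}[[:space:]]*[=:]" "$file" |
                grep -qv '!vault'; then
                echo "plaintext-secret"
            else
                echo "clean"
            fi ;;
    esac
}

# Fail if any file holds plaintext passwords or is encrypted under a vault
# ID label other than the expected one.
audit_files() {
    local expected=$1 rc=0 f st
    shift
    for f in "$@"; do
        st=$(vault_status "$f")
        case $st in
            "encrypted:${expected}" | clean) ;;
            *) echo "FAIL ${f}: ${st}" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed samples; the hex bodies are dummy data, not real vault output.
make_samples() {
    printf '%s\n' '$ANSIBLE_VAULT;1.2;AES256;prod' '64756d6d79' > "$1/prod_vars.yml"
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '64756d6d79' > "$1/inventory.enc"
    printf '%s\n' 'web2 ansible_user=ubuntu ansible_password=my_password' > "$1/inventory"
    printf '%s\n' 'regular_var: "x"' 'ansible_password: !vault |' > "$1/vars.yml"
}
```

Called from a pre-commit hook as `audit_files prod prod_vars.yml inventory`, a non-zero exit blocks the commit and the failing files are listed on stderr.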
