Ansible Passwords
Ansible Vault lets us encrypt values against an external password. The resulting ciphertext can be included directly in the inventory, which avoids the need to encrypt the entire file. If the password is kept outside git, the secrets cannot be recovered from the git repository alone.
Let's set this up using a single password for simplicity.
Password file
Using a password file means not having to type in a password. Keep the password outside of git, e.g. ~/ansible_password.txt. You can generate a strong password like this:
openssl rand -base64 120 > ~/ansible_password.txt
Guard this file: it gives access to the secrets, and it is impossible to re-run your Ansible playbooks without the password (unless all passwords are regenerated and re-encrypted with a new password file).
Encrypting a value
ansible-vault encrypt_string --vault-password-file ~/ansible_password.txt
- Type the password, then press ctrl+d twice to exit. Don't press enter, as that would include \n in the password.
- Copy and paste the value into the inventory.
- Commit the inventory to git.
Warning: VS Code will show a YAML error when editing files that contain Ansible Vault encrypted data. There is no error in the file; it is valid YAML (prove it with yq if in doubt), so do not attempt to fix it!
Encrypted output looks like this:
!vault |
$ANSIBLE_VAULT;1.1;AES256
66383331373336353430333733303430376436373130343330326130303230383266333763333464
3834306136306432333137613966303862626436393665310a653738613161626362323139383235
63656134343036626664363138313739396530373563653231343534303931663035656566623737
3134636633373032380a383937306339313630396434373037343935326533656230383439616435
6135
It should be pasted into the vars section, like this:
all:
  vars:
    foo: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      66383331373336353430333733303430376436373130343330326130303230383266333763333464
      3834306136306432333137613966303862626436393665310a653738613161626362323139383235
      63656134343036626664363138313739396530373563653231343534303931663035656566623737
      3134636633373032380a383937306339313630396434373037343935326533656230383439616435
      6135
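As an added example (not part of the original post, and not Ansible's own code), here is a stdlib-only Python parser for the 1.1 envelope shown above: the hex body decodes to three newline-separated hex fields (a 32-byte salt, an HMAC-SHA256 tag and the AES-256-CTR ciphertext), and the AES key, HMAC key and IV are derived from the password and salt with PBKDF2-HMAC-SHA256 over 10000 iterations. It checks a candidate password against the HMAC without decrypting, which is how a wrong --vault-password-file is rejected; the candidate password used below is a constructed placeholder, not the one that produced the sample.

```python
import hashlib
import hmac
from binascii import unhexlify

# The sample !vault block from this page, as it appears in the inventory.
SAMPLE_VAULT = """\
$ANSIBLE_VAULT;1.1;AES256
66383331373336353430333733303430376436373130343330326130303230383266333763333464
3834306136306432333137613966303862626436393665310a653738613161626362323139383235
63656134343036626664363138313739396530373563653231343534303931663035656566623737
3134636633373032380a383937306339313630396434373037343935326533656230383439616435
6135
"""

def parse_vault_text(text):
    """Split a vault block into header fields plus raw salt, hmac and ciphertext."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    header = lines[0].split(";")
    if header[0] != "$ANSIBLE_VAULT" or header[2] != "AES256":
        raise ValueError("not an AES256 ansible-vault block: %r" % lines[0])
    # The body is hex; decoding it yields "salt_hex\nhmac_hex\nciphertext_hex".
    salt_hex, hmac_hex, ct_hex = unhexlify("".join(lines[1:])).split(b"\n")
    return {
        "version": header[1],                      # "1.1", or "1.2" with a vault id
        "vault_id": header[3] if len(header) > 3 else None,
        "salt": unhexlify(salt_hex),               # 32 random bytes
        "hmac": unhexlify(hmac_hex),               # HMAC-SHA256 over the ciphertext
        "ciphertext": unhexlify(ct_hex),           # AES-256-CTR of the padded value
    }

def derive_keys(password, salt):
    """PBKDF2-HMAC-SHA256, 10000 rounds, 80 bytes -> (AES key, HMAC key, IV)."""
    derived = hashlib.pbkdf2_hmac("sha256", password, salt, 10000, dklen=80)
    return derived[:32], derived[32:64], derived[64:80]

def password_matches(text, password):
    """Verify a candidate vault password via the HMAC alone, with no decryption."""
    parts = parse_vault_text(text)
    _aes_key, hmac_key, _iv = derive_keys(password, parts["salt"])
    expected = hmac.new(hmac_key, parts["ciphertext"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, parts["hmac"])

if __name__ == "__main__":
    p = parse_vault_text(SAMPLE_VAULT)
    print("salt/hmac/ciphertext bytes:", len(p["salt"]), len(p["hmac"]), len(p["ciphertext"]))
    # Constructed placeholder password: it is not the one used to make the sample.
    print("password accepted:", password_matches(SAMPLE_VAULT, b"not-the-real-password"))
```

The 16-byte ciphertext is a single AES block, which is what a short value padded with PKCS7 produces; ansible-vault itself decrypts only after this HMAC check passes.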
Using vault-encrypted data in ansible playbooks
Just run ansible-playbook with the --vault-password-file argument pointing to your password file, e.g. --vault-password-file ~/ansible_password.txt
Conclusion
That's all you need to do to embed lightweight secrets in your Ansible playbooks. For a more enterprise-friendly method of using encrypted secrets, take a look at HashiCorp Vault, which has features such as backups, access control, etc.