
Ansible Passwords

Ansible Vault can encrypt individual values under an external password. The resulting ciphertext can be pasted straight into the inventory, so there is no need to encrypt the whole file. As long as the password is kept outside git, the secrets cannot be recovered from the repository alone.

Let's set this up using a single password, for simplicity.

Password file

Using a password file means never having to type the password. Keep the file outside git, e.g. ~/ansible_password.txt, and make it readable only by your own user (mode 0600). You can generate a strong password like this:

openssl rand -base64 120 > ~/ansible_password.txt

Guard this file: anyone who holds it can decrypt every secret, and without it your playbooks cannot run at all (short of decrypting every value and re-encrypting it under a new password). Note that openssl wraps base64 output at 64 characters, so this file is several lines long; Ansible uses the entire file content, minus leading and trailing whitespace, as the password, so back up and copy the file intact rather than a single line from it (openssl rand -hex 32 gives a single-line password if you prefer).

Encrypting a value

  1. ansible-vault encrypt_string --vault-password-file ~/ansible_password.txt
    • Type the secret, then press ctrl+d twice to end input. Don't press enter: that would include a trailing \n in the encrypted value.
    • Adding --stdin-name foo makes ansible-vault print the ready-to-paste "foo: !vault |" line as well.
  2. Copy and paste the output into the inventory.
  3. Commit the inventory to git.

Warning: VS Code will show a YAML error when editing files that contain Ansible Vault encrypted data. There is no error in the file: the !vault tag is valid YAML (check with yq if in doubt). Do not attempt to fix it!

Encrypted output looks like this, followed by the indented ciphertext lines:

!vault |

And should be pasted into the vars section like this, with the ciphertext lines indented beneath it:

        foo: !vault |

Using vault-encrypted data in ansible playbooks

Just run ansible-playbook with the --vault-password-file argument pointing at your password file, e.g. --vault-password-file ~/ansible_password.txt. Setting vault_password_file in ansible.cfg, or the ANSIBLE_VAULT_PASSWORD_FILE environment variable, has the same effect and saves typing it on every run. If a value fails to decrypt, the usual cause is that it was encrypted under a different password file than the one the playbook is now given.
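As an added example (not code from this post or from Ansible itself), here is a standard-library Python checker that parses a pasted !vault value and confirms, without decrypting it, that it was encrypted under the password in your password file. It hard-codes the envelope layout and PBKDF2 parameters of Ansible's AES256 vault cipher; the salt, ciphertext bytes and password it ships with are constructed test data, not real ansible-vault output. It is useful as a pre-commit check that what you pasted into the inventory really belongs to the password file the playbooks will use.

```python
"""Verify a pasted Ansible Vault value against a password file (stdlib only).

Added example, not code from the original post or from Ansible. It implements
Ansible's vault 1.1/1.2 envelope far enough to split a `!vault` body into
salt / HMAC / ciphertext and to recompute the HMAC-SHA256 from the password.
It never decrypts (that would need AES-256-CTR), so the plaintext stays sealed.
"""
import binascii
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

HEADER = "$ANSIBLE_VAULT"
PBKDF2_ITERATIONS = 10000  # iteration count used by Ansible's VaultAES256
KEY_LEN = 32               # AES-256 key and HMAC-SHA256 key, 32 bytes each
IV_LEN = 16                # AES-CTR initial counter block


@dataclass
class VaultBlob:
    version: str
    vault_id: Optional[str]
    salt: bytes
    mac: bytes
    ciphertext: bytes


def normalize_password(raw: bytes) -> bytes:
    """Ansible strips leading/trailing whitespace from a password file and
    uses everything else, so inner newlines (e.g. wrapped base64) count."""
    return raw.strip()


def parse_vault_text(text: str) -> VaultBlob:
    """Parse the text after `!vault |`: a header line, then 80-column hex.

    The hex decodes to three newline-separated hex strings: salt, HMAC and
    AES-CTR ciphertext (hex inside hex is how Ansible stores it).
    """
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    fields = lines[0].split(";")
    if len(fields) < 3 or fields[0] != HEADER or fields[2] != "AES256":
        raise ValueError("not an Ansible Vault AES256 envelope")
    version = fields[1]
    vault_id = fields[3] if version == "1.2" and len(fields) > 3 else None
    inner = binascii.unhexlify("".join(lines[1:]))
    parts = inner.split(b"\n")
    if len(parts) != 3:
        raise ValueError("vault body is not salt/hmac/ciphertext")
    salt, mac, ciphertext = (binascii.unhexlify(p) for p in parts)
    if len(salt) != 32 or len(mac) != 32 or len(ciphertext) % 16:
        raise ValueError("unexpected salt/hmac/ciphertext lengths")
    return VaultBlob(version, vault_id, salt, mac, ciphertext)


def derive_keys(password: bytes, salt: bytes) -> Tuple[bytes, bytes, bytes]:
    """PBKDF2-HMAC-SHA256 -> (AES key, HMAC key, IV), split as Ansible does."""
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS,
                             dklen=2 * KEY_LEN + IV_LEN)
    return dk[:KEY_LEN], dk[KEY_LEN:2 * KEY_LEN], dk[2 * KEY_LEN:]


def verify(text: str, password: bytes) -> bool:
    """True iff the stored HMAC matches one computed with the password."""
    blob = parse_vault_text(text)
    _, hmac_key, _ = derive_keys(password, blob.salt)
    expected = hmac.new(hmac_key, blob.ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, blob.mac)


def build_envelope(salt: bytes, ciphertext: bytes, password: bytes,
                   vault_id: Optional[str] = None) -> str:
    """Wrap already-encrypted bytes exactly as Ansible formats them.
    Used here only to build test data; real ciphertext comes from
    ansible-vault, since this file has no AES implementation."""
    _, hmac_key, _ = derive_keys(password, salt)
    mac = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest().encode()
    inner = b"\n".join([binascii.hexlify(salt), mac, binascii.hexlify(ciphertext)])
    body = binascii.hexlify(inner).decode()
    header = f"{HEADER};1.2;AES256;{vault_id}" if vault_id else f"{HEADER};1.1;AES256"
    return "\n".join([header] + [body[i:i + 80] for i in range(0, len(body), 80)])


# Constructed sample: a fixed salt and 32 bytes standing in for AES output.
# Neither is real ansible-vault output; only the envelope and HMAC are genuine.
PASSWORD = normalize_password(b"correct-horse-battery-staple\n")
SAMPLE_SALT = bytes(range(32))
SAMPLE_CIPHERTEXT = bytes([0xA5] * 32)
SAMPLE_VAULT_TEXT = build_envelope(SAMPLE_SALT, SAMPLE_CIPHERTEXT, PASSWORD)

if __name__ == "__main__":
    print(SAMPLE_VAULT_TEXT)
    print("right password:", verify(SAMPLE_VAULT_TEXT, PASSWORD))
    print("wrong password:", verify(SAMPLE_VAULT_TEXT, b"wrong"))
```

To check a real value, read the password with normalize_password(open("~/ansible_password.txt" expanded, "rb").read()) and pass the lines below "foo: !vault |" (indentation included) to verify(). A False result means either the wrong password file or a ciphertext that was altered after encryption; the checker cannot tell you which, and it cannot show the plaintext, which is the point of running it on a host that is not supposed to see secrets.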


That's all you need to do to embed lightweight secrets in your Ansible playbooks. For a more enterprise-friendly way of handling secrets, take a look at HashiCorp Vault, which adds features such as access control, audit logging and backups.
