- Learn Ansible
- Russ McKendrick
Ansible Vault
In Ansible, it is possible to load variables from files. We will look at this in more detail in the next chapter. These files can contain sensitive information such as passwords and API keys. An example of this would be the following:
secret: "mypassword"
secret-api-key: "myprivateapikey"
As you can see, we have two sensitive bits of information visible as plaintext. This is OK while the file is on our local machine, but what if we want to check the file into source control to share it with our colleagues? Even if the repository is private, we shouldn't be storing this type of information in plaintext.
Ansible introduced Vault to help solve this very problem. Using Vault, we can encrypt the file and then, when Ansible is executed, it is decrypted in memory and the content read.
To encrypt a file, we need to run the following command, providing a password that will be used to decrypt the file when prompted:
$ ansible-vault encrypt secrets.yml
The following screenshot shows the output for the preceding command:

As you can see from the output, you will be asked to confirm the password. Once encrypted, your file will look like the following:
$ANSIBLE_VAULT;1.1;AES256
32643164646266353962363635363831366431316264366261616238333237383063313035343062
6431336434356661646336393061626130373233373161660a363532316138633061643430353235
32343466613038663333383835633831363436343363613933626332383565663562366163393866
6532393661633762310a393935373533666230383063376639373831383965303461636433356365
64326162613637336630363733303732343065373233333263613538656361396163376165353237
30393265616630366134383830626335646338343739353638313264336638363338356136636637
623236653139386534613236623434626131
As you can see, the encrypted content is stored as plain text characters. This makes sure that our secrets.yml file will still work without any problems with source control. You can view the content of the file by running:
$ ansible-vault view secrets.yml
This will ask you for the password and print the content of the file to the screen:

You can decrypt the file on disk by running:
$ ansible-vault decrypt secrets.yml
When using this command, please remember not to check the decrypted file into your source control system!
Since Ansible 2.4, it is possible to encrypt a single variable in a file. Let's add some more variables to our file:
username: russmckendrick
password: "mypassword"
secretapikey: "myprivateapikey"
packages:
  - httpd
  - php
  - mariadb
It would be good if we didn't have to keep viewing or decrypting our file to check the variable name and overall content of the file.
Let's encrypt the password content by running the following:
$ ansible-vault encrypt_string 'mypassword' --name 'password'
This will encrypt the mypassword string and give it a variable name of password:

We can then copy and paste the output into our file, repeat the process for secretapikey, and we end up with the following:
username: "russmckendrick"
password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          30646136653066633833363837613162623765386561356334386463366338313164633737386534
          6536663537383830323636653235633662353933616331660a313962626530303961383234323736
          36393433313530343266383239663738626235393164356135336564626661303564343039303436
          6662653961303764630a346639663964373137366666383630323535663536623763303339323062
          3662
secretapikey: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          63613932313933336532303237373732386337663662656337623962313638313338333763396232
          3463303765303530323133323064346539653234343933330a656537646262633765353766323737
          32303633323166643664323133303336393161663838386632346336626535303466303863346239
          3764633164613862350a363830336633356233626631636266303632663335346234373034376235
          3836
packages:
  - "httpd"
  - "php"
  - "mariadb"
As you can see, that is a lot easier to read and is just as secure as encrypting the file as a whole. There is one last thing to cover with Ansible Vault: the password can also be read from a file. For example, I have been encrypting my Vaults with the password password. Let's put that in a file and then use it to unlock our Vault:
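As an added illustration (not code from the book or from Ansible itself), the following Python shows what sits inside the $ANSIBLE_VAULT;1.1;AES256 envelope produced by both ansible-vault encrypt and encrypt_string: it parses the envelope into salt, HMAC and ciphertext, checks a candidate password against the stored HMAC without decrypting, and lists the top-level keys of a vars file that are not tagged !vault, which is the check you want before committing. It assumes the vault 1.1 layout (a hex body holding hex(salt), hex(HMAC-SHA256) and hex(ciphertext) separated by newlines) and Ansible's key derivation (PBKDF2-HMAC-SHA256, 10000 iterations, 80 bytes, of which bytes 32 to 64 key the HMAC); the embedded envelope is the encrypted secrets.yml shown above.

```python
import hashlib
import hmac
import re
from binascii import unhexlify

HEADER = "$ANSIBLE_VAULT;1.1;AES256"

# The encrypted secrets.yml from the text above (encrypted, per the author,
# with the password "password"); only its envelope structure is relied on here.
VAULTED_SECRETS = """$ANSIBLE_VAULT;1.1;AES256
32643164646266353962363635363831366431316264366261616238333237383063313035343062
6431336434356661646336393061626130373233373161660a363532316138633061643430353235
32343466613038663333383835633831363436343363613933626332383565663562366163393866
6532393661633762310a393935373533666230383063376639373831383965303461636433356365
64326162613637336630363733303732343065373233333263613538656361396163376165353237
30393265616630366134383830626335646338343739353638313264336638363338356136636637
623236653139386534613236623434626131
"""


def parse_vault(text):
    """Split a 1.1/AES256 envelope into (salt, hmac, ciphertext) bytes.
    Assumed layout: hex body -> hex(salt) "\\n" hex(hmac) "\\n" hex(ciphertext),
    with a 32-byte salt and a 32-byte HMAC-SHA256 tag."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if lines[0] != HEADER:
        raise ValueError("not a vault 1.1 AES256 envelope: %r" % lines[0])
    salt_hex, mac_hex, ct_hex = unhexlify("".join(lines[1:])).split(b"\n")
    salt, mac, ct = unhexlify(salt_hex), unhexlify(mac_hex), unhexlify(ct_hex)
    if len(salt) != 32 or len(mac) != 32 or not ct:
        raise ValueError("malformed vault body")
    return salt, mac, ct


def password_matches(text, password):
    """True if `password` reproduces the stored HMAC (no decryption needed).
    Assumed key schedule: PBKDF2-HMAC-SHA256(password, salt, 10000) -> 80 bytes;
    bytes 0..32 are the AES key, 32..64 the HMAC key, 64..80 the counter IV."""
    salt, mac, ct = parse_vault(text)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10000, 80)
    expected = hmac.new(derived[32:64], ct, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)


def unvaulted_keys(vars_text):
    """Top-level keys of a vars file whose value is not tagged !vault."""
    pattern = re.compile(r"^(\w[\w-]*):[ \t]*(.*)$", re.M)
    return [m.group(1) for m in pattern.finditer(vars_text)
            if not m.group(2).startswith("!vault")]
```

A wrong password fails the HMAC comparison before any decryption is attempted, which is also why a tampered ciphertext is rejected rather than decrypted to garbage.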
$ echo "password" > /tmp/vault-file
As you can see in the following playbook.yml file, we are reading the secrets.yml file and then outputting the content using the debug module:
---
- hosts: localhost
  vars_files:
    - secrets.yml
  tasks:
    - debug:
        msg: "The username is {{ username }} and password is {{ password }}, also the API key is {{ secretapikey }}"
    - debug:
        msg: "I am going to install {{ packages }}"
Run the playbook.yml file using the following command:
$ ansible-playbook playbook.yml
This results in an error message shown in the Terminal output:

As you can see, it is complaining that it found Vault-encrypted data in our file, but we haven't provided the secret to unlock it. Running the following command will read the password from /tmp/vault-file and use it to decrypt the data:
$ ansible-playbook --vault-id /tmp/vault-file playbook.yml
As you can see from the following playbook run, the output is now as we expect:

If you prefer to be prompted for the password, you can also use:
$ ansible-playbook --vault-id @prompt playbook.yml
You can find a copy of playbook.yml and secrets.yml in the Chapter03 folder of the accompanying repository.