Ansible DevOps - Vaults


VI - Ansible Vault
1 - Overview
Ansible Vault is a feature of Ansible that protects sensitive data by encrypting files such as playbooks and data files, together with the usernames, passwords or configuration they contain.
Once a playbook is encrypted, even an Ansible administrator cannot read it without providing the correct password.
Sometimes our playbooks need access to sensitive data (API keys, passwords, etc.). Ansible provides Ansible Vault for these cases: storing variables in the clear is considered a security risk, so we use the ansible-vault command to encrypt and decrypt secrets.
Once secrets are encrypted with a password of your choice, you can safely place them in a source code manager, in your code repositories. Ansible Vault protects only "data at rest". Once the secrets are decrypted, it is our responsibility to handle them carefully and not disclose them accidentally.
We can encrypt either variables or whole files. Encrypted variables are decrypted on demand, only when they are needed, while encrypted files are always decrypted, because Ansible does not know in advance whether it needs their contents.
2 - Managing sensitive data
To create a new encrypted file:
ansible-vault create myfile.yaml
You are asked for the vault password that will encrypt the file, and then an editor opens in which we type the content to be encrypted:
New Vault password:
Confirm New Vault password:
Let's then verify the created file:
cat myfile.yaml
We get this as output:
$ANSIBLE_VAULT;1.1;AES256
30333037626665393664653264386236313938313665386336323834313261363763313563306432
3739666563373432663436303131393536313933333362370a323738323963383431376130383135
34386464313365373165326330353431643838333636386561323834323131313637643330333066
6661626537383162340a343132656130353033666238663236363766343065653832356130323166
3238
It is also possible to encrypt existing files with the encrypt command:
ansible-vault encrypt myfile.yaml
To display an encrypted file:
ansible-vault view myfile.yaml
To modify an encrypted file, we use the edit command, which temporarily decrypts the file:
ansible-vault edit myfile.yaml
The rekey command allows you to change the password of an encrypted file:
ansible-vault rekey myfile.yaml
We get this as output:
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful
If you need to decrypt a file, you can do so with the decrypt command; you will need to provide your password:
ansible-vault decrypt myfile.yaml
We get this as output:
Vault password:
Decryption successful
We can provide the vault password when running our playbooks with the --vault-password-file option.
We can also use the --ask-vault-pass option, which prompts for the vault password interactively.
Guided exercise
We want to secure the group_vars/production.yaml file by encrypting its contents. We will then need to rerun the playbook from the previous exercise, install_wordpress.yaml, providing the vault password interactively.
As a reminder, the contents of the group_vars/production.yaml file are as follows:
ansible_user: datascientest
ansible_ssh_private_key_file: ~/.ansible/key.pem
ansible_become_pass: Datascientest2024
Encrypt the file to protect the passwords.
Now we can check the contents of our file:
$ANSIBLE_VAULT;1.1;AES256
36353563613436326163313932343165623830353731623061636264333238333062636536643935
3733346234613136363735313666303037333762316431620a383632323838306561306130326139
63373033633439306338323530353934633138656262633834333838323536653061343836306438
3766656464373839340a313933316431333661626539313236616565666237346230646164313633
35373331633137383266636664393936313863613733616430356635306263363032623535306261
37666130313730393931343838613163626665333232306336633134366435383631616430363731
32616135393337633565323064636534633133353261623830303361663764663139353764343634
38363036323961366537396232623433346463333931663732653865316137333931613165366365
33656462623830663061636334613432333836336435613532336337323432326631
Run the playbook.
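Because the page recommends keeping vaulted files in a source code manager, a check that stops a plaintext secret from being committed is the natural companion to this exercise. The script below is an added example, not part of the course material: it accepts a vars file such as group_vars/production.yaml only if it is a whole-file Vault envelope, carries its sensitive values as inline !vault variables, or holds no secret key at all. The list of secret keys and the group_vars/*.yaml layout are assumptions.

```shell
#!/bin/sh
# Added example (not course material): pre-commit style check that refuses an
# Ansible vars file holding a secret in the clear. Key list and layout are assumed.
# Top-level YAML keys whose values must never be committed unencrypted (assumed).
SECRET_KEYS='ansible_become_pass|ansible_password|ansible_ssh_pass|api_key'

# is_vault_encrypted FILE -> 0 when the whole file is a Vault envelope. The header
# is $ANSIBLE_VAULT;1.1;AES256, or ;1.2;AES256;<id> with a vault id, so only the
# prefix is compared.
is_vault_encrypted() {
    case "$(head -n 1 "$1")" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# has_clear_secret FILE -> 0 when a sensitive key carries a plaintext value.
# A value beginning with the !vault tag is an inline encrypted variable: allowed.
has_clear_secret() {
    grep -E "^($SECRET_KEYS):" "$1" \
        | grep -Ev '^[^:]*:[[:space:]]*!vault' \
        | grep -q .
}

# check_vars_file FILE -> 0 when safe to commit, 1 when it would leak a secret.
check_vars_file() {
    is_vault_encrypted "$1" && return 0
    if has_clear_secret "$1"; then
        echo "REFUSE: $1 holds a secret in the clear; run: ansible-vault encrypt $1" >&2
        return 1
    fi
    return 0
}

# check_dir DIR -> 1 if any *.yaml or *.yml vars file under DIR fails the check.
check_dir() {
    rc=0
    for f in "$1"/*.yaml "$1"/*.yml; do
        [ -f "$f" ] || continue
        check_vars_file "$f" || rc=1
    done
    return $rc
}

# Hook usage: sh vault_check.sh group_vars   (no argument: nothing is scanned)
if [ -n "${1:-}" ]; then
    check_dir "$1" || exit 1
    echo "OK: no plaintext secrets under $1"
fi
```

Wire it in as a pre-commit hook on the repository that holds group_vars, and a production.yaml that was never run through ansible-vault encrypt is rejected before it leaves the workstation.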
