Ansible Vault
Madhu Sudhan Reddy Y.B JMSTechHome +91-8884807341
Ansible Vault is a feature that lets you encrypt values and data structures within Ansible
projects. It protects sensitive data that a play needs at runtime but that must not be stored or
published in the clear, such as passwords or private keys. Ansible decrypts vault-encrypted
content automatically at runtime once the vault password is supplied.
In its classic form Vault works at file-level granularity: a file is either entirely encrypted or
entirely plaintext. (The ansible-vault encrypt_string command additionally encrypts a single
value, which is then embedded as a !vault-tagged scalar inside an otherwise plaintext YAML file.)
The encryption is symmetric: AES-256 in CTR mode with an HMAC-SHA256 integrity check, the
keys being derived from a user-supplied password with PBKDF2. The same password therefore
encrypts and decrypts, which is convenient, but it also means that anyone who holds the
password can read every file protected with it. While executing a playbook or task, Ansible
recognises vault-encrypted files by their header and decrypts them with the password(s) it was
given.
To create a new file encrypted with Vault, use the ansible-vault create command and pass the
name of the file you wish to create; for example, to create an encrypted YAML file called
vault.yml for sensitive variables, run ansible-vault create vault.yml.
You are asked for a password and then for its confirmation, after which an editor opens (vi/vim
by default, or whatever $EDITOR is set to). Write the sensitive data into the file and save it;
ansible-vault encrypts the contents when you close the editor. If you then look at the file,
instead of the words you typed you will see an encrypted block:
$ cat vault.yml
The first line is a header that tells Ansible how to handle the file, $ANSIBLE_VAULT;1.1;AES256
(format version and cipher); the remaining lines are the encrypted payload, hex-encoded, which is
why they appear as a block of digits and the letters a to f.
If you already have a file that you wish to encrypt with Vault, use the ansible-vault encrypt
command instead.
Again, you will be prompted to provide and confirm a password. Afterwards the message
"Encryption successful" confirms the operation. Instead of opening an editor, ansible-vault
encrypts the existing contents of the file and writes them back to disk, replacing the
unencrypted version in place.
$ cat newfile.txt
Sometimes you need to read the contents of a vault-encrypted file without editing it or writing
it to the filesystem unencrypted. The ansible-vault view command writes the decrypted contents
to standard output, which by default means they are displayed in the terminal.
You will be asked for the file's password. After entering it successfully, the contents are
displayed.
Note that the password prompt is written to the terminal together with the file contents, and
that the plaintext ends up in your terminal scrollback. Keep this in mind when using
ansible-vault view in automated processes; there, supply the password with
--vault-password-file (or --vault-id) rather than relying on the interactive prompt.
When you need to edit an encrypted file, use the ansible-vault edit command.
You will be prompted for the file's password. After entering it, Ansible opens the decrypted
file in an editor window, where you can make any necessary changes.
Upon saving, the new contents are encrypted again with the file's password and written back to
disk.
To remove the encryption from a file permanently, use the ansible-vault decrypt command. You
will be prompted for the file's encryption password; once you enter the correct one, the file is
rewritten to disk in plaintext.
Note: ansible-vault decrypt is only suggested when you really want to strip the encryption for
good. If you merely need to view or edit a vault-encrypted file, it is better to use
ansible-vault view or ansible-vault edit respectively, so that no plaintext copy is left behind.
If you need to change the password of an encrypted file, use the ansible-vault rekey command;
it asks for the current password and then for the new one, and re-encrypts the file under the
new password.
The most straightforward way of decrypting content at runtime is to have Ansible prompt you for
the password. You do this by adding --ask-vault-pass to any ansible or ansible-playbook
command. Ansible prompts for a password and uses it to decrypt every vault-protected file it
finds; a file that was encrypted under a different password fails the integrity check and the
run stops with a decryption error. For unattended runs, --vault-password-file points Ansible at a
file (or executable) that supplies the password; that file must be readable only by the account
running Ansible and must never be committed to the repository.
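Both the file layout described above (header line plus hex payload) and the runtime password check can be reproduced without Ansible installed. The following Python is an added example written for these notes, not code from the Ansible project: it parses a vault envelope into its salt, HMAC and ciphertext fields and verifies a candidate password the same way Ansible does before it decrypts anything, by deriving the HMAC key with PBKDF2-HMAC-SHA256 (10000 iterations, 80 bytes of output) and comparing the stored HMAC-SHA256 in constant time. build_envelope is a helper for this example only: it wraps a constructed byte string that is not real ciphertext so that the code runs offline; the function names are this example's own.

```python
import binascii
import hashlib
import hmac
import os

# Parameters of the ansible-vault "AES256" scheme (format versions 1.1 / 1.2):
# PBKDF2-HMAC-SHA256 with 10000 iterations yields a 32-byte AES key, a 32-byte
# HMAC key and a 16-byte counter IV; the payload carries salt, HMAC and
# ciphertext, each hex-encoded, newline-joined and hex-encoded once more.
KDF_ITERATIONS = 10000
SALT_LEN, KEY_LEN, IV_LEN = 32, 32, 16
HEADER = "$ANSIBLE_VAULT;"


def parse_vault_envelope(text):
    """Split a vault file into header fields and raw salt / hmac / ciphertext.

    Raises ValueError for anything that is not a 1.x AES256 envelope.
    """
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith(HEADER):
        raise ValueError("not an ansible-vault file (no %s header)" % HEADER)
    fields = lines[0].split(";")
    if len(fields) < 3 or fields[2] != "AES256":
        raise ValueError("unsupported header: %s" % lines[0])
    inner = binascii.unhexlify("".join(lines[1:]))  # undo the 80-column wrapping
    salt_hex, hmac_hex, ct_hex = inner.split(b"\n", 2)
    return {
        "version": fields[1],
        "cipher": fields[2],
        "vault_id": fields[3] if len(fields) > 3 else None,  # only in 1.2 headers
        "salt": binascii.unhexlify(salt_hex),
        "hmac": binascii.unhexlify(hmac_hex),
        "ciphertext": binascii.unhexlify(ct_hex),
    }


def derive_keys(password, salt):
    """Return (aes_key, hmac_key, iv) exactly as ansible-vault derives them."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                  KDF_ITERATIONS, dklen=2 * KEY_LEN + IV_LEN)
    return derived[:KEY_LEN], derived[KEY_LEN:2 * KEY_LEN], derived[2 * KEY_LEN:]


def password_unlocks(text, password):
    """True if `password` is the one that produced this envelope.

    This is the check Ansible performs before any AES decryption: recompute
    HMAC-SHA256 over the ciphertext with the derived HMAC key and compare in
    constant time. No plaintext is produced, so it is safe to run in CI.
    """
    env = parse_vault_envelope(text)
    _, hmac_key, _ = derive_keys(password, env["salt"])
    expected = hmac.new(hmac_key, env["ciphertext"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, env["hmac"])


def build_envelope(password, payload, salt=None, vault_id=None):
    """Wrap caller-supplied bytes in a syntactically valid vault envelope.

    Helper for this example only: `payload` is used as-is as the "ciphertext"
    (no AES is applied), so the result parses and authenticates but cannot be
    decrypted by ansible-vault. Real files are produced by `ansible-vault`.
    """
    salt = salt or os.urandom(SALT_LEN)
    _, hmac_key, _ = derive_keys(password, salt)
    mac = hmac.new(hmac_key, payload, hashlib.sha256).digest()
    inner = b"\n".join(binascii.hexlify(x) for x in (salt, mac, payload))
    body = binascii.hexlify(inner).decode("ascii")
    header = HEADER + ("1.2;AES256;" + vault_id if vault_id else "1.1;AES256")
    wrapped = "\n".join(body[i:i + 80] for i in range(0, len(body), 80))
    return header + "\n" + wrapped + "\n"


if __name__ == "__main__":
    # Constructed sample: fixed salt and a dummy payload standing in for ciphertext.
    sample = build_envelope("s3cret", b"constructed, not real AES-CTR output",
                            salt=bytes(range(SALT_LEN)))
    print(sample)
    print("correct password unlocks:", password_unlocks(sample, "s3cret"))
    print("wrong password unlocks:  ", password_unlocks(sample, "S3cret"))
```

Because password_unlocks never produces plaintext, it is a reasonable pre-flight step in a pipeline: confirm that the password file (or each labelled vault id) actually matches every vault file in the checkout before ansible-playbook starts, instead of discovering a stale password halfway through a run.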
3. Add the sensitive data to the role's vars file as key/value pairs, for example name: madhu.
4. Encrypt that file with ansible-vault encrypt. You are asked for a password and its
confirmation; remember this password, because it is needed every time the playbook runs.
[root@ip-172-31-18-141 vars]# ansible-vault encrypt main.yml
5. Write a playbook for your requirement and reference the encrypted variable by name, for
example {{ username }}.
$ cat roles/mail/vars/main.yml
---
username: madhu
Once the sensitive data has been written, encrypt the file with ansible-vault encrypt as in
step 4.
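The failure mode of step 4 is forgetting it: a vars file committed to the repository in plaintext. The following Python is an added example for these notes (not code from the page or from Ansible) of a pre-commit style check over a constructed in-memory checkout. The names SAMPLE_TREE, scan_file and scan_tree, the list of secret-looking key names and the sample file contents are this example's own assumptions. A whole-file vault (header on line 1), an inline !vault scalar as produced by ansible-vault encrypt_string, and a reference to another variable are accepted; a secret-looking key with a literal value is reported.

```python
import re

VAULT_HEADER = "$ANSIBLE_VAULT;"

# Heuristic (example's own list) for variable names that should never carry a
# literal value in git; extend it to match your naming conventions.
SECRET_KEY_RE = re.compile(
    r"^\s*-?\s*([A-Za-z0-9_]*(?:password|passwd|secret|token|api_key|private_key)[A-Za-z0-9_]*)"
    r"\s*:\s*(.*)$",
    re.IGNORECASE,
)


def scan_file(path, content):
    """Return (path, line_no, key) for every secret-looking key with a literal value.

    Accepted as safe: a whole-file vault (header on line 1), an inline
    `!vault |` scalar as produced by `ansible-vault encrypt_string`, and a
    reference to another variable ({{ ... }}) that is resolved elsewhere.
    """
    findings = []
    lines = content.splitlines()
    if lines and lines[0].startswith(VAULT_HEADER):
        return findings
    for line_no, line in enumerate(lines, 1):
        match = SECRET_KEY_RE.match(line)
        if not match:
            continue
        value = match.group(2).strip().strip("\"'")
        if value.startswith("!vault") or value.startswith("{{"):
            continue
        findings.append((path, line_no, match.group(1)))
    return findings


def scan_tree(files):
    """Scan a {path: content} mapping (a checkout read into memory); YAML files only."""
    findings = []
    for path in sorted(files):
        if path.endswith((".yml", ".yaml")):
            findings.extend(scan_file(path, files[path]))
    return findings


# Constructed sample checkout; the vault payloads are placeholder hex, not real ciphertext.
SAMPLE_TREE = {
    "roles/mail/vars/main.yml": "---\nusername: madhu\nmail_password: hunter2\n",
    "group_vars/all/vault.yml": "$ANSIBLE_VAULT;1.1;AES256\n3735363631303233\n",
    "host_vars/web1.yml": "db_password: !vault |\n  $ANSIBLE_VAULT;1.1;AES256\n  6161616161616161\n",
    "playbook.yml": "- hosts: nodes\n  tasks:\n    - mail:\n        password: \"{{ mail_password }}\"\n",
}

if __name__ == "__main__":
    for path, line_no, key in scan_tree(SAMPLE_TREE):
        print("%s:%d: plaintext value for %s" % (path, line_no, key))
```

Run as a pre-commit hook (read the staged files into the mapping) it fails the commit on the one finding in the sample, the unencrypted roles/mail/vars/main.yml, while leaving the encrypted and indirected files alone.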
The role's task (only a flattened fragment survives in these notes; the reconstruction below
prints the vaulted variable) and the playbook that applies the role:
---
- debug:
    msg: "{{ username }}"
---
- hosts: nodes
  become: yes
  gather_facts: False
  roles:
    - mail
Run the playbook with --ask-vault-pass. Ansible asks for the vault password at the prompt
Vault password:
Enter the password used in step 4, then check the output: the debug task prints the value that
was read from the encrypted vars file.
A second playbook from the notes mails a report. The original was flattened by extraction and is
reconstructed below; become: root is not valid (become takes yes/no, the target account is
become_user). The placeholder values ballalallallal stand for real credentials, which in practice
belong in a vault-encrypted vars file and are referenced as variables rather than written into the
playbook:
---
- hosts: nodes
  become: yes
  become_user: root
  tasks:
    # The task that produces the registered result `login` is not recoverable
    # from these notes; it ran before the debug task shown here.
    - debug:
        var: login
    - mail:
        host: smtp.gmail.com
        port: 587
        secure: starttls
        charset: utf-8
        sender: ballalallallal
        username: ballalallallal
        password: ballalallallal
        to: ballalallallal
        subject: Ansible-report