Vault

We will use Ansible Vault to encrypt all of our sensitive information AND to make sure our playbooks stay automated. I'm not saying this is the only way, but this is how I keep my playbooks automated without having to enter any credentials.

Let's create a new master ansible-vault key. This will be stored as a hidden file within your home directory:

vim .vault.key

s3cr3T1

From the ansible.cfg in Module 1, we'll now un-comment the vault_password_file directive:

vim ansible.cfg

[defaults]
host_key_checking = False
log_path = ~/ansible_lab
vault_password_file = .vault.key

Now you may create new files with ansible-vault create <filename>. This creates the new file and opens it in vim; the file is encrypted with the passphrase from the .vault.key file we generated above.

To encrypt an existing file, run ansible-vault encrypt <filename>; you will be prompted for the new passphrase.

Note

If you configure vault_password_file, its contents are used automatically as the passphrase and you will NOT be prompted.

Some useful vault commands:

ansible-vault edit <filename> decrypts the file and opens it in vim
ansible-vault decrypt <filename> returns the file to plain text
ansible-vault rekey <filename> assigns a new passphrase to the file; again, see the Note above on vault_password_file

Experimentation

Now let's build a playbook and an encrypted file to show Vault in action:

vim vault_play.yml

vault_play.yml
---
- hosts: all
  connection: local

  tasks:

  - name: Debug variables
    ansible.builtin.debug:
        msg:
          - "{{ \"This is var1: \" + var1 }}"
          - "{{ \"This is var2: \" + var2 }}"

And now for the file we will encrypt:

ansible-vault create vault_test.yml

vault_test.yml
---
var1: "is var one"
var2: "is var two"

Let's view our newly created and encrypted file:

cat vault_test.yml

Fig 3: the encrypted vault_test.yml as shown by cat (image: ansibleVault.png)
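The cat output above is the Ansible Vault 1.1 envelope: a $ANSIBLE_VAULT header line followed by hex text. The script below is an added example, not part of the original module or of Ansible itself; it parses that envelope and checks, without decrypting, that the passphrase from .vault.key (s3cr3T1) is the one the file was encrypted with, by recomputing the HMAC the way Vault does (PBKDF2-HMAC-SHA256, 10000 rounds, HMAC-SHA256 over the ciphertext). The function names are mine, and make_sample_vault builds a constructed sample whose ciphertext is random filler, so it authenticates but cannot be decrypted.

```python
import binascii, hashlib, hmac, os

HEADER = "$ANSIBLE_VAULT"


def parse_vault(text):
    """Split a Vault 1.1/1.2 envelope into its parts without decrypting.
    Layout: '$ANSIBLE_VAULT;<ver>;AES256[;vault-id]' header, then the hex of
    'hex(salt)\\nhex(hmac)\\nhex(ciphertext)' wrapped at 80 columns."""
    lines = text.strip().splitlines()
    fields = lines[0].split(";")
    if len(fields) < 3 or fields[0] != HEADER or fields[2] != "AES256":
        raise ValueError("not an AES256 Ansible Vault envelope")
    salt_hex, mac_hex, ct_hex = binascii.unhexlify("".join(lines[1:])).split(b"\n")
    return {"version": fields[1],
            "vault_id": fields[3] if len(fields) > 3 else None,
            "salt": binascii.unhexlify(salt_hex),
            "hmac": binascii.unhexlify(mac_hex),
            "ciphertext": binascii.unhexlify(ct_hex)}


def derive_keys(password, salt):
    """Vault 1.1 KDF: PBKDF2-HMAC-SHA256, 10000 rounds, 80 bytes split into
    key1 (AES-256 key), key2 (HMAC key) and the 16-byte CTR IV."""
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, 10000, dklen=80)
    return dk[:32], dk[32:64], dk[64:]


def password_matches(text, password):
    """True only if `password` is the passphrase the file was vaulted with:
    recompute HMAC-SHA256(key2, ciphertext) and compare in constant time.
    Useful in CI to prove .vault.key still opens a file before a play runs."""
    v = parse_vault(text)
    _, key2, _ = derive_keys(password, v["salt"])
    expected = hmac.new(key2, v["ciphertext"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, v["hmac"])


def make_sample_vault(password, n_blocks=2):
    """CONSTRUCTED sample: genuine salt/KDF/HMAC layout, but the ciphertext is
    random filler (AES-CTR is not in the stdlib), so it will never decrypt."""
    salt = os.urandom(32)
    _, key2, _ = derive_keys(password, salt)
    ciphertext = os.urandom(16 * n_blocks)   # PKCS7-padded CTR output is block-sized
    mac = hmac.new(key2, ciphertext, hashlib.sha256).digest()
    inner = b"\n".join(binascii.hexlify(p) for p in (salt, mac, ciphertext))
    hexbody = binascii.hexlify(inner).decode()
    wrapped = "\n".join(hexbody[i:i + 80] for i in range(0, len(hexbody), 80))
    return f"{HEADER};1.1;AES256\n{wrapped}\n"
```

Feed password_matches the real vault_test.yml and the bytes of .vault.key (Ansible strips the trailing newline from the password file, so do the same) to confirm the key on disk still matches the file.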

Now to run our play we will use the command below: localhost is the only inventory member, vault_play.yml is our play file, and the encrypted vars file is passed in as an external variables file with -e @vault_test.yml.

ansible-playbook -i "localhost," vault_play.yml -e "@vault_test.yml"
Fig 4: output of the ansible-playbook run above, with var1 and var2 decrypted (image: vault_play.png)

Playbooks

Now that some basics are covered with vault, I will cover how to implement vault with automated playbooks.

Create a become (sudo) password file to encrypt. Remember that this is a YAML file, and Vault will expect it in dictionary format, key: value:

vim pass.yml

---
sudo_become: "S3creT!"

Standard playbook call without Vault: from Module 1, the -b switch is Become and -K asks for the become password. Not very automated at all if you have to sit at the keyboard:

ansible-playbook -i inventory someplay.yml -b -K

With Ansible Vault and a modification to your inventory file like the one below, the play runs without prompting. Notice that my KVM hypervisor group [kvm_hv] has a variable section [kvm_hv:vars] attached. Let's evaluate our playbook again.

Inventory host variable:

[kvm_hv]
localhost

[kvm_hv:vars]
ansible_become_pass="{{ sudo_become }}"

Ansible Play:

ansible-playbook -i inventory someplay.yml -e "@pass.yml"