Skip to main content

ansible vault

create a vault file

$ ansible-vault create test
New Vault password: 
Confirm New Vault password: 
:
:

$ ansible-vault view test
Vault password: 
test

$ cat test 
$ANSIBLE_VAULT;1.1;AES256
34373931643530353734633238383738363430616366366463653631316362353730613165316464
3834656662626430306662333038656263613139373036640a303131396539353663383932323133
63316564623264323434326138623737326463633830623465373131646134616662363565656132
3165616239303564330a646436643339303665336333363530346636666339643561336565393434
3766

We can use vault-id option for password instead of stdin.

$ ansible-vault view --vault-id test@prompt test
Vault password (test): 
test

$ cat vaultpass.test 
password

$ ansible-vault view --vault-id test@vaultpass.test test
test

We can also encrypt/decrpt any file

$ ansible-vault decrypt --vault-id test@vaultpass.test test
Decryption successful

$ cat test 
test

$ ansible-vault encrypt --vault-id test@vaultpass.test test
Encryption successful

example for encrypt var file.

$ cat ./roles/test/vars/main.yml 
target: ansible_os_family

$ ansible-vault encrypt --vault-id test@vaultpass.test ./roles/test/vars/main.yml 
Encryption successful

$ cat ./roles/test/vars/main.yml 
$ANSIBLE_VAULT;1.2;AES256;test
33653839336162646466373262663965636561366464643634643431633639343437633166636137
3236636535383832383932353865396630313266366264360a363134333532393038396561323137
30643734663961363561666461326362373035623131663637383636346633393737636234316163
3463663838626334660a616564343730343561656335343534353161666430313731376631623634
65643135323666303430616331666165656131373639393936333731626131653764

ansible-playbook example using encrypted file.

$ cat ./roles/test/tasks/main.yml 
- name: print ansible facts
  debug:
    var: "{{ target }}"

$ cat hosts 
[test]
localhost ansible_connection=local

$ ansible-playbook -i hosts --vault-id test@vaultpass.test --list-tasks test.yml 

playbook: test.yml

  play #1 (test): ansible vault test    TAGS: []
    tasks:
      test : print ansible facts    TAGS: []


$ ansible-playbook -i hosts --vault-id test@vaultpass.test test.yml 

PLAY [ansible vault test] *****************************************************************************************************

TASK [Gathering Facts] ********************************************************************************************************
ok: [localhost]

TASK [test : print ansible facts] *********************************************************************************************
ok: [localhost] => {
    "ansible_os_family": "Debian"
}

PLAY RECAP ********************************************************************************************************************
localhost                  : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0