Secrets¶

Secret variables are encrypted using Ansible Vault as a string or the entire file is encrypted. My preference is to encrypt files or strings using a vault password file.

Config¶

Set the vault_password_file variable in the ansible.cfg so you don't need to specify the file, --vault-password-file, with every command.

[defaults]
vault_password_file = ./.vault_pass

Vault Password File¶

To create a new vault password file, use the task init command:

task init

openssl rand -hex 64 > .vault_pass
chmod 600 .vault_pass

This will create a .vault_pass file in the root directory. This file should be kept secret and is used to encrypt/decrypt sensitive variables. The .vault_pass file is encrypted using SOPS.

To encrypt the .vault_pass file for later use:

task encrypt

sops -e .vault_pass > .vault_pass.enc

To decrypt the .vault_pass.enc file:

task decrypt

sops -d .vault_pass.enc > .vault_pass
chmod 600 .vault_pass

String¶

Encrypt a secret variable as a string to use in a playbook.

ansible-vault encrypt_string "long-token-secret" --name "token_secret"

Copy the output to a playbook to use the variable.

# password file .vault_pass
token_secret: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          63356539313533663964636139333037386262616239373638333136643834303631653139633437
          6562613738653338613134343635383639363237343833390a353364373034383664343661316339
          64333066646635396134323334336164633965373830666665353431326338363131386530383631
          3939643133346134300a393136636137326431303965353537386665323766313464666331333337
          62326331663361376632393331396439383666333739323766316432393761666561356266643938
          3165353364633639326632336539313466343531363431373465

File¶

Encrypt the secrets file using Ansible Vault.

ansible-vault encrypt "./inventory/group_vars/all.yaml"

Edit the secrets file.

task ve

ansible-vault edit "./inventory/group_vars/all.yaml"

References¶

• https://docs.ansible.com/ansible/latest/vault_guide/index.html