Ansible Vault is a feature within Ansible that allows you to keep sensitive data such as passwords, API keys, and certificates encrypted within your playbooks. This ensures that your sensitive information is not exposed in plaintext.
Step 1: Test Connection to Hosts
First, ensure you can connect to your hosts using Ansible:
ansible all -i inventory.ini -m ping
Step 2: Create a Vault File
Next, create a YAML file to store your sensitive data:
vi vault.yaml
Add your variables (e.g., username and password) inside this file:
You can check the content of the file with:
cat vault.yaml
Step 3: Create a Playbook
Create a playbook (pass.yaml) that references the vault file:
vi pass.yaml
Include the following content in your playbook:
- hosts: all
  remote_user: ubuntu
  become: yes
  vars_files:
    - vault.yaml
  tasks:
    - name: Trying out echo command
      # Demo only: this prints the vaulted values in the play output.
      debug:
        msg: "Hello my username is {{ username }} & pass is {{ password }}"
Step 4: Run the Playbook
Run the playbook to verify that it works with the variables from the vault file:
ansible-playbook -i inventory.ini pass.yaml
Step 5: Encrypt the Vault File
To protect your sensitive data, encrypt the vault.yaml file:
ansible-vault encrypt vault.yaml
You can check that the file is encrypted by running:
cat vault.yaml
Step 6: Run the Playbook with Encrypted Vault
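With the vault file encrypted, you can still run your playbook as usual, provided Ansible can find the vault password on its own (for example through vault_password_file in ansible.cfg or the ANSIBLE_VAULT_PASSWORD_FILE environment variable). Without a password source, the run fails because vault.yaml cannot be decrypted: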
ansible-playbook -i inventory.ini pass.yaml
Alternatively, if you want to be prompted for the vault password at runtime, use:
ansible-playbook -i inventory.ini pass.yaml --ask-vault-password
Step 7: View the Encrypted Vault
If you need to view the contents of the encrypted vault, use:
ansible-vault view vault.yaml
Step 8: Decrypt the Vault File
To decrypt the vault file, run:
ansible-vault decrypt vault.yaml
Finally, verify the decryption by checking the content of the file:
cat vault.yaml
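After Step 8 the file is plaintext again, so the manual cat check from Step 5 is worth automating before anything is committed. The following is an added example, not part of the original tutorial: a POSIX shell check that recognises the vault header and hex payload without needing the vault password. The function names (vault_status, require_encrypted, make_samples) and the sample file contents are constructed for illustration.

```sh
# Vault file layout: a header line
#   $ANSIBLE_VAULT;<format version>;<cipher>[;<vault id label>]
# followed by hex-encoded payload lines.

# Prints "encrypted <version> <cipher>" and returns 0 for a vault file;
# otherwise prints the reason and returns 1.
vault_status() {
    [ -r "$1" ] || { echo "unreadable"; return 1; }
    vs_header=$(head -n 1 "$1")
    case "$vs_header" in
        '$ANSIBLE_VAULT;'?*';'?*) ;;
        *) echo "plaintext"; return 1 ;;
    esac
    vs_rest=${vs_header#*;}     # drop the marker
    vs_version=${vs_rest%%;*}
    vs_rest=${vs_rest#*;}       # drop the version
    vs_cipher=${vs_rest%%;*}    # ignore the optional vault id label
    # Payload must exist and be hex only; anything else means the file was
    # truncated or edited by hand after encryption.
    if ! tail -n +2 "$1" | grep -q '[0-9a-fA-F]' ||
         tail -n +2 "$1" | grep -q '[^0-9a-fA-F]'; then
        echo "corrupt-payload"; return 1
    fi
    echo "encrypted $vs_version $vs_cipher"
}

# Gate for a pre-commit hook or CI job: returns 1 if any listed file is
# not a well-formed vault file, naming each offender on stderr.
require_encrypted() {
    re_rc=0
    for re_file in "$@"; do
        re_state=$(vault_status "$re_file") ||
            { echo "NOT ENCRYPTED ($re_state): $re_file" >&2; re_rc=1; }
    done
    return "$re_rc"
}

# Constructed sample files; the hex is filler, not real ciphertext.
make_samples() {
    printf '%s\n' 'username: admin' 'password: example' > "$1/plain.yaml"
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '3631323334353637' \
        '3839306162' > "$1/encrypted.yaml"
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '3631323334' \
        'password: example' > "$1/tampered.yaml"
}

demo_dir=$(mktemp -d) && make_samples "$demo_dir"
require_encrypted "$demo_dir"/*.yaml || echo "commit blocked"
rm -rf "$demo_dir"
```

In a real repository, call require_encrypted with the paths of your vault files (here vault.yaml) from a pre-commit hook or CI step. Files that are plaintext YAML with individually encrypted values are reported as plaintext by this check.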
Conclusion
Following these steps, you can effectively use Ansible Vault to manage and secure sensitive data in your playbooks.