Ansible - Encrypting Sensitive Data with Vault

Ansible Vault is a feature within Ansible that allows you to keep sensitive data such as passwords, API keys, and certificates encrypted within your playbooks. This ensures that your sensitive information is not exposed in plaintext.

Step 1: Test Connection to Hosts

First, ensure you can connect to your hosts using Ansible:

ansible all -i inventory.ini -m ping

Step 2: Create a Vault File

Next, create a YAML file to store your sensitive data:

vi vault.yaml

Add your variables (e.g., username and password) inside this file:

You can check the content of the file with:

cat vault.yaml

Step 3: Create a Playbook

Create a playbook (pass.yaml) that references the vault file:

vi pass.yaml

Include the following content in your playbook:

- hosts: all
  remote_user: ubuntu
  become: yes
  vars_files:
    - vault.yaml

  tasks:
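    # Demo only: this task prints the secret to the console and any Ansible log.
    # Real tasks that handle secrets should set no_log: true instead.
    - name: Trying out echo command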
      debug:
        msg: "Hello my username is {{ username }} & pass is {{ password }}"

Step 4: Run the Playbook

Run the playbook to verify that it works with the variables from the vault file:

ansible-playbook -i inventory.ini pass.yaml

Step 5: Encrypt the Vault File

To protect your sensitive data, encrypt the vault.yaml file. The command prompts you to set and confirm a vault password:

ansible-vault encrypt vault.yaml

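You can check that the file is encrypted by running the command below. The output should now start with a $ANSIBLE_VAULT;1.1;AES256 header line followed by hexadecimal text instead of your variables: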

cat vault.yaml

Step 6: Run the Playbook with Encrypted Vault

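Even with the vault file encrypted, you can still run your playbook as usual. Ansible decrypts vault.yaml in memory at run time, but it needs the vault password to do so, so the plain command works only when a password source is already configured (for example vault_password_file in ansible.cfg or the ANSIBLE_VAULT_PASSWORD_FILE environment variable). Without one, the run stops with a decryption error:

ansible-playbook -i inventory.ini pass.yaml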

Alternatively, if you want to be prompted for the vault password at runtime, use:

ansible-playbook -i inventory.ini pass.yaml --ask-vault-password

Step 7: View the Encrypted Vault

If you need to view the contents of the encrypted vault, use:

ansible-vault view vault.yaml

Step 8: Decrypt the Vault File

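To decrypt the vault file, run the command below. This rewrites vault.yaml in plaintext on disk, so encrypt it again before committing or sharing the file: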

ansible-vault decrypt vault.yaml

Finally, verify the decryption by checking the content of the file:

cat vault.yaml
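
The manual cat check from Step 5 can be automated, for example as a pre-commit or CI guard that also catches a vault.yaml left decrypted after Step 8. The script below is an added example, not part of the original tutorial; the function names and sample files are constructed for illustration, and it assumes the standard vault envelope (a $ANSIBLE_VAULT header line followed by hex text).

```shell
#!/bin/sh
# Added example (not from the original page): fail when a file that should be
# vault-encrypted is sitting on disk in plaintext.

# Return 0 if FILE is an ansible-vault envelope: first line
# "$ANSIBLE_VAULT;1.1;AES256" (or 1.2 plus a vault-id label), body hex only.
is_vault_encrypted() {
    ive_file=$1
    ive_header=
    [ -r "$ive_file" ] || return 1
    IFS= read -r ive_header < "$ive_file" || [ -n "$ive_header" ] || return 1
    case $ive_header in
        '$ANSIBLE_VAULT;1.1;AES256' | '$ANSIBLE_VAULT;1.2;AES256;'?*) ;;
        *) return 1 ;;
    esac
    # The body must exist and contain nothing but hex digits.
    tail -n +2 "$ive_file" | grep -q . || return 1
    if tail -n +2 "$ive_file" | grep -qv '^[0-9a-fA-F]*$'; then
        return 1
    fi
    return 0
}

# Report every argument that is not encrypted; return 1 if any was found.
check_vault_files() {
    cvf_rc=0
    for cvf_file in "$@"; do
        if ! is_vault_encrypted "$cvf_file"; then
            printf 'PLAINTEXT (run ansible-vault encrypt): %s\n' "$cvf_file" >&2
            cvf_rc=1
        fi
    done
    return "$cvf_rc"
}

# Constructed sample files: the hex below is filler, not real ciphertext.
make_samples() {
    printf 'username: demo_user\npassword: demo_pass\n' > "$1/plain.yaml"
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' \
        '3031323334353637383961626364656630313233' > "$1/sealed.yaml"
}

sample_dir=$(mktemp -d)
make_samples "$sample_dir"
check_vault_files "$sample_dir/sealed.yaml" && echo "sealed.yaml: ok"
check_vault_files "$sample_dir/plain.yaml" || echo "plain.yaml: rejected"
rm -rf "$sample_dir"
```

In a real repository, call check_vault_files with the paths you expect to be encrypted (vault.yaml in this tutorial) and let its non-zero exit status block the commit or pipeline.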

Conclusion

Following these steps, you can effectively use Ansible Vault to manage and secure sensitive data in your playbooks.