How to Use Ansible Vault to Protect Playbooks


Dear Readers,

In this article, we will see how to use Ansible Vault to protect playbooks.

What is Vault in Ansible?

  • Ansible Vault is a feature of Ansible that allows you to keep sensitive data such as passwords or keys in encrypted files, rather than as plain text in playbooks or roles.
  • This provides the ability to secure any secrets or sensitive data that is necessary to run Ansible plays successfully but should not be publicly visible, such as private keys or passwords.
  • Ansible automatically decrypts the vault-encrypted content at run time when the key is provided.
  • Ansible Vault is implemented with file-level granularity.
  • It means files are either entirely encrypted or unencrypted.
  • It uses the AES256 algorithm to provide symmetric encryption keyed to a user-supplied password.
  • This means the same password is used to encrypt and decrypt the content, which is helpful from a usability standpoint.
  • Ansible can identify and decrypt any vault-encrypted files it finds while executing a task or playbook.

Steps to Follow

  1. Create a new Encrypted playbook “kt-vault.yml”.
  2. Edit the Encrypted playbook “kt-vault.yml”.
  3. Change the Vault password for the encrypted playbook “kt-vault.yml”.
  4. Decrypt the playbook “kt-vault.yml”.
  5. Encrypt Existing Playbook “kt-target.yml”.
  6. Decrypt the playbook “kt-target.yml”.
  7. Running a playbook “kt-tasks.yml” with Vault.

1. Create a new Encrypted playbook “kt-vault.yml”

To create a new playbook encrypted with Vault, use the ansible-vault create command and pass the playbook name.
You will be prompted to enter and confirm a password.
When you have confirmed your password, Ansible will immediately open an editing window where you can write your code, then save and exit.

Note
:wq! saves the file and quits the editor.

The playbook has been encrypted successfully.

Test the Encrypted Playbook “kt-vault.yml”

I am trying to open the encrypted playbook “kt-vault.yml” by using the cat command.
We are unable to see the content of the playbook “kt-vault.yml” because Ansible has encrypted the content.

Note

We are unable to edit/modify the playbook, because we have encrypted the playbook recently.
If you want to edit/modify the playbook, you should use the command below and provide the password for that playbook.

2. Edit the Encrypted playbook “kt-vault.yml”

When you need to edit an encrypted file, use the ansible-vault edit command.
You’ll be prompted to insert the vault password.
The file (decrypted version) will open in the vi editor, and then you can make the required changes.

Note
:wq! saves the file and quits the editor.

If you check the output, you’ll see your text will be encrypted automatically when you save and close.

Test the Encrypted Playbook “kt-vault.yml”

Viewing Encrypted Playbook “kt-vault.yml”

If you wish to just view an encrypted file, you can use the ansible-vault view command.
Again you’ll be prompted for a password.

3. Change the Vault password for the encrypted playbook “kt-vault.yml”

Use ansible-vault rekey to change the vault password.
You’ll be prompted for the vault’s current password, then the new password, and finally to confirm the new password.

4. Decrypt the playbook “kt-vault.yml”

To decrypt a vault encrypted file, use the ansible-vault decrypt command.
You will be prompted for the encryption password for the file. Once you enter the correct password, the file will be decrypted:

Test the Decrypted Playbook “kt-vault.yml”

Use the cat command to see the content of the decrypted playbook “kt-vault.yml”.

5. Encrypt Existing Playbook “kt-target.yml”

Use ansible-vault encrypt to encrypt the existing playbook.
Again, you will be prompted to provide and confirm a password. Afterwards, a message will confirm the encryption.

Test the Encrypted Playbook “kt-target.yml”

Use the cat command to see the content of the encrypted playbook.

Viewing Encrypted Playbook “kt-target.yml”

If you wish to just view an encrypted file, you can use the ansible-vault view command.
Again you’ll be prompted for a password.

6. Decrypt the playbook “kt-target.yml”

To decrypt a vault encrypted file, use the ansible-vault decrypt command.
You will be prompted for the encryption password for the file. Once you enter the correct password, the file will be decrypted.

Test the Decrypted Playbook “kt-target.yml”

Use the cat command to see the content of the decrypted playbook “kt-target.yml”.

7. Running a playbook “kt-tasks.yml” with Vault

Use the command below to run a playbook with the vault.
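
Because Vault encrypts whole files and ansible-vault decrypt (steps 4 and 6) leaves the playbook in plain text on disk, a check on the first line of each file can confirm which ones are still encrypted before they are committed or shared. This is an added example, not part of the original article: the function names is_vault_encrypted, find_plaintext and make_samples are hypothetical, and the sample files are constructed (the payload is not real ciphertext).

```shell
#!/bin/sh
# Added example: list files that are NOT vault-encrypted, e.g. a playbook left
# in plaintext by `ansible-vault decrypt`, before it is committed or shared.

# Vault encrypts whole files and writes a header as the first line:
#   $ANSIBLE_VAULT;1.1;AES256            (1.2 appends ";<vault-id label>")
# Status: 0 = encrypted, 1 = plaintext or empty, 2 = file not found.
is_vault_encrypted() {
    [ -f "$1" ] || return 2
    _first=
    IFS= read -r _first < "$1" || [ -n "$_first" ] || return 1
    _first=$(printf '%s' "$_first" | tr -d '\r')   # tolerate CRLF checkouts
    case $_first in
        '$ANSIBLE_VAULT;1.1;AES256' | '$ANSIBLE_VAULT;1.2;AES256;'?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print each argument that is not vault-encrypted; status 1 if any was found.
find_plaintext() {
    _rc=0
    for _f in "$@"; do
        is_vault_encrypted "$_f" || { printf '%s\n' "$_f"; _rc=1; }
    done
    return "$_rc"
}

# Constructed samples named after the article's files. The payload line is
# made-up hex, not real ciphertext; the password value is a placeholder.
make_samples() {
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '36316566613562383334' \
        > "$1/kt-vault.yml"
    printf '%s\n' '---' '- hosts: all' '  vars:' '    db_password: example-only' \
        > "$1/kt-target.yml"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "Not vault-encrypted:"
find_plaintext "$demo_dir"/*.yml || true
rm -rf "$demo_dir"
```

Called from a pre-commit hook with the paths that must stay encrypted, a non-zero status from find_plaintext can be used to block the commit.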

Thank you for giving your valuable time to read the above information.
Note: Please test scripts in Non Prod before trying in Production.