How to use Ansible Vault to Protect Ansible Playbooks

This post explains Ansible Vault. By the end of this document, you will understand what Ansible Vault is, how to encrypt Ansible playbooks, how to decrypt them, how to view and edit them when required, and how to set a new Ansible Vault password.
In the previous posts, we explained the topics below. Refer to those posts to understand this topic from the basics.

1. What is Ansible, How Ansible works, Ansible Introduction, Ansible Basic Tutorials
2. Ansible Inventory Introduction - Ansible Beginner Tutorials
3. Ansible Ad hoc Commands - Ansible Tutorial for Beginners
4. Managing Ansible Configuration Files Explained with Examples
5. Understanding Ansible Playbook - Write your First Playbook
6. Ansible Roles Explained with Examples - Ansible Tutorials
7. How to use Ansible Vault to Protect Ansible Playbooks

Let's get started.

What is Ansible Vault?


Ansible Vault is a feature of Ansible that allows us to protect sensitive data in playbooks with encryption, such as data files, usernames, passwords and configurations.

If an Ansible playbook is encrypted, even an Ansible administrator cannot read it in any editor without providing a valid vault password. It is not publicly visible.

Let's take an example playbook.


The Ansible playbook below is used for user creation. The username, the password and the agreement to be copied to the home directory are specified in clear text, so anybody can view this information.
[root@learnitguide.net ansible]# cat users.yml
---
- hosts: clients
  tasks:
  - name: Adding Users
    user:
     name: john
     password: john@123
     comment: "John Ben"
     shell: /bin/bash
     group: apache
     createhome: yes
     home: /home/john
  - name: Copying Confidential Agreement
    copy:
     content: "Its a Confidential Agreement between an Employee & Employer new\n"
     dest: /home/john/Agreement
Let's see how to encrypt it with Ansible Vault to protect the sensitive data, and what happens after encryption.

How to encrypt the Ansible Playbook

Use the "encrypt" option with the ansible-vault command. Enter the vault password you wish to set for the playbook users.yml twice. This password applies only to this file.
[root@learnitguide.net ansible]# ansible-vault encrypt users.yml
New Vault password:
Confirm New Vault password:
Encryption successful
Yes, "users.yml" is encrypted.

Now, if anyone tries to open the protected file with a normal editor, they cannot read it, because it is encrypted.
[root@learnitguide.net ansible]# cat users.yml
$ANSIBLE_VAULT;1.1;AES256
61663736643362356533646434663830356534646435373164626230633436396666646332393538
3333353735356363663237323034336465633939346536330a313435666439323936306435313830
33313736303432303463636137623064626238333434613037346538663332383663363431613465
3236633939613836360a323335303263626163303532626334663530316137636535313834613237
So once a playbook is encrypted with the ansible-vault command, you have to use the ansible-vault command to manage the encrypted file, as below.

How to view the encrypted playbook file?
Use the "view" option with the ansible-vault command and enter the vault password.
[root@learnitguide.net ansible]# ansible-vault view users.yml
Vault password:
---
- hosts: clients
  tasks:
  - name: Adding Users
    user:
     name: john
     password: john@123
     comment: "John Ben"
     shell: /bin/bash
     group: apache
     createhome: yes
     home: /home/john
  - name: Copying Confidential Agreement
    copy:
     content: "Its a Confidential Agreement between an Employee & Employer new\n"
     dest: /home/john/Agreement
How to edit the encrypted playbook file?
Use the "edit" option with the ansible-vault command and enter the vault password. This will use the default editor set in your user environment.
[root@learnitguide.net ansible]# ansible-vault edit users.yml
Vault password:
Once you have made the changes, save and exit the file.

How to run an encrypted Ansible playbook file?
If a playbook is encrypted, we cannot run ansible-playbook as we normally do. Otherwise you get an error as below.
[root@learnitguide.net ansible]# ansible-playbook users.yml
ERROR! Attempting to decrypt but no vault secrets found
Instead, we can use the argument "--ask-vault-pass" to provide the vault password, or save the vault password in a file and pass that file using the argument "--vault-password-file".

1. Using the argument "--ask-vault-pass"
[root@learnitguide.net ansible]# ansible-playbook users.yml --ask-vault-pass
Vault password:
Enter the vault password when prompted to run the Ansible playbook.

2. Using the argument "--vault-password-file"
Before running, save your vault password in a file and run the playbook again.
[root@learnitguide.net ansible]# cat vault-passwd
redhat
The vault password is stored in a file called vault-passwd.
[root@learnitguide.net ansible]# ansible-playbook users.yml --vault-password-file /root/ansible/vault-passwd
This time the vault password is taken from the file you provided, so it won't prompt you to enter the vault password.

If you are not allowed to store the password in clear text, use only the "--ask-vault-pass" argument.
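
Where a password file is used, it holds the vault password in clear text, so its permissions matter. The following is an added example, not part of the original post: it creates the file readable only by its owner and checks it before it is handed to "--vault-password-file". The function names are hypothetical and GNU coreutils "stat -c" is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): create and vet the file that
# is passed to --vault-password-file. Assumes GNU coreutils "stat -c".

# create_vault_pwfile FILE
#   writes the password read from stdin to a new file readable only by its
#   owner; refuses to overwrite an existing file (noclobber)
create_vault_pwfile() {
    ( umask 077 && set -C && cat > "$1" )
}

# vault_pwfile_ok FILE
#   returns 0 only for a non-empty regular file owned by the caller with
#   mode 600 or 400; prints the reason for a refusal on stderr
vault_pwfile_ok() {
    if [ -L "$1" ] || [ ! -f "$1" ]; then
        echo "refusing $1: not a regular file" >&2; return 1
    fi
    if [ ! -s "$1" ]; then
        echo "refusing $1: file is empty" >&2; return 1
    fi
    if [ "$(stat -c %u "$1")" != "$(id -u)" ]; then
        echo "refusing $1: not owned by the current user" >&2; return 1
    fi
    mode=$(stat -c %a "$1")
    case $mode in
        # No group/other access, and no execute bit: Ansible runs an
        # executable password file as a script instead of reading it.
        600|400) return 0 ;;
        *) echo "refusing $1: mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
}

# run_playbook PWFILE PLAYBOOK
#   hypothetical wrapper: runs the playbook only when the check passes
run_playbook() {
    vault_pwfile_ok "$1" && ansible-playbook "$2" --vault-password-file "$1"
}
```

The password is read from standard input, so it does not appear in the command line or in shell history.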

How to change the existing vault password?

Use the "rekey" option with the ansible-vault command. Enter the old vault password, then enter the new password twice.
[root@learnitguide.net ansible]# ansible-vault rekey users.yml
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful
The new vault password is set.

How to decrypt the protected ansible playbook file?

Use the "decrypt" option with the ansible-vault command.
[root@learnitguide.net ansible]# ansible-vault decrypt users.yml
Vault password:
Decryption successful
Now the playbook is decrypted.
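
After "decrypt", the playbook sits on disk in clear text again until it is re-encrypted. The following is an added example, not part of the original post: it checks that files still carry the "$ANSIBLE_VAULT" header and hex body shown in the encrypted output earlier, and can serve as a gate before committing or sharing them. The function names are hypothetical, and format versions 1.1 and 1.2 are the ones accepted.

```shell
#!/bin/sh
# Added example (not from the original post): report whether files still
# carry a well-formed Ansible Vault envelope.

# vault_status FILE
#   prints "encrypted <version> <cipher>", "plaintext", "malformed" or "missing"
#   returns 0 only for a well-formed vault file
vault_status() {
    [ -f "$1" ] || { echo "missing"; return 3; }
    header=$(head -n 1 "$1")
    case $header in
        '$ANSIBLE_VAULT;'*) ;;
        *) echo "plaintext"; return 1 ;;
    esac
    # Header layout: $ANSIBLE_VAULT;<format version>;<cipher>[;<vault id>]
    rest=${header#*;}
    version=${rest%%;*}
    rest=${rest#*;}
    cipher=${rest%%;*}
    case $version in
        1.1|1.2) ;;                       # 1.2 adds the vault id field
        *) echo "malformed"; return 2 ;;
    esac
    [ "$cipher" = "AES256" ] || { echo "malformed"; return 2; }
    # The body must be non-empty and contain only lowercase hex digits.
    body=$(tail -n +2 "$1" | tr -d '\n')
    case $body in
        ''|*[!0-9a-f]*) echo "malformed"; return 2 ;;
    esac
    echo "encrypted $version $cipher"
}

# require_encrypted FILE...
#   returns 0 only if every listed file is a well-formed vault file;
#   names the others on stderr (usable as a pre-commit or CI gate)
require_encrypted() {
    rc=0
    for p in "$@"; do
        if ! s=$(vault_status "$p"); then
            echo "NOT PROTECTED: $p ($s)" >&2
            rc=1
        fi
    done
    return $rc
}
```

The check only inspects the envelope; it does not prove the file can be decrypted with a given password.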

Hope you have got an idea about using Ansible Vault to protect sensitive data.
Keep practicing and have fun.