Ansible Vault

I've been reluctant to start using Ansible Vault because it meant having another password to manage, but if you have secrets (API keys and the like) that need to be deployed and your code is saved in a repository (even a company-only repo), Vault is a good option to keep your secrets hidden.

You may be better served by reading , Ansible's very good documentation on the subject. What follows is a condensation of the commands and the relatively simple methodology I've settled on for a mostly hands-off way of dealing with new passwords.

$ ansible-vault create crypt.yml

This creates a new encrypted (AES256, shared secret) file, and opens it to edit with $EDITOR after prompting you for a password. So it's a good idea to add something like:

# in your ~/.bashrc and/or ~/.profile
export EDITOR=nvim

I'm a dedicated fan of Neovim but you may want to use vim, emacs, or - god forbid - nano.

To edit the file after it's created:

$ ansible-vault edit crypt.yml

Note that once the file is encrypted, the only way to edit it is with this command: you'll be reminded if you try to open it with a regular $EDITOR command, as you'll see encryption preamble and a very long string of digits.

So what goes in crypt.yml? Whatever you want, including entire tasks. Its main purpose is to allow secrets to be committed to a version control system without making them publicly available - only the people who need to deploy the secrets will have the ansible-vault key. I get the impression that generally you encrypt just enough to include secrets:

# tasks/main.yml ... an unencrypted file

- name: get encrypted variables
  include_vars: crypt.yml

- debug: "{{ super_secret_1 }}"
# tasks/crypt.yml ... our ansible-vault-encrypted file

super_secret_1: "secret encrypted var #1"
super_secret_2: "secret encrypted var #2"

I really don't want to have to remember or go digging for another password every time I run a playbook. Happily, the Ansible set of tools will read the password from a file placed in an environment variable. export ANSIBLE_VAULT_PASSWORD_FILE=~/.ansible-vault/vault.txt, where ~/.ansible-vault/vault.txt contains just the password you were prompted for when you created your crypted file. I would strongly recommend running chmod 600 ~/.ansible-vault/, and also be sure that you're not committing that folder to a repository. Now this file gets transferred to the computers of those on your team who need it.

A further refinement I'm using is to only export ANSIBLE_VAULT_PASSWORD_FILE=... as part of a deploy script (a shell script wrapper around an ansible-playbook call), so that the password is part of a specific Ansible project rather than a universal password. It's my intent to have multiple files in ~/.ansible-vault/, each tied to a project.

$ ansible-vault --help
Usage: ansible-vault [create|decrypt|edit|encrypt|rekey|view] [--help] [options] vaultfile.yml

  --ask-vault-pass      ask for vault password
  -h, --help            show this help message and exit
                        new vault password file for rekey
  --output=OUTPUT_FILE  output file name for encrypt or decrypt; use - for
                        vault password file
  -v, --verbose         verbose mode (-vvv for more, -vvvv to enable
                        connection debugging)
  --version             show program's version number and exit
ERROR! Missing required action

The subcommand encrypt can be used to encrypt an existing file. Similarly, decrypt decrypts a file you no longer wish to have encrypted. rekey is, not surprisingly, for changing the password on an encrypted file.