Handle sensitive data in Ansible
by sij
First we need a file which contains the secrets. In my example the file is called “secrets_demo.enc” and originally contains the following content:
sql_root_pw: Sup3rStr0ng
another_sql_pw: notThatSecure
This file needs to be encrypted with ansible-vault:
ansible-vault encrypt secrets_demo.enc
New Vault password:
Confirm New Vault password:
Encryption successful
Afterwards, the file looks like the following:
$ANSIBLE_VAULT;1.1;AES256
33356535376533383633396561346461623262633966343334343133333738373534333066633964
6364633939363163366235353662306665323461313365340a303834373564656464343332373137
62633963323765343339643466366438376138663932623536663838326634323138633165343539
3435313930323831320a633633333534653634366464616635393864653066626337613234316237
32653461356565316161303234326562643966653236356338653364616364366235666434323537
36666636343534633530336235663335653438623961616238383334633036623735393266633865
623036353162613532336130316330343030
In Ansible playbooks the passwords can be used like “{{ sql_root_pw }}”. But for the playbook to know these variables, it needs to be called like this (note the “@”, which tells -e to read the variables from a file instead of treating the argument as a literal key=value string):
ansible-playbook -e @secrets_demo.enc --ask-vault-pass execute-setup.yaml
As you can see, with the option “--ask-vault-pass” you will be prompted to enter your vault password every time you run the playbook.
The vault can be edited:
ansible-vault edit secrets_demo.enc
Vault password:
Or even decrypted:
ansible-vault decrypt secrets_demo.enc
Vault password:
Afterwards, of course, you need to encrypt it again; otherwise the plaintext passwords end up in your repository.
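Forgetting that last step is the usual way plaintext secrets get committed. As an added example that is not part of the original post, here is a small POSIX shell check (usable as a pre-commit hook) that refuses any secret file lacking the vault header; the file names and sample contents below are constructed for the demo:

```shell
#!/bin/sh
# Added example, not from the original post: refuse secret files that are
# not vault-encrypted. A real vault file starts with
# "$ANSIBLE_VAULT;<format version>;<cipher>", e.g. $ANSIBLE_VAULT;1.1;AES256
# (format 1.2 adds a vault id after the cipher).

# is_vault_encrypted FILE -> exit 0 if FILE carries the vault header, 1 otherwise
is_vault_encrypted() {
    # Only the first line matters; a decrypted file starts with plain YAML.
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# check_secret_files FILE... -> reports every plaintext file, exit 1 if any found
check_secret_files() {
    rc=0
    for f in "$@"; do
        if ! is_vault_encrypted "$f"; then
            echo "NOT ENCRYPTED: $f" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample inputs, written to a temp dir so the script runs offline.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
# Fake vault file: only the header line is meaningful for the check.
printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '33356535376533383633396561346461' \
    > "$demo_dir/secrets_demo.enc"
# A file someone decrypted for editing and forgot to encrypt again.
printf '%s\n' 'sql_root_pw: Sup3rStr0ng' > "$demo_dir/forgot_to_encrypt.enc"

if check_secret_files "$demo_dir"/*.enc; then
    echo "all secret files are vault-encrypted"
else
    echo "refusing: plaintext secret file present" >&2   # the demo takes this branch
fi
```

In a Git hook, run check_secret_files over the staged *.enc files and exit with its return code to block the commit.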