RHCA – Ansible Automation – Exam 407 – Use Ansible Vault in playbooks to protect sensitive data

Ansible Vault encrypts sensitive data (whole variable files, or single values in-line) so it can be stored in version control next to the playbooks that use it, and decrypted in memory only when a play runs.

For this section I recommend making some playbooks that use vault, such as creating a user and assigning a password, or storing an SSH key as an Ansible Vault file.

ansible vault – using external file:

# to encrypt an existing plaintext file in place (prompts for the vault password)
ansible-vault encrypt <file>

# to edit an encrypted file - opens the decrypted content in $EDITOR (vi by default) and re-encrypts on save - will prompt for password
ansible-vault edit <file>

# to view the decrypted content without writing it to disk
ansible-vault view <file>

# to decrypt the file in place - the plaintext stays on disk until you run encrypt again, so prefer edit/view
ansible-vault decrypt <file>

# Example vault file (plain YAML before encryption):
usrName: greplog
## the user module expects a crypt(3) hash, never the plaintext password; create a sha512-crypt hash with:
## pip install passlib && python -c "from passlib.hash import sha512_crypt; import getpass; print(sha512_crypt.using(rounds=5000).hash(getpass.getpass()))"
usrPass: $6$rXCmdaG602DrbL5u$jr.2icdj3a559OOaMHU4Q4rhwmwlj3pNG0ngdyEP9UOlVfH5Wa1aO2X7Wkr03uQ10ir8nAT0swECgQT4zudr2/

# To reference the external file from a playbook (it is decrypted in memory at run time; no plaintext is written to disk):
- hosts: localhost
  become: true                   # changing another user's password needs root
  vars_files:
    - vault/secure
  tasks:
    - name: update user password
      user:
        name: "{{ usrName }}"
        update_password: always
        password: "{{ usrPass }}"   # already a crypt(3) hash, as stored in the vault file
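The decrypt command above is where vault data most often leaks: the file is decrypted in place, edited, and committed before anyone runs encrypt again. The following pre-commit guard is an added example (not code from the page) that refuses a commit when a file that should be a vault is plaintext, or when an ordinary YAML file carries a credential-looking value such as a $6$ hash. The path convention it enforces (vault/secure, group_vars/*/vault.yml) and the key-name heuristic are assumptions to tune for your repository:

```shell
#!/usr/bin/env bash
# check-vault.sh: pre-commit guard that refuses plaintext secrets in an Ansible repo.
# Added example, not from the page. Assumptions: vault data lives in files whose path
# contains "vault" (vault/secure, group_vars/*/vault.yml); everything else staged is
# ordinary YAML that should carry no credential-looking values.

VAULT_HEADER='$ANSIBLE_VAULT;1.'   # 1.1 envelopes and 1.2 (vault-id labelled) envelopes both start this way

# is_vault_encrypted FILE -> 0 if the file starts with a vault envelope header, else 1
is_vault_encrypted() {
  local first=""
  IFS= read -r first < "$1" || true   # read returns 1 on a final line without newline; $first is still set
  case "$first" in
    "$VAULT_HEADER"*) return 0 ;;
    *)                return 1 ;;
  esac
}

# is_vault_path FILE -> 0 if the path marks the file as one that must always be encrypted
is_vault_path() {
  case "$1" in
    vault/*|*/vault/*|vault.yml|*/vault.yml|*vault*.yml|*vault*.yaml) return 0 ;;
    *) return 1 ;;
  esac
}

# looks_like_secret FILE -> 0 if the plaintext carries something credential-like:
# a crypt(3) hash ($1$, $5$, $6$, $2a$/$2b$/$2y$), a PEM private key, or a key named
# *pass*/*secret*/*token*. The key-name rule is a noisy heuristic (it also trips on
# update_password: always); narrow it to your own variable naming.
looks_like_secret() {
  grep -Eqi \
    -e '\$(1|5|6|2[aby])\$[./A-Za-z0-9]' \
    -e 'BEGIN [A-Z ]*PRIVATE KEY' \
    -e '^[[:space:]]*[A-Za-z0-9_]*(pass|secret|token)[A-Za-z0-9_]*:' \
    "$1"
}

# check_files FILE... -> 0 if nothing was refused, 1 otherwise (each offender is named on stderr)
check_files() {
  local f rc=0
  for f in "$@"; do
    [ -f "$f" ] || continue                      # deleted or renamed away in this commit
    if is_vault_encrypted "$f"; then
      continue                                   # encrypted content is opaque; nothing to scan
    fi
    if is_vault_path "$f"; then
      echo "REFUSED: $f is a vault file but is not encrypted (run: ansible-vault encrypt $f)" >&2
      rc=1
    elif looks_like_secret "$f"; then
      echo "REFUSED: $f contains a credential-looking value; move it into a vault file" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Hook wiring, in .git/hooks/pre-commit (filenames with spaces need -z handling):
#   exec ./check-vault.sh $(git diff --cached --name-only --diff-filter=ACMR)
# With no arguments the script only defines its functions, so it can be sourced for testing.
if [ "$#" -gt 0 ]; then
  check_files "$@"
fi
```

The same script run from CI (`./check-vault.sh group_vars/*/vault.yml vault/secure`) catches the case where the hook was bypassed with `git commit --no-verify`.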

ansible vault – in-line:

# to encrypt a single value in-line: -p prompts for the string to encrypt, -n names the variable;
# the output is a `SecretVar: !vault |` block that is pasted into vars: or group_vars as-is
ansible-vault encrypt_string -p -n SecretVar

To run a playbook that uses vault:

## providing a single vault password

# prompt for the password
ansible-playbook site.yml --ask-vault-pass
# read the password from a file (keep it mode 0600 and out of version control)
ansible-playbook site.yml --vault-password-file ~/.pwd

## specifying multiple vault passwords, one per vault id

# To run a play with files encrypted under two ids (prod and dev, created with `ansible-vault encrypt --vault-id prod@prompt ...`), prompting for both passwords
ansible-playbook test.yml --vault-id prod@prompt --vault-id dev@prompt
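Typing two passwords at every run does not scale, and a plain password file covers only one vault id. Ansible instead accepts a vault password client script: an executable whose name ends in -client (before the extension) that it runs as `script --vault-id <label>` and whose stdout is the password. The script below is an added example of such a client (not code from the page); the directory $VAULT_PASS_DIR, the one-file-per-label layout and the mode check are assumptions:

```shell
#!/usr/bin/env bash
# vault-client.sh: Ansible vault password client script.
# The name must end in "-client" before its extension so that Ansible invokes it as
#   vault-client.sh --vault-id prod
# rather than as a plain password script. Prints the password for that label to stdout.
# Added example, not from the page. VAULT_PASS_DIR and the <label>.pwd naming are assumptions.
set -u
VAULT_PASS_DIR="${VAULT_PASS_DIR:-$HOME/.config/ansible-vault}"

# vault_password LABEL -> prints the stored password for LABEL, or fails with a reason on stderr
vault_password() {
  local label="$1" file mode
  case "$label" in
    ""|*[!A-Za-z0-9_-]*)                      # reject empty labels and anything with / or . (no ../ tricks)
      echo "vault-client: bad vault-id '$label'" >&2; return 2 ;;
  esac
  file="$VAULT_PASS_DIR/$label.pwd"
  [ -f "$file" ] || { echo "vault-client: no password stored for vault-id '$label'" >&2; return 1; }
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")   # GNU stat, then BSD/macOS stat
  case "$mode" in
    600|0600|400|0400) ;;
    *) echo "vault-client: $file is mode $mode, must be 0600 or 0400" >&2; return 1 ;;
  esac
  cat "$file"
}

# main: parse the arguments exactly as Ansible passes them (--vault-id LABEL)
main() {
  local label=""
  while [ "$#" -gt 0 ]; do
    case "$1" in
      --vault-id)   label="${2:-}"; shift 2 ;;
      --vault-id=*) label="${1#--vault-id=}"; shift ;;
      *) echo "usage: $0 --vault-id LABEL" >&2; return 2 ;;
    esac
  done
  vault_password "$label"
}

# Ansible always passes arguments; with none the file only defines its functions.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Store each password once, with a restrictive umask so the mode check passes: `(umask 077; mkdir -p ~/.config/ansible-vault; printf '%s' "$pw" > ~/.config/ansible-vault/prod.pwd)`. Then `chmod 700 vault-client.sh` and run `ansible-playbook test.yml --vault-id prod@./vault-client.sh --vault-id dev@./vault-client.sh`; the label in each --vault-id is what the script receives.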
