| 1 | +Encrypting sensitive data with Ansible Vault. |
| 2 | +Ansible Vault encrypts variables or files so, the sensitive data such as passwords or keys are not visible. |
| 3 | + |
| 4 | +In our example, we can see that the SSH password is visible in the group_vars file. Let's encrypt it. |
| 5 | + |
| 6 | +Inside the group_vars/routers.yml file, we have variables. Some variables, like the network_os and user_name, are not secret. |
| 7 | +Other variables, like the SSH password, is confidential. |
| 8 | + |
| 9 | +cat routers.yml |
| 10 | +--- |
| 11 | + |
| 12 | +#nonsensitive data |
| 13 | +ansible_network_os: ios |
| 14 | +ansible_user: ansible |
| 15 | + |
| 16 | +#sensitive data |
| 17 | +ansible_password: cisco123 |
| 18 | + |
| 19 | +We can make distinction between sensitive and nonsensitive variables using two methods. |
| 20 | +The first one is to split the variables between two files and encrypt the sensitive file. |
| 21 | + |
| 22 | +Step 1 - Create a vault-encrypted file within the directory that will live alongside the unencrypted routers.yml file. In this file, define the sensitive variables that used to be in the group_vars/routers.yml file. Use the same variable names, |
| 23 | +but prepend the string vault_ to indicate that these variables are defined in the vault-protected file. |
| 24 | + |
| 25 | +ansible-vault create vault |
| 26 | +New Vault password: |
| 27 | +Confirm New Vault password: |
| 28 | + |
| 29 | +vault yml file |
| 30 | + |
| 31 | +--- |
| 32 | +vault_ansible_password: cisco123 |
| 33 | + |
| 34 | + |
| 35 | +cat inventory/group_vars/routers/vault |
| 36 | + |
| 37 | +To view the contents of an encrypted file without editing it, you can use the ansible-vault view command as shown below. |
| 38 | + |
| 39 | +$ ansible-vault view vault |
| 40 | +Vault password: |
| 41 | +--- |
| 42 | + |
| 43 | +vault_ansible_password: cisco123 |
| 44 | + |
| 45 | + |
| 46 | +To edit an encrypted file in place, use the ansible-vault edit command. This command decrypts the file to a temporary file, allows you to edit the content, then saves and re-encrypts the content and removes the temporary file when you close the editor. |
| 47 | + |
| 48 | +Let's run the playbook again. |
| 49 | + |
| 50 | +The most straightforward way of decrypting content at runtime is to have Ansible prompt you for the appropriate credentials. You can do this by adding the --ask-vault-pass to any ansible or ansible-playbook command. |
| 51 | + |
| 52 | + ansible-playbook show_version.yml -i /etc/ansible/inventory/host-file --ask-vault-pass |
| 53 | +Vault password: |
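Review bot: the procedure never closes the loop on the variable it moves into the vault. Step 1 (doc lines 22-32) creates the vault file with `vault_ansible_password: cisco123`, but the unencrypted `routers.yml` shown at lines 16-17 still contains the plaintext `ansible_password: cisco123`, and nothing ever references `vault_ansible_password`, so the secret remains visible and the encrypted value is unused. Add a Step 2 that replaces the plaintext line in `group_vars/routers.yml` with `ansible_password: "{{ vault_ansible_password }}"` and then show the resulting `cat routers.yml`, so the reader sees the split actually in effect when the playbook is re-run at line 48. Two smaller consistency points: the intro at lines 19-20 promises "two methods" but only the split-file method is described (either describe the second or drop the claim), and the file is created as `vault` in the working directory at line 25 but read as `inventory/group_vars/routers/vault` at line 35 with no output shown and with `/etc/ansible/inventory/host-file` used as the inventory at line 52; pick one directory layout and use it throughout so the vault file is actually picked up as a group_vars file.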