From charlesreid1


Latest revision as of 20:18, 8 December 2018

Ansible Vaults are ways of storing encrypted, sensitive data like passwords or keys.

Link: https://docs.ansible.com/ansible/latest/user_guide/vault.html

How does it work

To use ansible vault, you execute a command to tell ansible you want to create a vault (an encrypted chunk of plain text).

Ansible prompts you for a password, then opens a text editor, where you enter your sensitive information. This way, your sensitive information will only exist in a temporary buffer. When you are done editing, you save and close, and the file is automatically encrypted before being written to disk.

This encrypted data can be stored in a public place, as it can only be decrypted with the appropriate passphrase.

Side note: this is a useful guide: https://www.digitalocean.com/community/tutorials/how-to-use-vault-to-protect-sensitive-ansible-data-on-ubuntu-16-04


Basic Usage

There are actually two ways to use encrypted variables: one is to create a standalone vault file; the other is to embed encrypted variables directly in yaml files.

We cover both methods below.

Standalone Vault File

To create a vault, call ansible-vault create foo.yml

This will prompt you for a password.

To edit a vault, call ansible-vault edit foo.yml

To view a vault, call ansible-vault view foo.yml bar.yml baz.yml

Encrypted data embedded in yaml

To embed encrypted data directly into yaml, use the command line to encrypt a string, then copy and paste into the yaml file.

In the following command lines, the --vault-id a_password_file bit just specifies that

ansible-vault encrypt_string --vault-id  a_password_file  'foobar' --name 'the_secret'
^^^^^^^^^^^   ^^^^^^^^^^^^^              ^^^^^^^^^^^^^^^   ^^^^^^          ^^^^^^^^^
the command   the action                 name of a file     secret value   secret key
                                         containing just
                                         plaintext password

Using a playbook with vault encrypted data

Example of a call to a playbook that uses vault-encrypted data:

ansible-playbook site.yml --ask-vault-pass

Alternative that uses a file containing the password:

ansible-playbook site.yml --vault-password-file ~/.vault_pass.txt

Third alternative is to use an environment variable:

ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass.txt ansible-playbook site.yml
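Because the whole point of the page is that vault data can sit in a public repo, a practitioner wants a check that nothing plaintext slipped in: a standalone vault file that was never encrypted, a `!vault` value pasted from `encrypt_string` without its ciphertext, or the `--vault-password-file` itself committed alongside. The script below is an added example, not code from the original page or from the Ansible project; it assumes vault files are named `*vault*.yml`, the password file is named like `.vault_pass.txt`, and paths contain no whitespace.

```shell
# Added example, not from the original page: checks to run before pushing an
# Ansible repo anywhere public, so that only ciphertext leaves the machine.
# Naming conventions here are assumptions; paths must contain no whitespace.

# Return 0 if FILE starts with the ansible-vault envelope header, which is
# "$ANSIBLE_VAULT;1.1;AES256" (";1.2;AES256;<label>" when a --vault-id label
# was used). Anything else means the file was never encrypted.
is_vault_encrypted() {
    head -n 1 "$1" | grep -q '^[$]ANSIBLE_VAULT;1\.[12];AES256'
}

# Return 0 if every "key: !vault |" entry in a YAML file is followed by the
# vault header on the next line; return 1 if a !vault tag sits above a
# plaintext value (an easy mistake when pasting encrypt_string output).
inline_vaults_ok() {
    awk '
        pending && $1 !~ /^[$]ANSIBLE_VAULT;1\.[12];AES256/ { bad = 1 }
        { pending = /!vault/ }
        END { exit (bad || pending) }
    ' "$1"
}

# Walk TREE; return 1 if a vault password file is inside the repo, a
# *vault*.yml is plaintext, or a !vault entry is malformed (findings go
# to stderr, so this can gate a git pre-commit hook).
check_tree() {
    status=0
    for f in $(find "$1" -type f); do
        case "$f" in
            *vault_pass*) echo "vault password file inside repo: $f" >&2; status=1 ;;
            *vault*.yml)  is_vault_encrypted "$f" || { echo "plaintext vault file: $f" >&2; status=1; } ;;
            *.yml)        inline_vaults_ok "$f" || { echo "malformed !vault entry: $f" >&2; status=1; } ;;
        esac
    done
    return $status
}

# Build a scratch tree of constructed sample files (the hex line is a
# placeholder, not real ciphertext) and print its path.
make_sample_tree() {
    d=$(mktemp -d) && mkdir -p "$d/group_vars/all"
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '3030303030303030' \
        > "$d/group_vars/all/vault.yml"                           # as "ansible-vault create" writes it
    printf '%s\n' 'db_password: hunter2' > "$d/group_vars/all/prod_vault.yml"   # never encrypted
    printf '%s\n' 'the_secret: !vault |' '  $ANSIBLE_VAULT;1.1;AES256' \
        '  3030303030303030' > "$d/group_vars/all/vars.yml"       # pasted from encrypt_string
    printf '%s\n' 'api_key: !vault |' '  foobar' > "$d/group_vars/all/bad.yml"  # tag, no ciphertext
    printf '%s\n' 'hunter2' > "$d/.vault_pass.txt"                # password file committed by mistake
    echo "$d"
}
```

Run `check_tree .` from the repository root (for instance from `.git/hooks/pre-commit`); a non-zero exit means something plaintext is about to be committed.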



Flags