From charlesreid1

Revision as of 20:09, 6 December 2018

Ansible Vault is a way of storing sensitive data, such as passwords or keys, in encrypted form.

Link: https://docs.ansible.com/ansible/latest/user_guide/vault.html

How does it work

To use Ansible Vault, you execute a command to tell Ansible you want to create a vault (an encrypted chunk of plain text).

Ansible prompts you for a password, then opens a text editor, where you enter your sensitive information. This way, your sensitive information will only exist in a temporary buffer. When you are done editing, you save and close, and the file is automatically encrypted before being written to disk.

This encrypted data can be stored in a public place, as it can only be decrypted with the appropriate passphrase.

Basic Usage

There are actually two ways to use encrypted variables: one is to create a standalone vault file; the other is to embed encrypted variables directly in yaml files.

We cover both methods below.

Standalone Vault File

To create a vault, call ansible-vault create foo.yml

This will prompt you for a password.

To edit a vault, call ansible-vault edit foo.yml

To view a vault, call ansible-vault view foo.yml bar.yml baz.yml
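Before a vault file goes somewhere public, it is worth confirming that what is on disk really is a vault envelope and not a plaintext or truncated copy. The following is an added example, not code from the original page or from the Ansible project: it checks the envelope that ansible-vault writes (a `$ANSIBLE_VAULT;1.1;AES256` header line followed by hex text) without needing the password. The function names and the sample bytes are constructed for this illustration.

```python
import binascii
import re

# Envelope written by ansible-vault: a header line, then hex text wrapped at 80 columns.
HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;(1\.[12]);(\w+)(?:;(\S+))?$")

def inspect_vault(text):
    """Describe a vault envelope without the password; raise ValueError if malformed."""
    lines = text.strip().splitlines()
    match = HEADER_RE.match(lines[0].strip()) if lines else None
    if not match:
        raise ValueError("no $ANSIBLE_VAULT header: content is not vault-encrypted")
    version, cipher, vault_id = match.groups()
    try:
        # Body is hex of: hex(salt) \n hex(hmac) \n hex(ciphertext)
        inner = binascii.unhexlify("".join(l.strip() for l in lines[1:]))
        parts = [binascii.unhexlify(p) for p in inner.split(b"\n")]
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ValueError("payload is not valid hex") from exc
    if len(parts) != 3:
        raise ValueError("expected salt, HMAC and ciphertext")
    salt, mac, ciphertext = parts
    if len(salt) != 32 or len(mac) != 32 or not ciphertext:
        raise ValueError("unexpected salt/HMAC length or empty ciphertext")
    return {"version": version, "cipher": cipher, "vault_id": vault_id,
            "ciphertext_bytes": len(ciphertext)}

def is_safe_to_publish(text):
    """True only when the whole file is a well-formed vault envelope."""
    try:
        inspect_vault(text)
        return True
    except ValueError:
        return False

def build_sample(header="$ANSIBLE_VAULT;1.1;AES256"):
    """Constructed envelope with dummy bytes (not real ciphertext), for the demo only."""
    hx = binascii.hexlify
    inner = hx(b"\n".join([hx(b"\x01" * 32), hx(b"\x02" * 32), hx(b"\x03" * 48)])).decode()
    wrapped = [inner[i:i + 80] for i in range(0, len(inner), 80)]
    return "\n".join([header] + wrapped) + "\n"

if __name__ == "__main__":
    print(inspect_vault(build_sample()))
    print(is_safe_to_publish("db_password: hunter2\n"))  # plaintext YAML
```

The check covers only the shape of the file; how well the contents resist offline guessing still depends on the strength of the vault password.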

Encrypted data embedded in yaml

To embed encrypted data directly into yaml, use the command line to encrypt a string, then copy and paste into the yaml file.

In the following command lines, the --vault-id a_password_file bit just specifies that

ansible-vault encrypt_string --vault-id a_password_file 'foobar' --name 'the_secret'

Using a playbook with vault encrypted data

Example of a call to a playbook that uses vault-encrypted data:

ansible-playbook site.yml --ask-vault-pass

An alternative that uses a file containing the password:

ansible-playbook site.yml --vault-password-file ~/.vault_pass.txt

A third alternative is to use an environment variable:

ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass.txt ansible-playbook site.yml



Flags