Secure Ansible Playbooks using Vault | Beginner Level Guide | Theory + Practical

Published on Nov 06, 2024


Introduction

In this tutorial, we will explore how to secure sensitive information in Ansible Playbooks using Ansible Vault. This guide is designed for beginners and will cover the essential concepts and practical steps to encrypt, decrypt, edit, and view secrets effectively within your Ansible configurations.

Step 1: Install Ansible

Before you can use Ansible Vault, ensure that Ansible is installed on your system.

  • On most Linux distributions, you can install Ansible with the system package manager. For example, on Debian or Ubuntu:
    sudo apt update
    sudo apt install ansible
    
  • For Mac users, you can install Ansible via Homebrew:
    brew install ansible
    

Step 2: Create a Vault Password File

To use Ansible Vault, you need a password file that stores your encryption password securely.

  • Create a file to store your vault password, for example, vault_pass.txt.
  • Store your desired password in this file (note that a password typed on the command line also lands in your shell history):
    echo "your_secure_password" > vault_pass.txt
    
  • Ensure that this file is secured with appropriate permissions:
    chmod 600 vault_pass.txt
    

Step 3: Encrypt a Variable with Ansible Vault

To secure sensitive variables, you will use the ansible-vault command to encrypt them.

  • Use the following command to create a new encrypted file:
    ansible-vault create secrets.yml --vault-password-file vault_pass.txt
    
  • This command will open a text editor where you can input your sensitive variables. For example:
    api_key: "your_api_key"
    db_password: "your_db_password"
    

Step 4: View Encrypted Variables

To check the contents of your encrypted file without editing it, use the following command:

ansible-vault view secrets.yml --vault-password-file vault_pass.txt

Step 5: Edit an Encrypted File

If you need to change the contents of your encrypted file, you can do so with the edit command.

  • Run the following command:
    ansible-vault edit secrets.yml --vault-password-file vault_pass.txt
    
  • This will open the file in your default text editor, allowing you to modify the contents securely.

Step 6: Decrypt an Encrypted File

If you need to decrypt a vault file for any reason, use the following command:

  • Run the following command:
    ansible-vault decrypt secrets.yml --vault-password-file vault_pass.txt
    
  • Be aware that this will remove the encryption, so ensure you have backups if necessary.

Step 7: Use Encrypted Variables in Playbooks

To utilize your encrypted variables in an Ansible Playbook, reference them as you would with any other variable.

  • Here’s an example playbook that uses the encrypted variables (the debug task below echoes the secret to the console and to any Ansible logs, so use it only to confirm the setup works):
    ---
    - hosts: all
      vars_files:
        - secrets.yml   # decrypted in memory at runtime using the vault password
      tasks:
        - name: Print API key
          debug:
            msg: "The API key is {{ api_key }}"
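
A check I would add after steps 2 and 3, as example code added here rather than part of the tutorial: it verifies that a secrets file actually carries the ansible-vault envelope header before it is committed, and that the vault password file is not readable by group or others. The file names and contents below are constructed for the demo and written to a temporary directory so it runs anywhere.

```python
"""Pre-commit style check (added example, not from the page): refuse a vars file
that is not vault-encrypted and a vault password file with loose permissions."""
import os
import stat
import tempfile

# Every file written by ansible-vault starts with this envelope header
VAULT_HEADER = "$ANSIBLE_VAULT;"

def is_vault_encrypted(path: str) -> bool:
    """True if the first line carries the ansible-vault envelope header."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.readline().startswith(VAULT_HEADER)

def password_file_is_private(path: str) -> bool:
    """True if no group/other permission bits are set (i.e. at most chmod 600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0

def check_repo(secret_files, password_file) -> list:
    """Return findings; an empty list means the secrets are safe to commit."""
    findings = []
    for f in secret_files:
        if not is_vault_encrypted(f):
            findings.append(f"{f}: not vault-encrypted (no {VAULT_HEADER} header)")
    if not password_file_is_private(password_file):
        findings.append(f"{password_file}: permissions wider than 0600")
    return findings

def demo() -> list:
    """Constructed sample files: a plaintext secrets.yml, a file with a vault
    header, and a password file left world-readable. Expect two findings."""
    d = tempfile.mkdtemp()
    plain = os.path.join(d, "secrets.yml")
    with open(plain, "w") as fh:
        fh.write('api_key: "your_api_key"\n')
    enc = os.path.join(d, "secrets_encrypted.yml")
    with open(enc, "w") as fh:
        # placeholder body; a real vault file carries hex-encoded ciphertext here
        fh.write("$ANSIBLE_VAULT;1.1;AES256\n00000000\n")
    pw = os.path.join(d, "vault_pass.txt")
    with open(pw, "w") as fh:
        fh.write("your_secure_password\n")
    os.chmod(pw, 0o644)  # deliberately too open, to trigger the check
    return check_repo([plain, enc], pw)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Wire check_repo into a git pre-commit hook with your real secrets paths and the hook refuses the commit whenever it returns findings.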
    

Conclusion

By following these steps, you can effectively secure your sensitive information in Ansible Playbooks using Ansible Vault. Remember to always protect your vault password file and only decrypt files when necessary. As next steps, consider experimenting with more advanced Ansible features, or explore other topics in the channel's playlists such as AWS and Terraform for further DevOps skills enhancement.