Ansible Vault Cheat Sheet / Reference guide


How do I encrypt sensitive data with Ansible Vault? How do I secure Ansible playbooks with Vault? How do I use Ansible Vault in my projects? This guide is a reference guide/cheat sheet for Ansible users who rely on Vault to keep data encrypted and secured when working on Ansible projects.

Ansible has proven to be the most used and loved configuration management tool for developers and SysAdmins of all classes. With wider adoption come security concerns. To keep sensitive information such as passwords or private keys safe, you need Vault. Vault-encrypted data is automatically decrypted at runtime.

Ansible is a requirement for this guide. Ensure Ansible is installed on your system; it provides the ansible-vault command-line tool that we’ll use throughout this guide. Before you get started, set a default editor for Ansible Vault.

--- For Bash ---
$ echo "export EDITOR=vim" >> ~/.bashrc
$ source ~/.bashrc

--- For Zsh ---
$ echo "export EDITOR=vim" >> ~/.zshrc
$ source ~/.zshrc

Replace vim with your favorite editor.

Step 1: Install Ansible / Ansible Vault

The easiest way to install Ansible on Linux and most Unix systems is via the Python package manager, pip.

Install pip:

curl -o
python --user

Once pip has been installed, use it to install Ansible.

pip install --user ansible

Step 2: Using Ansible Vault

In this section, we’ll see many examples of how to use Ansible Vault. The ansible-vault command is used to manage encrypted content within Ansible. With it you can create, edit, view and decrypt encrypted files.

Example 1: Create a new encrypted file

To create a new file that’s encrypted with Vault, use the create option and append the name of the file. For example, to create an encrypted YAML file called create_users.yml which will contain sensitive data, run:

$ ansible-vault create create_users.yml

You will be prompted to enter and confirm a secure password:

New Vault password: 
Confirm New Vault password:

Ansible will then open an editing window for you to input your desired contents.

Example 2: Encrypt existing file

For existing files, use the ansible-vault encrypt command to set a password.

$ echo "SecurePassword" > passwords.txt
$ ansible-vault encrypt passwords.txt
New Vault password: 
Confirm New Vault password: 
Encryption successful

This replaces the unencrypted file with an encrypted one.

$ cat passwords.txt

Example 3: Edit encrypted file

To edit an encrypted file, use the ansible-vault edit command.

$ ansible-vault edit passwords.yml

This will ask you to input the file password.

Vault password:

Example 4: Update encryption password

You can always update the encryption password with the ansible-vault rekey command.

$ ansible-vault rekey create_users.yml
Vault password: 
New Vault password: 
Confirm New Vault password: 
Rekey successful

Input the old password, then the new one, when prompted. Once updated, the file is accessible using the new password.

Example 5: View Ansible encrypted file

You can view the contents of a vault-encrypted file without opening an editor window. For this you’ll use the ansible-vault view command.

$ ansible-vault view create_users.yml

You will be asked to input the file password before the contents are displayed.

Vault password:
Secret information

Example 6: Decrypt Vault Encrypted Files

If you no longer need encryption, you can decrypt a vault-encrypted file using the ansible-vault decrypt command.

$ ansible-vault decrypt myfile.yml

Provide the encryption password for the file.

Vault password:
Decryption successful

You will be able to see the actual contents of the file after decryption.

Example 7: Execute Ansible with Vault-Encrypted Files

Once you encrypt your sensitive data, you will want to run an Ansible playbook that references the encrypted data in some way. The ansible and ansible-playbook commands can decrypt vault-protected files if the correct password is provided.

Using password prompt

For playbook execution, pass the --ask-vault-pass flag.

$ ansible-playbook --ask-vault-pass .yaml

For Ansible 2.4 and later, you can use the --vault-id @prompt flag instead.

See the examples below.

$ ansible-playbook --ask-vault-pass -i hosts osp-pre.yml 
Vault password: 

PLAY [Run presetup on OSP nodes] ******************************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************************


$ ansible-playbook -i hosts osp-pre.yml --vault-id @prompt
Vault password (default): 

Using Password file

If you want to avoid the interactive password prompt during playbook execution, consider using Ansible Vault with a password file.

Create the password file.

$ echo 'MyStrongVaulPassword' > .ansible_vault_pass

If you use a version control system such as git, add the .ansible_vault_pass file to the list of ignored files so the password is never committed.

$ echo '.ansible_vault_pass' >> .gitignore

Now reference the password file when running the ansible or ansible-playbook command.

$ ansible --vault-password-file=.ansible_vault_pass ...
$ ansible-playbook --vault-password-file=.ansible_vault_pass ....


$ ansible-playbook --vault-password-file=.ansible_vault_pass -i hosts osp-pre.yml 

PLAY [Run presetup on OSP nodes] ******************************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************************

As seen above, there is no prompt to input the vault password.

Set ANSIBLE_VAULT_PASSWORD_FILE Environment variable

If you don’t want to pass the password flag or use the interactive prompt, you can configure Ansible to read the password file automatically. This is achieved by setting the ANSIBLE_VAULT_PASSWORD_FILE environment variable to the path of the password file:

export ANSIBLE_VAULT_PASSWORD_FILE=./.ansible_vault_pass

To persist the configuration, set it under the [defaults] section of your local ansible.cfg file.

$ vim ansible.cfg

[defaults]
vault_password_file = ./.ansible_vault_pass

Ansible will use the configured password file for all vault operations, such as encrypt and create.
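A plaintext .ansible_vault_pass file is only as safe as its file permissions and your .gitignore. Ansible also accepts an executable as the vault password file: it runs the program and reads the password from its standard output, which lets the password come from an environment variable or a secrets manager instead of sitting on disk. The following added example (not code from the original guide) writes such a password script and adds a check a practitioner would run before each playbook: the file must be readable by its owner only and must be listed in the .gitignore beside it. The VAULT_PASS variable name and the vault-pass.sh file name are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes the vault password is
# handed to the script through the VAULT_PASS environment variable; a real
# deployment would call a secrets manager CLI in its place.

# write_vault_pass_script PATH -> creates an executable vault password
# client at PATH. Ansible runs an executable --vault-password-file and
# uses its stdout as the password.
write_vault_pass_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
# Print the vault password for Ansible; fail loudly if it is not set.
[ -n "$VAULT_PASS" ] || { echo "VAULT_PASS is not set" >&2; exit 1; }
printf '%s\n' "$VAULT_PASS"
EOF
    chmod 700 "$1"   # owner-only: Ansible needs execute, nobody else needs read
}

# check_vault_pass_file PATH -> 0 when PATH has no group/other permission
# bits and is listed in the .gitignore next to it, 1 otherwise.
check_vault_pass_file() {
    f=$1
    perms=$(ls -ld "$f" | cut -c5-10)   # group and other permission bits
    if [ "$perms" != "------" ]; then
        echo "$f is readable by group/other ($perms)" >&2
        return 1
    fi
    dir=$(dirname "$f")
    base=$(basename "$f")
    if ! grep -qxF "$base" "$dir/.gitignore" 2>/dev/null; then
        echo "$base is not listed in $dir/.gitignore" >&2
        return 1
    fi
    return 0
}

# Usage with the playbook from this guide (vault-pass.sh is an assumed name):
#   write_vault_pass_script ./vault-pass.sh
#   echo 'vault-pass.sh' >> .gitignore
#   check_vault_pass_file ./vault-pass.sh && \
#     VAULT_PASS='...' ansible-playbook --vault-password-file ./vault-pass.sh -i hosts osp-pre.yml
```

The permission check reads the mode string from ls rather than stat so it works on both GNU and BSD userlands. Because the password is never written to disk, rotating it is a matter of changing the value the environment or secrets manager provides, followed by ansible-vault rekey on the encrypted files.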

Example 8: Encrypt only sensitive variables

In an ideal automation workflow with collaboration, you’ll want to encrypt only sensitive data such as database passwords, API keys, user credentials, etc.

Create the encrypted variables file.

$ vim vars/vault.yml
vault_db_pass: MyStrongPassword

$ ansible-vault encrypt vars/vault.yml
New Vault password: 
Confirm New Vault password: 
Encryption successful

Confirm it is encrypted.

$ cat vars/vault.yml 
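Eyeballing cat output works once, but the check worth automating is that every file meant to be encrypted still starts with the Vault header ($ANSIBLE_VAULT;1.1;AES256, or $ANSIBLE_VAULT;1.2;AES256;label when a vault-id label is used) before it is committed. The following added example (not code from the original guide) implements that check as two shell functions suitable for a pre-commit hook; the vault*.yml naming convention and the constructed sample files are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes vault-encrypted variable
# files are named vault*.yml and that an encrypted file begins with
# "$ANSIBLE_VAULT;<version>;AES256".

VAULT_HEADER_RE='^\$ANSIBLE_VAULT;[0-9]\.[0-9];AES256'

# is_vault_encrypted FILE -> 0 if FILE starts with the Vault header, 1 otherwise
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q "$VAULT_HEADER_RE"
}

# check_vault_dir DIR -> prints each vault*.yml under DIR that is NOT
# encrypted and returns 1 if any was found, 0 when all are encrypted.
check_vault_dir() {
    bad=$(find "$1" -type f -name 'vault*.yml' -exec sh -c \
        'head -n 1 "$2" | grep -q "$1" || printf "%s\n" "$2"' _ "$VAULT_HEADER_RE" {} \;)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/PLAINTEXT: /'
        return 1
    fi
    return 0
}

# demo_vault_check -> runs the check on constructed sample files: one that
# carries the header (the ciphertext line is made up) and one that was
# accidentally left decrypted. Returns 1 because the second file is plaintext.
demo_vault_check() {
    dir=$(mktemp -d)
    mkdir "$dir/vars"
    printf '$ANSIBLE_VAULT;1.1;AES256\n62383365616238643238\n' > "$dir/vars/vault.yml"
    printf 'vault_db_pass: MyStrongPassword\n' > "$dir/vars/vault_oops.yml"
    check_vault_dir "$dir/vars"
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

Wire check_vault_dir vars into .git/hooks/pre-commit (or run it in CI) and a decrypted vault file fails the commit instead of landing in history, where rekeying no longer helps.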

We will then define the other, unencrypted variables and reference the encrypted value from the vault variables file.

$ vim vars/plain.yml
db_user: computingforgeeks
db_port: 3306
db_pass: "{{ vault_db_pass }}"

Note that we used Jinja2 templating to reference the variable defined in the vault-protected file.

Create the playbook file.

$ vim vault.yml
- name: Create users
  hosts: localhost
  tasks:
    - name: Include vars
      # loads every file under vars/, decrypting vault.yml with the vault password
      include_vars:
        dir: vars

    - name: Generate dummy variables data
      # write the rendered variables to /tmp/vault
      copy:
        dest: /tmp/vault
        content: |
          Database user: "{{ db_user }}"
          Database Port: "{{ db_port }}"
          Database Password: "{{ db_pass }}"

Run playbook:

$ ansible-playbook --connection=local vault.yml --ask-vault-pass

Vault password: 

PLAY [Create users] *******************************************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************************
ok: [localhost]

TASK [Include vars] *******************************************************************************************************************************
ok: [localhost]

TASK [Generate dummy variables data] **************************************************************************************************************
changed: [localhost]

PLAY RECAP ****************************************************************************************************************************************
localhost                  : ok=3    changed=1    unreachable=0    failed=0

Let’s check the contents of created file.

$ cat /tmp/vault

Database user: "computingforgeeks"
Database Port: "3306"
Database Password: "MyStrongPassword"


In this guide, we demonstrated how you can use Ansible Vault to encrypt sensitive variables and data so you can safely share your projects without compromising security.

A systems engineer with excellent skills in systems administration, cloud computing, systems deployment, virtualization, containers, and a certified ethical hacker.