Ansible Vault
Ansible Vault encrypts sensitive variables (passwords, license keys, etc.) so they can be safely committed to the repository. This project keeps its encrypted secrets in group_vars/all/vault.yml, where they are loaded automatically for every host.
Define secrets as lowercase Ansible variables in the vault (e.g. server_admin_password, microsoft_sql_sa_password). These take precedence over the equivalent uppercase environment variables (e.g. SERVER_ADMIN_PASSWORD). Use a secure password generator to create strong passwords.
Create
Create the vault file with the secrets you want to encrypt:
cat <<EOF > group_vars/all/vault.yml
server_admin_user: Administrator
server_admin_password: USE_PASSWORD_GENERATOR
microsoft_sql_sa_password: USE_PASSWORD_GENERATOR
microsoft_sql_spadmin_password: USE_PASSWORD_GENERATOR
microsoft_sql_spuser_password: USE_PASSWORD_GENERATOR
EOF
Encrypt
Encrypt the file in place. You will be prompted for a vault password:
An encrypted file begins with a header like $ANSIBLE_VAULT;1.1;AES256 and is safe to commit.
Edit
Edit an encrypted file without manually decrypting it. The file is decrypted into your editor and re-encrypted on save:
View
Print the decrypted contents to the terminal without opening an editor:
Rekey
Change the password protecting the file:
Encrypt a Single String
To store an encrypted value inline (e.g. directly in host_vars) rather than encrypting an entire file:
Paste the resulting !vault block into the relevant YAML file.
Password File
Rather than entering the vault password interactively each run, store it in a file. This file is already listed in .gitignore and must never be committed:
Point ansible.cfg at the password file so it is used automatically:
Running Playbooks
With vault_password_file configured in ansible.cfg, playbooks run without any extra flags. If you have not configured a password file, supply the password at run time instead:
Protect the vault password
Never commit ansible_vault.txt or the unencrypted vault.yml. Store the vault password in a secrets manager (e.g. 1Password) and rotate it with ansible-vault rekey if it is exposed.
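The two commit rules above (the vault file must carry the $ANSIBLE_VAULT header, and ansible_vault.txt must stay in .gitignore) can be enforced mechanically. The following is an added example of such a pre-commit check, not tooling from this project; it assumes the layout described here (group_vars/all/vault.yml, ansible_vault.txt and .gitignore at the repository root).

```shell
#!/bin/sh
# Added example, not part of the project: a pre-commit style check for the two
# rules above. The committed vault file must carry an ansible-vault header, and
# the vault password file must be listed in .gitignore. Assumed layout:
# group_vars/all/vault.yml, ansible_vault.txt and .gitignore at the repo root.

# Succeeds when the first line of $1 is an Ansible Vault header
# ($ANSIBLE_VAULT;1.1;AES256, or the 1.2 vault-id form), i.e. safe to commit.
vault_is_encrypted() {
    [ -f "$1" ] || return 1
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# Prints the vault format version ("1.1" or "1.2") of an encrypted file.
vault_header_version() {
    vault_is_encrypted "$1" || return 1
    head -n 1 "$1" | cut -d ';' -f 2
}

# Succeeds when filename $2 appears as its own line in the ignore file $1
# (either "name" or "/name"); an exact-line match is enough for a root file.
password_file_ignored() {
    [ -f "$1" ] || return 1
    grep -qx -e "$2" -e "/$2" "$1"
}

# Runs both checks against repository root $1; reports each failure on stderr
# and returns 1 if any check failed, 0 when the repository is clean.
check_vault_hygiene() {
    root="$1"
    rc=0
    if ! vault_is_encrypted "$root/group_vars/all/vault.yml"; then
        echo "FAIL: group_vars/all/vault.yml is not ansible-vault encrypted" >&2
        rc=1
    fi
    if ! password_file_ignored "$root/.gitignore" ansible_vault.txt; then
        echo "FAIL: ansible_vault.txt is not listed in .gitignore" >&2
        rc=1
    fi
    return "$rc"
}
```

Wire check_vault_hygiene into a git pre-commit hook so a plaintext vault.yml or an un-ignored password file is rejected before it reaches the repository.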