When you use Ansible, you may need to put confidential or secret information in playbooks. This includes SSH private and public keys, passwords, and SSL certificates, to mention just a few. As we already know, it's bad practice to save this sensitive information in plain text, for obvious reasons. It needs to be kept under lock and key, because we can only imagine what would happen if hackers or unauthorized users got hold of it.
Ansible provides a handy feature for this, known as Ansible Vault. As the name suggests, Ansible Vault helps secure the kind of secret information discussed above. It can encrypt variables, or even entire files and YAML playbooks, as we shall demonstrate below. It's a very handy and user-friendly tool that requires the same password when encrypting and decrypting files.
Encrypt a file/playbook:
# ansible-vault encrypt demo.yml
New Vault password:
Confirm New Vault password:
Encryption successful
# cat demo.yml
$ANSIBLE_VAULT;1.1;AES256
63643961663965663630373861323966383565346165663231336562666338393363346162386238
3132343739396130643463333337386435663133316132640a313638373838616437663933633834
35626337373262383236646136616536616334346364393466616131306333353065386133666136
3532653438336364660a646262633233653364313965613562326136356366393564356364643536
62623034633565326535633365366362646339303766326536303431363031303235346137393233
33386334623163363032653237636363616161376635616666303136623461343134613034316365
62383464396461383937373332633462363838663764363337653265623738613035393735346634
32396265623932313530303332663937353931343036346532343266303364666566303739626534
34663839666665393363646139343931343930333430663039633934626330313830356432383861
3566343934366633353836383330303662306132623133663465
#
Decrypt the encrypted ansible file/playbook:
# ansible-vault decrypt demo.yml
Vault password:
Decryption successful
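Because ansible-vault decrypt rewrites demo.yml in plain text on disk, it is worth checking that a file is back in vault form before it is committed or shared. The following Python check is an added example, not code from the original post or from the Ansible project: it parses the $ANSIBLE_VAULT;1.1;AES256 envelope shown above (hex of salt, HMAC and ciphertext joined by newlines) and reports files that are not well-formed vault files. The function names and the make_sample envelope are constructed for illustration.

```python
import binascii
import sys
from pathlib import Path

HEADER = "$ANSIBLE_VAULT;1.1;AES256"  # header line as shown in the cat output

def parse_vault(text):
    """Split a vault 1.1 envelope into (salt, hmac, ciphertext) or raise ValueError."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or lines[0] != HEADER:
        raise ValueError("missing vault 1.1 AES256 header")
    try:
        # Body is hex of: hex(salt) \n hex(hmac) \n hex(ciphertext)
        inner = binascii.unhexlify("".join(lines[1:]))
        salt, mac, ct = (binascii.unhexlify(p) for p in inner.split(b"\n"))
    except ValueError as exc:  # bad hex, odd length, or wrong number of parts
        raise ValueError(f"malformed vault body: {exc}") from None
    if len(salt) != 32 or len(mac) != 32 or not ct:
        raise ValueError("unexpected salt, HMAC or ciphertext length")
    return salt, mac, ct

def unencrypted(paths):
    """Return the paths whose contents are not well-formed vault files."""
    bad = []
    for path in paths:
        try:
            parse_vault(Path(path).read_text(encoding="utf-8", errors="replace"))
        except ValueError:
            bad.append(str(path))
    return bad

def make_sample():
    """Constructed envelope with placeholder bytes (not real encrypted data)."""
    parts = [b"\x01" * 32, b"\x02" * 32, b"\x03" * 48]
    inner = b"\n".join(binascii.hexlify(p) for p in parts)
    body = binascii.hexlify(inner).decode()
    wrapped = "\n".join(body[i:i + 80] for i in range(0, len(body), 80))
    return HEADER + "\n" + wrapped + "\n"

if __name__ == "__main__":
    # Pass the files that must stay encrypted; exit status 1 fails a commit hook.
    leaked = unencrypted(sys.argv[1:])
    for name in leaked:
        print(f"NOT ENCRYPTED: {name}")
    sys.exit(1 if leaked else 0)
```

The check only validates the envelope structure; it does not need the vault password and does not decrypt anything.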
Edit an Encrypted File in Ansible:
# ansible-vault edit demo.yml
Change Ansible Vault Password:
Reset key on Encrypted File in Ansible:
# ansible-vault rekey demo.yml
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful
Decrypt a playbook file during Runtime:
# ansible-playbook demo.yml --ask-vault-pass
Vault password:
PLAY [all] ***********************************************************************************
TASK [Gathering Facts] ***********************************************************************************
ok: [192.168.100.2]
ok: [192.168.100.1]
TASK [Date and Time example] ***********************************************************************************
ok: [192.168.100.1] => {
"ansible_date_time.date": "2021-11-18"
}
ok: [192.168.100.2] => {
"ansible_date_time.date": "2021-11-18"
}
PLAY RECAP ***********************************************************************************
192.168.100.1 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
192.168.100.2 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0