Nov 18, 2021

Ansible Vault - Security in Ansible

When you are using Ansible, you will often need to put confidential information into playbooks and variable files: SSH private keys, passwords, API tokens and TLS/SSL private keys, to mention just a few. (SSH public keys and certificates are not secret themselves, but they usually travel with the private material that is.) As we already know, it is bad practice to store such values in plain text, least of all in a version-controlled repository: anyone who can read the repository, its history or a backup of it gets the secrets too, and we can only imagine what would happen if attackers or unauthorized users got hold of them.

Ansible provides a handy feature for this known as Ansible Vault. As the name suggests, Ansible Vault keeps this kind of secret information encrypted at rest. It can encrypt individual variables (ansible-vault encrypt_string), entire files and whole YAML playbooks, as we shall demonstrate below. It is user-friendly: the same password is used to encrypt and to decrypt (the encryption is symmetric, AES-256 with a key derived from the password), so the security of the vault is the security of that password. Anyone holding the vault password can decrypt everything encrypted with it, so the password must be kept out of the repository. Note also that the files are only protected while they are encrypted: they are decrypted in memory when you run a playbook, and they stay in plain text on disk if you run ansible-vault decrypt and forget to encrypt them again.


Here are a few examples.

Encrypt a file/playbook:

# ansible-vault encrypt demo.yml
New Vault password:
Confirm New Vault password:
Encryption successful

# cat demo.yml
$ANSIBLE_VAULT;1.1;AES256
63643961663965663630373861323966383565346165663231336562666338393363346162386238
3132343739396130643463333337386435663133316132640a313638373838616437663933633834
35626337373262383236646136616536616334346364393466616131306333353065386133666136
3532653438336364660a646262633233653364313965613562326136356366393564356364643536
62623034633565326535633365366362646339303766326536303431363031303235346137393233
33386334623163363032653237636363616161376635616666303136623461343134613034316365
62383464396461383937373332633462363838663764363337653265623738613035393735346634
32396265623932313530303332663937353931343036346532343266303364666566303739626534
34663839666665393363646139343931343930333430663039633934626330313830356432383861
3566343934366633353836383330303662306132623133663465
#

The first line is the envelope header (format version 1.1, cipher AES256). The rest is a hex encoding of the random salt, an HMAC-SHA256 tag and the AES-CTR ciphertext, wrapped at 80 columns, so nothing about the original content is recoverable without the password and the file is safe to commit.
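The envelope shown above can be inspected without decrypting it. The following is an added example (standard-library Python, not code from the original post or from the Ansible project) that parses the demo.yml blob printed above, checks its structure, and verifies whether a candidate password is correct by recomputing the HMAC tag with the same PBKDF2 derivation that Ansible's VaultAES256 uses; because the format is encrypt-then-MAC, the tag can be checked without any AES, which the standard library does not provide. It also includes a small pre-commit style guard that flags files named vault* that lack the header. build_envelope wraps constructed (not AES-produced) bytes in a valid envelope purely so that the checker can be exercised end to end; the file names in the last function are likewise constructed.

```python
"""Inspect an Ansible Vault 1.1/1.2 envelope without decrypting it (added example)."""
import binascii
import hashlib
import hmac
import os
import re

# Header: $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id label>]
_HEADER_RE = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>1\.[12]);(?P<cipher>AES256)(?:;(?P<vault_id>[^;\s]+))?$")

# VaultAES256 key derivation: PBKDF2-HMAC-SHA256 -> key1 (AES) | key2 (HMAC) | iv
PBKDF2_ITERATIONS = 10000
KEY_LEN = 32
IV_LEN = 16


def parse_envelope(text: str) -> dict:
    """Split a vault file into header fields plus salt, HMAC tag and ciphertext bytes."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty vault file")
    m = _HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("not an Ansible Vault file: %r" % lines[0][:40])
    # Body is hex of "salt_hex\nhmac_hex\nciphertext_hex", wrapped at 80 columns.
    inner = binascii.unhexlify("".join(lines[1:]))
    parts = inner.split(b"\n")
    if len(parts) != 3:
        raise ValueError("vault body does not have salt/hmac/ciphertext parts")
    env = {
        "version": m.group("version"),
        "cipher": m.group("cipher"),
        "vault_id": m.group("vault_id"),
        "salt": binascii.unhexlify(parts[0]),
        "hmac": binascii.unhexlify(parts[1]),
        "ciphertext": binascii.unhexlify(parts[2]),
    }
    # 32-byte salt and tag; PKCS7-padded AES output is a whole number of 16-byte blocks.
    if len(env["salt"]) != KEY_LEN or len(env["hmac"]) != KEY_LEN:
        raise ValueError("unexpected salt/hmac length")
    if not env["ciphertext"] or len(env["ciphertext"]) % IV_LEN:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return env


def derive_keys(password: str, salt: bytes):
    """PBKDF2-HMAC-SHA256 over the vault password, split as VaultAES256 splits it."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=2 * KEY_LEN + IV_LEN)
    return dk[:KEY_LEN], dk[KEY_LEN:2 * KEY_LEN], dk[2 * KEY_LEN:]


def password_matches(text: str, password: str) -> bool:
    """True if the password reproduces the file's HMAC tag (no decryption needed).

    A mismatch here is exactly what makes ansible-vault report a decryption failure
    with a wrong password: the tag is checked before any AES is attempted."""
    env = parse_envelope(text)
    _, key2, _ = derive_keys(password, env["salt"])
    tag = hmac.new(key2, env["ciphertext"], hashlib.sha256).digest()
    return hmac.compare_digest(tag, env["hmac"])


def build_envelope(password: str, fake_ciphertext: bytes, salt: bytes = None) -> str:
    """Wrap CONSTRUCTED bytes in a structurally valid 1.1 envelope (framing and HMAC only).

    The payload is not AES output; this exists to exercise the checker, not to store secrets."""
    salt = salt or os.urandom(KEY_LEN)
    _, key2, _ = derive_keys(password, salt)
    tag = hmac.new(key2, fake_ciphertext, hashlib.sha256).digest()
    inner = b"\n".join(binascii.hexlify(x) for x in (salt, tag, fake_ciphertext))
    hexed = binascii.hexlify(inner).decode()
    body = "\n".join(hexed[i:i + 80] for i in range(0, len(hexed), 80))
    return "$ANSIBLE_VAULT;1.1;AES256\n" + body + "\n"


def unvaulted_secret_files(files: dict) -> list:
    """Pre-commit guard: paths whose name starts with 'vault' but that lack the header.

    `files` maps path -> content (a real hook would read the staged files)."""
    return sorted(p for p, c in files.items()
                  if os.path.basename(p).startswith("vault")
                  and not c.startswith("$ANSIBLE_VAULT;"))


# The demo.yml blob printed above in this post, re-joined for parsing.
DEMO_YML = """$ANSIBLE_VAULT;1.1;AES256
63643961663965663630373861323966383565346165663231336562666338393363346162386238
3132343739396130643463333337386435663133316132640a313638373838616437663933633834
35626337373262383236646136616536616334346364393466616131306333353065386133666136
3532653438336364660a646262633233653364313965613562326136356366393564356364643536
62623034633565326535633365366362646339303766326536303431363031303235346137393233
33386334623163363032653237636363616161376635616666303136623461343134613034316365
62383464396461383937373332633462363838663764363337653265623738613035393735346634
32396265623932313530303332663937353931343036346532343266303364666566303739626534
34663839666665393363646139343931343930333430663039633934626330313830356432383861
3566343934366633353836383330303662306132623133663465
"""

if __name__ == "__main__":
    env = parse_envelope(DEMO_YML)
    print("version %s, cipher %s, salt %dB, tag %dB, ciphertext %dB" % (
        env["version"], env["cipher"], len(env["salt"]), len(env["hmac"]), len(env["ciphertext"])))
    print("password 'guess' matches:", password_matches(DEMO_YML, "guess"))
```

Because the tag check costs one PBKDF2 derivation (10,000 iterations) per attempt, this is also a reminder of why the vault password has to be long: an attacker with a copy of the file can run exactly this loop offline against a wordlist, and nothing in the format rate-limits them.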


Decrypt the encrypted Ansible file/playbook (this writes the plain text back to disk, so use it only when you really need the file in the clear, and encrypt it again afterwards; to just look at the contents, ansible-vault view demo.yml prints them without touching the file):

# ansible-vault decrypt demo.yml
Vault password:
Decryption successful


Edit an encrypted file in Ansible (the file is decrypted only into a temporary copy for your editor and re-encrypted when you save):

# ansible-vault edit demo.yml
Vault password:


Change the Ansible Vault password (rekey an encrypted file):

# ansible-vault rekey demo.yml
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful

Rekeying re-encrypts the current file with the new password. It does not help with copies that already exist under the old password, such as earlier revisions in git history: anyone who has the old password and an old commit can still decrypt those. If the old password was exposed, rotate the secrets inside the file as well, not just the password around them.


Run an encrypted playbook (it is decrypted in memory at runtime; the file on disk stays encrypted):

# ansible-playbook demo.yml --ask-vault-pass
Vault password:

PLAY [all] ***********************************************************************************

TASK [Gathering Facts] ***********************************************************************************
ok: [192.168.100.2]
ok: [192.168.100.1]

TASK [Date and Time example] ***********************************************************************************
ok: [192.168.100.1] => {
    "ansible_date_time.date": "2021-11-18"
}
ok: [192.168.100.2] => {
    "ansible_date_time.date": "2021-11-18"
}

PLAY RECAP ***********************************************************************************
192.168.100.1             : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
192.168.100.2             : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

--ask-vault-pass is fine at a terminal but not for cron jobs or CI, where nobody is there to type. There, pass the password with --vault-password-file (a file with mode 0600 that is never committed) or with --vault-id label@source, where the source can be a file or an executable script that fetches the password from a secret store. Also set no_log: true on tasks that handle vaulted values, otherwise a verbose run (-v) can print the decrypted secret to the console and to the job log.
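For the non-interactive case, Ansible can obtain the vault password from a client script: the script's name must end in -client, Ansible invokes it as script --vault-id LABEL and reads the password from its standard output, and it is selected with --vault-id LABEL@path/to/script. The following is an added example of such a script (not from the original post or the Ansible project). It assumes a layout of one password file per label under ~/.ansible/vault-ids/LABEL and a file name of vault-pass-client.py; both are assumptions. The security-relevant part is what it refuses: labels that could escape the directory, symlinks, files owned by someone else, and files readable by group or world, so a misconfigured checkout cannot quietly leak the password to other users of the box.

```python
#!/usr/bin/env python3
"""vault-pass-client.py: Ansible Vault password client script (added example).

Invoked by ansible-playbook as:  vault-pass-client.py --vault-id dev
Selected on the command line as: ansible-playbook site.yml --vault-id dev@./vault-pass-client.py
Assumed layout: ~/.ansible/vault-ids/<label>, one password per file, mode 0600.
"""
import argparse
import os
import stat
import sys

DEFAULT_DIR = os.path.expanduser("~/.ansible/vault-ids")  # assumed layout, not an Ansible convention
LABEL_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-")


def secret_path(label: str, base_dir: str = DEFAULT_DIR) -> str:
    """Map a vault-id label to a file; reject anything that could escape base_dir."""
    if not label or set(label) - LABEL_CHARS:
        raise ValueError("bad vault-id label: %r" % label)
    return os.path.join(base_dir, label)


def read_secret(path: str) -> str:
    """Return the password stored at path, refusing symlinks and files others can read."""
    st = os.lstat(path)                     # lstat: do not follow a planted symlink
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("%s must be a regular file, not a symlink or device" % path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s is readable by others; chmod 600 it" % path)
    if st.st_uid != os.getuid():
        raise PermissionError("%s is not owned by the current user" % path)
    with open(path, "r", encoding="utf-8") as fh:
        secret = fh.read().rstrip("\r\n")
    if not secret:
        raise ValueError("%s is empty" % path)
    return secret


def main(argv=None) -> int:
    parser = argparse.ArgumentParser(description="Ansible Vault password client")
    parser.add_argument("--vault-id", default="default", help="label passed by Ansible")
    args = parser.parse_args(argv)
    try:
        sys.stdout.write(read_secret(secret_path(args.vault_id)) + "\n")
        return 0
    except (OSError, ValueError) as exc:
        # A non-zero exit makes ansible-playbook abort instead of proceeding with no password.
        sys.stderr.write("vault-pass-client: %s\n" % exc)
        return 2


if __name__ == "__main__":
    sys.exit(main())
```

Make the script executable (chmod 700) and keep it, like the password files, out of the repository. The same shape works for any other backend: replace read_secret with a lookup in your secret manager, keep the strict label validation, and keep the non-zero exit on failure.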


