Ansible secrets

Ansible-vault?!

Always wondered how to use ansible with sensitive information like secrets,files,variables or configurations? Thats where ansible-vault comes to play, this is a way to encrypt the data with a password.

There are two ways to use ansible-vault, with cli parameters or use a password file. We will explorer both options below.

How to use the CLI parameters

The CLI parameters variant asks for a password that you want to use for en/decrypt or view the encrypted content. I have created a file named in /Users/sebas/Desktop/ansible/supersecret.yml with the following content in it:

Content for the supersecret.yml file

1
2


---
vault_mysql_root_password: "Supersecretshere"

CLI ansible-vault options

There are plenty of options in the ansible-vault CLI tool but we focus on the main options like encryptions, viewing decrypting.

Encrypting the file

Choose a password to use to encrypt the file. WARNING! DO NOT FORGET IT! otherwise the file cant be decrypted.

1
2
3
4


sebas@eyeofmordor ansible % ansible-vault encrypt supersecret.yml
New Vault password: 
Confirm New Vault password: 
Encryption successful

Viewing the encrypted file

The ouput is transformed into a non readable format for us but it is for ansible-vault.

1
2
3
4
5
6
7


sebas@eyeofmordor ansible % cat supersecret.yml
$ANSIBLE_VAULT;1.1;AES256
64353937646132353735643538633165363439383532346666316561333537303432333033623661
3737613233323436616263356638363133313734653462650a316330623931356230326434383930
34353834366436643838306631666366333437303430666333303638323365643435343966386630
3638383866393463340a633337313466646231613862623330346333346363343834383536333935
34633937303066366235336165633362616434613931636666663365313435313862

Viewing the file

Viewing is a options to view the encrypted secret without decrypting the file itself. This uses the password we set earlier when encrypting the file.

1
2
3


sebas@eyeofmordor ansible % ansible-vault view supersecret.yml
Vault password: 
vault_mysql_root_password: Supersecretshere

Decrypting the file

Decrypting is making the file readable way for us and exposable.

1
2
3
4
5
6


sebas@eyeofmordor ansible % ansible-vault decrypt supersecret.yml
Vault password: 
Decryption successful

sebas@eyeofmordor ansible % cat supersecret.yml
vault_mysql_root_password: Supersecretshere

Playbook with cli parameter ask password

To test this, we are creating a new playbook with vi /Users/sebas/Desktop/ansible/my_first_vault_playbook.yml and add the content below in it. Encrypt the supersecret.yml file with a selfchosen password through the way showed above.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10


---
- name: playbook   
  hosts: localhost
  vars_files:
    "./supersecret.yml"    

  tasks:                
  - name: Show MySQL root password
    debug:
      msg: "{{ vault_mysql_root_password }}"              

To run the playbook we use the following command ansible-playbook my_first_vault_playbook --ask-vault-password This will ask for the password we used to encrypt the supersecret.yml file.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17


sebas@eyeofmordor ansible % ansible-playbook my_first_vault_playbook.yml --ask-vault-password
Vault password: 
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [playbook] *********************************************************************************************************************************************

TASK [Gathering Facts] **************************************************************************************************************************************
ok: [localhost]

TASK [Show MySQL root password] *****************************************************************************************************************************
ok: [localhost] => {
    "msg": "Supersecretshere"
}

PLAY RECAP **************************************************************************************************************************************************
localhost                  : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

How to use ansible-vault with a password file?

To use a ansible-vault with a password file we need two essential files:

ansible configuration file: /Users/sebas/Desktop/ansible/ansible.cfg
password file: /Users/sebas/Desktop/ansible/.vault_pass

Ansible configuration and a password file

We can modify ansible to use certain parameters for the configuration, this will be done through ansible.cfg file. We create this file the ansible folder with touch /Users/sebas/Desktop/ansible/ansible.cfg and touch /Users/sebas/Desktop/ansible/.vault_pass Open the ansible.cfg file and place the following code in it:

1
2


[defaults]
vault_password_file = ./.vault_pass # The name can be different and locations also.

Open the .vault_pass file and add something like this (preferable something strong password):

1

welkom123

The ansible.cfg file works for the specific folder, this means we can add this file to more roles and specify for each its own .vault_pass password.

Using Encrypt, Decrypt again

Because the ansible.cfg, password, supersecret.yml files are in the same folder we can do the same commands again without getting the password prompt.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15


sebas@eyeofmordor ansible % ansible-vault encrypt supersecret.yml
Encryption successful

sebas@eyeofmordor ansible % cat supersecret.yml
$ANSIBLE_VAULT;1.1;AES256
36623333656433346334396263643435326433373830643931653637336131343033636334313135
3361393833306235336335623638336237373965313939660a326432343536336439633537336236
63336665366261316339376634373231363135633661623436346636653832653230393532383532
6335623333393865310a353162653035643737363962356161306165623433666135626236376436
38636334613764663530633361636561376535363030356339383434356336313762

sebas@eyeofmordor ansible % ansible-vault decrypt supersecret.yml
Decryption successful
sebas@eyeofmordor ansible % cat supersecret.yml
vault_mysql_root_password: Supersecretshere

Password file for playbooks or roles?

We are going to reuse our role we’ve created in part 4. Copy the .vault_pass file into the vars folder and copy the ansible.cfg file into to main role folder.

There is no solution to use the vault straight into the role or playbook with a password file. The only solution is to use a group/vars or host vars folders outside the roles, this is a wider ansible configuration setup

Add the information below to our main.yml file in the vars folder.

This lets us use the information from our vault as a variable inside the role itself.

1
2


sql:
  password: "{{ vault_mysql_root_password }}"

to use our password from our file we need to surround it with "{{ name from vault info }}" Ansible knows this syntax and can be used for other vars aswell. Add following code blocks somewhere in the file 01_hostname.yml.

1
2
3
4
5
6


- name: Include encrypted variables 
  include_vars: vars/supersecret.yml # This will load in the vault file.

- name: show secret
  debug: 
    msg: "{{ sql.password }}"

Lets run our role playbook ansible-playbook ../role_book.yml

1
2
3
4
5
6
7


TASK [machine_info : Show MySQL root password] **************************************************************************************************************
ok: [localhost] => {
    "msg": "Supersecretshere"
}

PLAY RECAP **************************************************************************************************************************************************
localhost                  : ok=11   changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0 

Conclusion

We all use different kind of secrets if its variables, files or other configurations. Using an encryption method like ansible-vault helps automation alot. It is not without faults but is better then exposing our secrets to the world.

Stay tuned for the Part 6: Tesing our Ansible code!