Ansible secrets
===============

Published : 11 February 2025
Reading : 5 min
Tags : Ansible
URL : https://ctrl-find.nl/posts/ansible_secrets/
Plain text : https://ctrl-find.nl/posts/ansible_secrets/index.txt

------------------------------------------------------------

## Ansible-vault?!

Always wondered how to use Ansible with sensitive information like secrets, files, variables or configurations? That's where ansible-vault comes into play: it encrypts the data with a password.

There are two ways to use ansible-vault: with CLI parameters, or with a password file. We will explore both options below.

## How to use the CLI parameters

The CLI parameter variant asks for the password you want to use to encrypt, decrypt or view the encrypted content. I have created a file named /Users/sebas/Desktop/ansible/supersecret.yml with the following content in it:

Content for the supersecret.yml file

```yaml
---
vault_mysql_root_password: "Supersecretshere"
```

## CLI ansible-vault options

There are plenty of options in the ansible-vault CLI tool, but we focus on the main ones: encrypting, viewing and decrypting.

### Encrypting the file

Choose a password to use to encrypt the file. **WARNING! DO NOT FORGET IT!** Otherwise the file can't be decrypted.

```bash
sebas@eyeofmordor ansible % ansible-vault encrypt supersecret.yml
New Vault password:
Confirm New Vault password:
Encryption successful
```

### Viewing the encrypted file

The output is transformed into a format that is not readable for us, but it is for ansible-vault.
```bash
sebas@eyeofmordor ansible % cat supersecret.yml
$ANSIBLE_VAULT;1.1;AES256
64353937646132353735643538633165363439383532346666316561333537303432333033623661
3737613233323436616263356638363133313734653462650a316330623931356230326434383930
34353834366436643838306631666366333437303430666333303638323365643435343966386630
3638383866393463340a633337313466646231613862623330346333346363343834383536333935
34633937303066366235336165633362616434613931636666663365313435313862
```

### Viewing the file

Viewing lets you see the encrypted secret without decrypting the file itself. It uses the password we set earlier when encrypting the file.

```bash
sebas@eyeofmordor ansible % ansible-vault view supersecret.yml
Vault password:
vault_mysql_root_password: Supersecretshere
```

### Decrypting the file

Decrypting makes the file readable for us again, which also means it is exposed again.

```bash
sebas@eyeofmordor ansible % ansible-vault decrypt supersecret.yml
Vault password:
Decryption successful
sebas@eyeofmordor ansible % cat supersecret.yml
vault_mysql_root_password: Supersecretshere
```

## Playbook with CLI parameter ask password

To test this, we create a new playbook with vi `/Users/sebas/Desktop/ansible/my_first_vault_playbook.yml` and add the content below to it. Encrypt the supersecret.yml file with a self-chosen password in the way shown above.

```yaml
---
- name: playbook
  hosts: localhost
  vars_files: "./supersecret.yml"
  tasks:
    - name: Show MySQL root password
      debug:
        msg: "{{ vault_mysql_root_password }}"
```

To run the playbook we use the following command: `ansible-playbook my_first_vault_playbook.yml --ask-vault-password`. This will ask for the password we used to encrypt the supersecret.yml file.

```bash
sebas@eyeofmordor ansible % ansible-playbook my_first_vault_playbook.yml --ask-vault-password
Vault password:
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available.
Note that the implicit localhost does not match 'all'

PLAY [playbook] ***************************************************************

TASK [Gathering Facts] ********************************************************
ok: [localhost]

TASK [Show MySQL root password] ***********************************************
ok: [localhost] => {
    "msg": "Supersecretshere"
}

PLAY RECAP ********************************************************************
localhost : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
```

## How to use ansible-vault with a password file?

To use ansible-vault with a password file we need two essential files:

- ansible configuration file: /Users/sebas/Desktop/ansible/ansible.cfg
- password file: /Users/sebas/Desktop/ansible/.vault_pass

### Ansible configuration and a password file

We can tell Ansible to use certain parameters through the ansible.cfg file. We create this file and the password file in the ansible folder with touch `/Users/sebas/Desktop/ansible/ansible.cfg` and touch `/Users/sebas/Desktop/ansible/.vault_pass`.

Open the ansible.cfg file and place the following in it (the comment is on its own line, because Ansible does not strip `#` comments that follow a value on the same line):

```ini
[defaults]
# The name and location of the password file can be different.
vault_password_file = ./.vault_pass
```

Open the .vault_pass file and add something like this (preferably a strong password):

```text
welkom123
```

The ansible.cfg file applies to the folder it is in, which means we can add one to several roles and give each its own .vault_pass password.
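As an added example (not code from this post or from the Ansible project), the Python script below performs the checks a CI job or pre-commit hook would run on the setup described above. It parses the `$ANSIBLE_VAULT;1.1;AES256` envelope shown in "Viewing the encrypted file" to confirm a file is really encrypted: the hex payload wraps a 32-byte salt, a 32-byte HMAC-SHA256 and the AES-256-CTR ciphertext, so the structure can be validated without knowing the password. It also flags YAML files that still carry plaintext secret-looking keys, and checks that the password file is readable by its owner only and is listed in `.gitignore`. The vault blob, the `vault_` key prefix, the `.vault_pass` name and the sample file contents come from this post; the secret-key-name pattern is an assumption that you should tune to your own naming.

```python
"""Ansible Vault hygiene checks (added example, not the post's or Ansible's own code)."""
import binascii
import re
from dataclasses import dataclass
from typing import Optional

# Envelope header: "$ANSIBLE_VAULT;1.1;AES256" or, with a vault id, "$ANSIBLE_VAULT;1.2;AES256;dev".
VAULT_HEADER_RE = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>1\.[12]);(?P<cipher>[A-Za-z0-9]+)(?:;(?P<vault_id>[^;\s]+))?$"
)

# Assumed naming: "vault_*" keys, or keys containing password/secret/token, whose value is a
# literal rather than a "{{ ... }}" template reference (templates point at a vault, they are not secrets).
SECRET_KEY_RE = re.compile(
    r"^\s*(?:vault_\w+|\w*(?:password|secret|token)\w*)\s*:\s*(?!['\"]?\{\{)\S", re.I | re.M
)

# The encrypted supersecret.yml exactly as shown in the post.
VAULTED_SAMPLE = """
$ANSIBLE_VAULT;1.1;AES256
64353937646132353735643538633165363439383532346666316561333537303432333033623661
3737613233323436616263356638363133313734653462650a316330623931356230326434383930
34353834366436643838306631666366333437303430666333303638323365643435343966386630
3638383866393463340a633337313466646231613862623330346333346363343834383536333935
34633937303066366235336165633362616434613931636666663365313435313862
"""

# The plaintext supersecret.yml from the post (demo password, not a real credential).
PLAINTEXT_SAMPLE = '---\nvault_mysql_root_password: "Supersecretshere"\n'


@dataclass
class VaultEnvelope:
    version: str
    cipher: str
    vault_id: Optional[str]
    salt: bytes        # 32 random bytes used as the PBKDF2 salt
    hmac: bytes        # HMAC-SHA256 over the ciphertext (32 bytes)
    ciphertext: bytes  # AES-256-CTR output, PKCS7-padded to whole 16-byte blocks


def parse_vault_text(text: str) -> VaultEnvelope:
    """Split a vault file into its header and the three hex fields the body wraps.

    The body is hex("salt_hex\\nhmac_hex\\nciphertext_hex"); no password is needed to
    validate this structure, so the check is safe to run on every committed file.
    """
    header, _, body = text.strip().partition("\n")
    m = VAULT_HEADER_RE.match(header)
    if not m:
        raise ValueError("missing or malformed $ANSIBLE_VAULT header")
    if m["cipher"] != "AES256":
        raise ValueError("unsupported cipher %s" % m["cipher"])
    outer = binascii.unhexlify("".join(body.split()))
    fields = outer.split(b"\n")
    if len(fields) != 3:
        raise ValueError("payload must contain salt, hmac and ciphertext")
    salt, mac, ct = (binascii.unhexlify(f) for f in fields)
    if len(salt) != 32 or len(mac) != 32:
        raise ValueError("salt and HMAC-SHA256 must each be 32 bytes")
    if not ct or len(ct) % 16:
        raise ValueError("ciphertext must be a whole number of AES blocks")
    return VaultEnvelope(m["version"], m["cipher"], m["vault_id"], salt, mac, ct)


def is_vaulted(text: str) -> bool:
    """True when the text is a structurally valid vault envelope."""
    try:
        parse_vault_text(text)
        return True
    except (ValueError, binascii.Error):
        return False


def find_plaintext_secrets(files: dict) -> list:
    """Return the names of files that carry secret-looking keys but are not vault-encrypted."""
    return sorted(name for name, text in files.items()
                  if not is_vaulted(text) and SECRET_KEY_RE.search(text))


def password_file_mode_ok(mode: int) -> bool:
    """A .vault_pass should be readable by its owner only (0o600); group/other bits must be clear."""
    return mode & 0o077 == 0


def password_file_ignored(gitignore_text: str, name: str = ".vault_pass") -> bool:
    """The password file must never be committed next to the vault it opens."""
    return name in (line.strip() for line in gitignore_text.splitlines())


if __name__ == "__main__":
    env = parse_vault_text(VAULTED_SAMPLE)
    print("vault %s, cipher %s, salt/hmac/ct bytes: %d/%d/%d"
          % (env.version, env.cipher, len(env.salt), len(env.hmac), len(env.ciphertext)))
    tree = {"supersecret.yml": PLAINTEXT_SAMPLE, "vaulted.yml": VAULTED_SAMPLE,
            "vars/main.yml": 'sql:\n  password: "{{ vault_mysql_root_password }}"\n'}
    print("unvaulted secrets:", find_plaintext_secrets(tree))
    print(".vault_pass mode 0644 ok?", password_file_mode_ok(0o644))
```

Run it from the role folder before each commit, or wire it into a pre-commit hook; `find_plaintext_secrets` is fed a mapping of file name to content so the same logic can be pointed at a `git diff --cached` listing or at the whole vars tree.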
### Using encrypt and decrypt again

Because the ansible.cfg, password and supersecret.yml files are in the same folder, we can run the same commands again without getting the password prompt.

```bash
sebas@eyeofmordor ansible % ansible-vault encrypt supersecret.yml
Encryption successful
sebas@eyeofmordor ansible % cat supersecret.yml
$ANSIBLE_VAULT;1.1;AES256
36623333656433346334396263643435326433373830643931653637336131343033636334313135
3361393833306235336335623638336237373965313939660a326432343536336439633537336236
63336665366261316339376634373231363135633661623436346636653832653230393532383532
6335623333393865310a353162653035643737363962356161306165623433666135626236376436
38636334613764663530633361636561376535363030356339383434356336313762
sebas@eyeofmordor ansible % ansible-vault decrypt supersecret.yml
Decryption successful
sebas@eyeofmordor ansible % cat supersecret.yml
vault_mysql_root_password: Supersecretshere
```

## Password file for playbooks or roles?

We are going to reuse the role we created in part 4. Copy the .vault_pass file into the vars folder and copy the ansible.cfg file into the main role folder.

There is no way to use the vault directly from the role or playbook with a password file. The only solution is to use group_vars or host_vars folders outside the roles, which is a wider Ansible configuration setup.

Add the information below to our main.yml file in the vars folder. This lets us use the information from our vault as a variable inside the role itself.

```yaml
sql:
  password: "{{ vault_mysql_root_password }}"
```

To use the password from our file we need to surround it with `"{{ name from vault info }}"`. Ansible knows this syntax, and it can be used for other vars as well.

Add the following code blocks somewhere in the file 01_hostname.yml.

```yaml
- name: Include encrypted variables
  include_vars: vars/supersecret.yml  # This will load the vault file.

- name: show secret
  debug:
    msg: "{{ sql.password }}"
```

Let's run our role playbook: `ansible-playbook ../role_book.yml`

```bash
TASK [machine_info : Show MySQL root password] ********************************
ok: [localhost] => {
    "msg": "Supersecretshere"
}

PLAY RECAP ********************************************************************
localhost : ok=11 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
```

## Conclusion

We all use different kinds of secrets, whether variables, files or other configurations. Using an encryption method like ansible-vault helps automation a lot. It is not without faults, but it is better than exposing our secrets to the world.

Stay tuned for **Part 6: Testing our Ansible code**!