harobed / ansible-vault-tutorial

In this tutorial, I try to explain how to structure one Ansible environment with Ansible Vault support and store Ansible vault password with GnuPG.

Ansible Vault Tutorial

In this tutorial, I try to explain how to structure one Ansible environment with:

  • Ansible Vault support
  • a master key stored in a secret file encrypted with GPG
  • multi-user support: the master key can be encrypted with several GPG keys, so every team member can decrypt it with their own private key

Prerequisite

$ brew install ansible gnupg

Optional, for testing only:

$ brew install python3
$ brew cask install vagrant virtualbox
$ pip3 install paramiko

Create or edit secret file

If the secret file does not exist yet, create it:

$ ansible-vault create hosts/group_vars/all/secrets.yml

or edit an existing file:

$ ansible-vault edit hosts/group_vars/all/secrets.yml

Show secret content:

$ ansible-vault view hosts/group_vars/all/secrets.yml
my_secret: password

Execute demo

Start vagrant server

$ vagrant up

Test that Ansible can reach the Vagrant server:

$ ansible -m ping all
server | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

Execute the test playbook, which uses a variable from Ansible Vault:

$ ansible-playbook playbooks/demo.yml

PLAY [server] ******************************************************************

TASK [Gathering Facts] *********************************************************
ok: [server]

TASK [demo : Upload template file to /home/ubuntu/test1.txt] *******************
ok: [server]

PLAY RECAP ********************************************************************
server                     : ok=2    changed=0    unreachable=0    failed=0

Check secret content in test1.txt file:

$ vagrant ssh -c "cat test1.txt"
variable: password

How Ansible Vault password is configured

The master key is stored in the secrets/ansible-vault-password.txt.gpg file. Read secrets/README.md to learn how to generate this file.

The default vault password file is configured like this in ansible.cfg:

vault_password_file = secrets/ansible-vault.sh

The secrets/ansible-vault.sh file is a script that uses gpg to decrypt the master key. Because it is executable, Ansible runs it and uses its standard output as the vault password, so the plaintext key is never stored on disk:

#!/bin/bash
# Decrypt the GPG-encrypted master key and print it for Ansible; --batch and
# --quiet keep gpg from prompting or writing status noise to stdout.
gpg --decrypt --quiet --batch secrets/ansible-vault-password.txt.gpg
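The generation step that secrets/README.md describes is not shown on this page. The following is an added example, not a script from the repository, showing how the multi-recipient master key file can be produced and how the vault password script can fail loudly when the file is missing. The file paths and the recipient addresses are assumptions.

```shell
#!/bin/sh
# Added example (not part of ansible-vault-tutorial): create the GPG-encrypted
# master key for several team members, and decrypt it the way a
# vault_password_file script should. Paths and recipients are assumptions.
set -eu

# Turn a list of GPG key IDs or e-mail addresses into gpg `-r` arguments.
recipient_args() {
  args=""
  for key in "$@"; do
    args="$args -r $key"
  done
  printf '%s' "${args# }"
}

# Generate a 32-byte random master key as a single base64 line.
generate_master_key() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Pipe a fresh master key straight into gpg so the plaintext never touches
# disk; encrypting to several recipients lets each one decrypt with their own key.
encrypt_master_key() {
  out="$1"; shift
  # word-splitting of the -r arguments is intended
  generate_master_key | gpg --encrypt --armor --batch --yes $(recipient_args "$@") --output "$out"
}

# What the vault_password_file script should do: refuse to continue when the
# encrypted file is missing so Ansible fails instead of using an empty password.
decrypt_master_key() {
  enc="$1"
  if [ ! -f "$enc" ]; then
    echo "master key file $enc not found" >&2
    return 1
  fi
  gpg --decrypt --quiet --batch "$enc"
}

# Usage (needs gpg with the recipients' public keys imported):
#   encrypt_master_key secrets/ansible-vault-password.txt.gpg alice@example.com bob@example.com
#   decrypt_master_key secrets/ansible-vault-password.txt.gpg
```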
