Keeping secrets with Ansible Vault

In the last few posts, I’ve talked about using Ansible for configuring servers and local environments, during both of which, you’re likely to have some sensitive or secret values. These could be database credentials within your application and on your server, and your SSH private keys within your local environment.

Rather than committing these to a code repository in plain text, Ansible includes the ansible-vault command to encrypt values.

To see this working, run ansible-vault encrypt_string my-secret-password, enter a password, and then you should see something like this:

!vault |
  $ANSIBLE_VAULT;1.1;AES256
  33353031663366313132333831343930643830346531666564363562666136383838343235646661
  6336326637333230396133393936646636346230623932650a333035303265383437633032326566
  38616262653933353033376161633961323666366132633033633933653763373539613434333039
  6132623630643261300a346438636332613963623231623161626133393464643634663735303664
  66306433633363643561316362663464646139626533323363663337363361633333

This is the encrypted version of that password, and this could be committed and pushed to a code repository.

You can use it within a playbook, and you’ll be prompted to re-enter the password so that Ansible can decrypt and use it.

Rather than a single string, you could have a file of variables that you want to encrypt. You can do this by running ansible-vault encrypt vault.yml and include it as before. Again, you’ll be prompted by Ansible so that it can decrypt and use the values.

For an example of how I’m using Ansible Vault, see the Dransible repository on GitHub or my Deploying PHP applications with Ansible, Ansible Vault and Ansistrano talk.


Want to learn more about how I use Ansible? Register for my upcoming free email course.