Ansible: How to encrypt some variables in an inventory file in a separate vault file?

by

Since Ansible 2.3 you can encrypt a Single Encrypted Variable.
IMO, a walkthrough is needed as the doco’s seem pretty terse.

Given an example of: mysql_password: password123 (within main.yml)

Run a command such as:

ansible-vault encrypt_string password123 --ask-vault-pass

This will produce:

    !vault |
$ANSIBLE_VAULT;1.1;AES256
66386439653236336462626566653063336164663966303231363934653561363964363833
3136626431626536303530376336343832656537303632313433360a626438346336353331
Encryption successful

paste this into your main.yml:

mysql_password: !vault |
    $ANSIBLE_VAULT;1.1;AES256
    66386439653236336462626566653063336164663966303231363934653561363964363833
    3136626431626536303530376336343832656537303632313433360a626438346336353331

run playbook:

Ie, ansible-playbook -i hosts main.yml --ask-vault-pass

Verify via debug:

- debug:
    msg: "mysql Pwd: {{ mysql_password }}"

Leave a Comment

Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)