ansible-vault – Tarik Billa

How to store ansible_become_pass in a vault and how to use it?

December 12, 2023 by Tarik

You need to create some vaulted variable files and then either include them in your playbooks or on the command line. If you change your inventory file to use a variable for the become pass this variable can be vaulted: [my-servers] san-francisco ansible_host=san-francisco ansible_ssh_user=user ansible_become_pass=”{{ sanfrancisco_become_pass }}” san-diego ansible_host=san-diego ansible_ssh_user=user ansible_become_pass=”{{ sandiego_become_pass }}” Then use … Read more

How to diff ansible vault changes?

June 11, 2023 by Tarik

You can do this very neatly, so that the normal git tools like git log and git diff can see inside the vaulted files, using a custom git diff driver and .gitattributes. Make sure that your vault password is in .vault_password and that that file is not committed – you should also add it to … Read more

Ansible: How to encrypt some variables in an inventory file in a separate vault file?

February 11, 2023 by Tarik

Since Ansible 2.3 you can encrypt a Single Encrypted Variable. IMO, a walkthrough is needed as the doco’s seem pretty terse. Given an example of: mysql_password: password123 (within main.yml) Run a command such as: ansible-vault encrypt_string password123 –ask-vault-pass This will produce: !vault | $ANSIBLE_VAULT;1.1;AES256 66386439653236336462626566653063336164663966303231363934653561363964363833 3136626431626536303530376336343832656537303632313433360a626438346336353331 Encryption successful paste this into your main.yml: mysql_password: !vault … Read more

How to decrypt string with ansible-vault 2.3.0

February 1, 2023 by Tarik

You can also do with plain ansible command for respective host/group/inventory combination, e.g.: $ ansible my_server -m debug -a ‘var=my_secret’ my_server | SUCCESS => { “my_secret”: “373861663362363036363361663037373661353137303762” }