Dear Readers,
In this article, we will see how to use Ansible Vault to protect playbooks.
What is Vault in Ansible?
- Ansible Vault is a feature of Ansible that allows you to keep sensitive data such as passwords or keys in encrypted files, rather than as plain text in playbooks or roles.
- This provides the ability to secure any secrets or sensitive data that is necessary to run Ansible plays successfully but should not be publicly visible, such as private keys or passwords.
- Ansible automatically decrypts the vault-encrypted content at run time when the key is provided.
- Ansible Vault is implemented with file-level granularity.
- It means files are either entirely encrypted or unencrypted.
- It uses the AES256 algorithm to provide symmetric encryption keyed to a user-supplied password.
- This means the same password is used to encrypt and decrypt the content, which is helpful from a usability standpoint.
- Ansible can identify and decrypt any vault-encrypted files it finds while executing a task or playbook.
Steps to Follow
- Create a new Encrypted playbook “kt-vault.yml”.
- Edit the Encrypted playbook “kt-vault.yml”.
- Change the Vault password for the encrypted playbook “kt-vault.yml”.
- Decrypt the playbook “kt-vault.yml”.
- Encrypt Existing Playbook “kt-target.yml”.
- Decrypt the playbook “kt-target.yml”.
- Running a playbook “kt-tasks.yml” with Vault.
1. Create a new Encrypted playbook “kt-vault.yml”
To create a new playbook encrypted with Vault, use the ansible-vault create command and pass the playbook name.
You will be prompted to enter and confirm a password.
Once you have confirmed your password, Ansible immediately opens an editor window where you can write the playbook content, then save and exit.
[kt-ansible@ip-172-31-15-116 ~]$ ansible-vault create kt-vault.yml
New Vault password:
Confirm New Vault password:
---
# My tasks YAML playbook (Target and Tasks)
- hosts: Ktexperts-Group
  user: kt-ansible
  become: yes
  connection: ssh
  tasks:
    - name: Install HTTPD on Amazon Linux
      action: yum name=httpd state=installed
Note: type :wq! to save the file and quit the editor.
The playbook has been encrypted successfully.
Test the Encrypted Playbook “kt-vault.yml”
Trying to open the encrypted playbook “kt-vault.yml” with the cat command shows only ciphertext.
We are unable to read the content of the playbook “kt-vault.yml” because Ansible has encrypted it.
[kt-ansible@ip-172-31-15-116 ~]$ cat kt-vault.yml
$ANSIBLE_VAULT;1.1;AES256
30633963343837323865376566323164336437636633666237386662383563313062363936623136
6331356333333661366439396437383466613761626263650a663632623436616536666531313537
30613130333933623563356539616664323166373632663130303165303066313761616631373436
3735346434346538300a
Note: the playbook cannot be edited or modified directly because it is now encrypted.
If you want to edit or modify the playbook, use the command below and provide the vault password for that playbook.
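The ciphertext shown by cat above is Ansible's vault envelope: a $ANSIBLE_VAULT;1.1;AES256 header followed by a hex-encoded body carrying the salt, an HMAC-SHA256 tag and the AES-256-CTR ciphertext. The following Python is an added example, not code from the original post or from Ansible itself: it parses that envelope and checks a candidate password against the HMAC (the integrity check Ansible performs before decrypting), so a CI job can confirm that a committed file really is encrypted and that the expected vault password still opens it. The format details (PBKDF2-HMAC-SHA256 with 10000 rounds, 32-byte salt, 80 bytes of derived key material) are assumed from Ansible's VaultAES256 implementation, and build_fixture only constructs a sample envelope for testing; it is not an encryptor.

```python
# Added example, not from the original post: parse the "$ANSIBLE_VAULT;1.1;AES256" envelope that
# cat printed above and check a password against its HMAC without decrypting. Assumed format
# (Ansible's VaultAES256): body = hex("salt_hex\nhmac_hex\nct_hex"); PBKDF2-HMAC-SHA256 with
# 10000 rounds derives 80 bytes = AES-256 key | HMAC key | CTR IV.
import binascii
import hashlib
import hmac
import os
from typing import NamedTuple

HEADER, PBKDF2_ROUNDS = "$ANSIBLE_VAULT", 10000

class VaultEnvelope(NamedTuple):
    version: str
    salt: bytes
    mac: bytes
    ciphertext: bytes

def parse_vault(text: str) -> VaultEnvelope:
    """Split a vault file into version, salt, HMAC and ciphertext; raise on anything else."""
    lines = text.strip().splitlines() or [""]
    hdr = lines[0].split(";")
    if len(hdr) < 3 or hdr[0] != HEADER or hdr[2] != "AES256":
        raise ValueError("not an AES256 Ansible Vault file")
    # The 80-column wrapping is cosmetic: join the lines, then un-hex twice.
    salt_hex, mac_hex, ct_hex = binascii.unhexlify("".join(lines[1:])).decode().split("\n")
    env = VaultEnvelope(hdr[1], bytes.fromhex(salt_hex), bytes.fromhex(mac_hex), bytes.fromhex(ct_hex))
    if len(env.salt) != 32 or len(env.mac) != 32 or len(env.ciphertext) % 16:
        raise ValueError("unexpected salt/HMAC/ciphertext length")
    return env

def derive_keys(password: str, salt: bytes):
    """PBKDF2 yields 80 bytes: 32-byte AES-256 key, 32-byte HMAC key, 16-byte CTR IV."""
    d = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, 80)
    return d[:32], d[32:64], d[64:]

def password_matches(text: str, password: str) -> bool:
    """True only if the HMAC verifies: correct password and untampered ciphertext."""
    env = parse_vault(text)
    mac_key = derive_keys(password, env.salt)[1]
    expected = hmac.new(mac_key, env.ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, env.mac)

def build_fixture(password: str, fake_ct: bytes) -> str:
    """Constructed envelope with the real salt/HMAC layout; fake_ct stands in for AES-CTR output."""
    salt = os.urandom(32)
    mac = hmac.new(derive_keys(password, salt)[1], fake_ct, hashlib.sha256).hexdigest()
    body = "\n".join([salt.hex(), mac, fake_ct.hex()]).encode().hex()
    return "\n".join([f"{HEADER};1.1;AES256"] + [body[i:i + 80] for i in range(0, len(body), 80)]) + "\n"
```

Pointing password_matches at a real file produced by ansible-vault create tells you whether the stored password is still the right one without exposing the plaintext.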
2. Edit the Encrypted playbook “kt-vault.yml”
When you need to edit an encrypted file, use the ansible-vault edit command.
You’ll be prompted to insert the vault password.
The decrypted file will open in the vi editor, where you can make the required changes.
[kt-ansible@ip-172-31-15-116 ~]$ ansible-vault edit kt-vault.yml
Vault password:
---
# My tasks YAML playbook (Target and Tasks)
- hosts: Ktexperts-Group
  user: kt-ansible
  become: yes
  connection: ssh
  tasks:
    - name: Install HTTPD on Amazon Linux
      action: yum name=httpd state=insta
Note: type :wq! to save the file and quit the editor.
If you check the file afterwards, you will see that your text is encrypted again automatically when you save and close.
Test the Encrypted Playbook “kt-vault.yml”
[kt-ansible@ip-172-31-15-116 ~]$ cat kt-vault.yml
$ANSIBLE_VAULT;1.1;AES256
30633963343837323865376566323164336437636633666237386662383563313062363936623136
6331356333333661366439396437383466613761626263650a663632623436616536666531313537
30613130333933623563356539616664323166373632663130303165303066313761616631373436
3735346434346538300a
Viewing Encrypted Playbook “kt-vault.yml”
If you wish to just view an encrypted file, you can use the ansible-vault view command.
Again you’ll be prompted for a password.
[kt-ansible@ip-172-31-15-116 ~]$ ansible-vault view kt-vault.yml
Vault password:
---
# My tasks YAML playbook (Target and Tasks)
- hosts: Ktexperts-Group
  user: kt-ansible
  become: yes
  connection: ssh
  tasks:
    - name: Install HTTPD on Amazon Linux
      action: yum name=httpd state=installed
3. Change the Vault password for the encrypted playbook “kt-vault.yml”
Use ansible-vault rekey to change the vault password.
You will be prompted for the vault’s current password, then for the new password, and finally for a confirmation of the new password.
[kt-ansible@ip-172-31-15-116 ~]$ ansible-vault rekey kt-vault.yml
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful
4. Decrypt the playbook “kt-vault.yml”
To decrypt a vault encrypted file, use the ansible-vault decrypt command.
You will be prompted for the encryption password for the file. Once you enter the correct password, the file will be decrypted:
[kt-ansible@ip-172-31-15-116 ~]$ ansible-vault decrypt kt-vault.yml
Vault password:
Decryption successful
Test the Decrypted Playbook “kt-vault.yml”
Use the cat command to see the content of the decrypted playbook “kt-vault.yml”.
[kt-ansible@ip-172-31-15-116 ~]$ cat kt-vault.yml
---
# My tasks YAML playbook (Target and Tasks)
- hosts: Ktexperts-Group
  user: kt-ansible
  become: yes
  connection: ssh
  tasks:
    - name: Install HTTPD on Amazon Linux
      action: yum name=httpd state=installed
5. Encrypt Existing Playbook “kt-target.yml”
Use ansible-vault encrypt to encrypt an existing playbook.
Again, you will be prompted to provide and confirm a password. Afterwards, a message will confirm the encryption.
[kt-ansible@ip-172-31-15-116 ~]$ ansible-vault encrypt kt-target.yml
New Vault password:
Confirm New Vault password:
Encryption successful
Test the Encrypted Playbook “kt-target.yml”
Use the cat command to see the content of the encrypted playbook.
[kt-ansible@ip-172-31-15-116 ~]$ cat kt-target.yml
$ANSIBLE_VAULT;1.1;AES256
61346361323837633037653139623263326531376535663364616336646634326636336261383739
6132663566323061666537326364366432383166396263390a626464666165376235376430653266
36653630313263326161393232386235663737373232616663336261313134333264623662623232
3337653461303238630a663035333433333066313563313737633938333435626430613331396538
30333031376531346534306364663137373664333237376631346237623934303037353663366664
37613231343261613832383063663538303037653334343932663036353334363364636134353263
38323033646164303063646466656137306432316238386263306336396363363034326638656535
65626639656430633161636465376463663865383465356536396638383164646264633935616365
30346464383332653638666566623338336561323032633434383338373066306163613066653430
35313435613231353337343439313965666234373635393535333836356639633164366431386164
38613466386339663035663737356633353064616433666630613663623839323464383231643465
35376434353233323665666333323932653237633533396337333330643032313538633438343033
62346336396534383066356435383438386461346436643736663766313464636337663863303663
3764343036663239373335393939663931656432633864333337
Viewing Encrypted Playbook “kt-target.yml”
If you wish to just view an encrypted file, you can use the ansible-vault view command.
Again you’ll be prompted for a password.
[kt-ansible@ip-172-31-15-116 ~]$ ansible-vault view kt-target.yml
Vault password:
---
# My First YAML playbook
- hosts: Ktexperts-Group
  user: kt-ansible
  become: yes            # yes or no
  connection: ssh        # ssh or paramiko
  gather_facts: yes      # yes or no
6. Decrypt the playbook “kt-target.yml”
To decrypt a vault encrypted file, use the ansible-vault decrypt command.
You will be prompted for the encryption password for the file. Once you enter the correct password, the file will be decrypted.
[kt-ansible@ip-172-31-15-116 ~]$ ansible-vault decrypt kt-target.yml
Vault password:
Decryption successful
Test the Decrypted Playbook “kt-target.yml”
Use the cat command to see the content of the decrypted playbook “kt-target.yml”.
[kt-ansible@ip-172-31-15-116 ~]$ cat kt-target.yml
---
# My First YAML playbook
- hosts: Ktexperts-Group
  user: kt-ansible
  become: yes            # yes or no
  connection: ssh        # ssh or paramiko
  gather_facts: yes      # yes or no
7. Running a playbook “kt-tasks.yml” with Vault
Use the command below to run a playbook with Vault; the --ask-vault-pass option makes ansible-playbook prompt for the vault password before it runs.
[kt-ansible@ip-172-31-15-116 ~]$ ansible-playbook kt-target.yml --ask-vault-pass
Vault password:

PLAY [Ktexperts-Group] ******************************************************************************************************************

TASK [Gathering Facts] ******************************************************************************************************************
ok: [172.31.11.251]
ok: [172.31.2.38]

PLAY RECAP ******************************************************************************************************************************
172.31.11.251              : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
172.31.2.38                : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0