Conventions: Commands are executed in bash and their outputs are shown in bold. Some command executions are shown as screenshots to avoid possible truncation and formatting issues.
Ansible Vault IDs
Vault IDs are supported starting with Ansible 2.4.
Vault IDs make it possible to encrypt different files with different passwords and reference all of them from inside a single playbook. Prior to Ansible 2.4, only one vault password could be used in each Ansible run, forcing all files to be encrypted with the same vault password.
NOTE: You can't encrypt the same file / string using two different passphrases. Vault IDs let you use different passphrases for different files, rather than the same passphrase for everything, which was the case prior to Ansible 2.4.
First and foremost, Vault IDs need to be pre-created and referenced (best practice) inside your ansible.cfg file
The below excerpt is from 'ansible-config list' for DEFAULT_VAULT_IDENTITY_LIST:
DEFAULT_VAULT_IDENTITY_LIST:
  default: []
  description: A list of vault-ids to use by default. Equivalent to multiple --vault-id
    args. Vault-ids are tried in order.
  env:
  - {name: ANSIBLE_VAULT_IDENTITY_LIST}
  ini:
  - {key: vault_identity_list, section: defaults}
  name: Default vault ids
  type: list
  yaml: {key: defaults.vault_identity_list}
As the output above shows, you can reference multiple vault ids and their corresponding vault password files (which hold your passphrases) in ansible.cfg using the vault_identity_list key under the [defaults] section.
My ansible.cfg has the below configuration.
[sanujan@fedora ansible]$ cat ansible.cfg
[defaults]
inventory = inventory
remote_user = root
vault_identity_list = inline@~/ansible/.inline_pass , files@~/ansible/.files_pass
I've pre-created two vault password files with appropriate permissions under my $HOME/ansible directory.
vault_identity_list = inline@~/ansible/.inline_pass , files@~/ansible/.files_pass
maps vault-id 'inline' to /home/sanujan/ansible/.inline_pass
and vault-id 'files' to /home/sanujan/ansible/.files_pass
The contents of those password files are shown below.
[sanujan@fedora ansible]$ cat ~/ansible/.files_pass
REDHAT
[sanujan@fedora ansible]$ cat ~/ansible/.inline_pass
redhat
[sanujan@fedora ansible]$ ls -l ~/ansible/.files_pass ~/ansible/.inline_pass
-r--------. 1 sanujan sanujan 7 Sep 23 06:25 /home/sanujan/ansible/.files_pass
-r--------. 1 sanujan sanujan 7 Sep 23 06:25 /home/sanujan/ansible/.inline_pass
I have created a sample playbook which has an encrypted string and a reference to an encrypted vars file (vars/vars.yml).
How the string and vars file are encrypted is detailed below.
Encrypting a file to be included/referenced inside the playbook
[sanujan@fedora ansible]$ ansible-vault encrypt --encrypt-vault-id files vars/vars.yml
--encrypt-vault-id files : This is how we reference the vault id 'files' to be used for encrypting the file vars/vars.yml in the playbook directory.
The above command doesn't prompt us for a password, as it references the id 'files' from ansible.cfg, which maps to ~/ansible/.files_pass, wherein we have the passphrase 'REDHAT' hardcoded.
In the vars/vars.yml file, a variable is initialized with the key 'course' and value 'DO457'.
To view the encrypted file, you can use the 'view' subcommand of ansible-vault. Here the passphrase is picked up automatically by Ansible, as it's referenced inside ansible.cfg.
[sanujan@fedora ansible]$ ansible-vault view vars/vars.yml
course: DO457
Encrypting a string to be used inside a playbook
[sanujan@fedora ansible]$ ansible-vault encrypt_string --encrypt-vault-id inline -n testing this-is-the-secret
--encrypt-vault-id inline : This is how we reference the vault id 'inline' to be used for encrypting the string 'this-is-the-secret'.
-n testing : testing is the name of the variable which holds the value 'this-is-the-secret' (without quotes)
The above command doesn't prompt us for a password, as it references the id 'inline' from ansible.cfg, which maps to ~/ansible/.inline_pass, wherein we have the passphrase 'redhat' hardcoded.
The screenshot of the above command output is given below, to avoid any possible issues with YAML formatting.
As you can see, the output starts with the variable name 'testing', followed by '!vault |' indicating that it's vault encrypted. The header line that follows has three fields:
1.2 - the vault version which supports vault id.
AES256 - AES cipher in 256bits.
inline - vault id in use.
NOTE: the vault id is visible in the header.
Now you can copy and paste the contents, including the variable name (here 'testing'), all the way down to the line before 'Encryption successful', into your playbook.
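Because the vault id sits in clear text in that header, a vars file or playbook can be inventoried for which id each vaulted value needs without decrypting anything. The following is an added example (not part of the original post or of Ansible) that parses the '$ANSIBLE_VAULT;1.2;AES256;inline' header, the 'name: !vault |' lines and the vault_identity_list value from ansible.cfg, and checks password-file permissions; the sample vars text and its hex bodies are constructed filler.

```python
import re

# Header on the first line of every vault payload, e.g. "$ANSIBLE_VAULT;1.2;AES256;inline".
# Format 1.1 carries no vault id; format 1.2 (Ansible 2.4+) stores the id in clear text.
VAULT_HEADER = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>1\.[12]);(?P<cipher>[A-Z0-9]+)(?:;(?P<vault_id>[^;\s]+))?$")
# A YAML mapping line that introduces an inline vault string: "testing: !vault |".
VAULT_TAG = re.compile(r"^\s*(?P<name>[A-Za-z_]\w*):\s*!vault\s*\|\s*$")

def parse_vault_header(line):
    """Return (version, cipher, vault_id) for a vault header line, or None if it is not one."""
    m = VAULT_HEADER.match(line.strip())
    return (m.group("version"), m.group("cipher"), m.group("vault_id")) if m else None

def parse_identity_list(value):
    """Parse an ansible.cfg vault_identity_list value ('id@source , id@source') into {id: source}."""
    ids = {}
    for item in filter(None, (part.strip() for part in value.split(","))):
        vault_id, _, source = item.partition("@")
        ids[vault_id] = source
    return ids

def find_vault_strings(yaml_text):
    """Yield (variable_name, parsed_header) for each 'name: !vault |' block in playbook or vars text."""
    lines = yaml_text.splitlines()
    for i, line in enumerate(lines[:-1]):
        m = VAULT_TAG.match(line)
        header = parse_vault_header(lines[i + 1]) if m else None
        if header:
            yield m.group("name"), header

def audit(yaml_text, identity_list):
    """Per vaulted variable: the id its header names and whether ansible.cfg defines that id."""
    known = parse_identity_list(identity_list)
    return {name: {"version": ver, "cipher": cipher, "vault_id": vid, "id_in_cfg": vid in known}
            for name, (ver, cipher, vid) in find_vault_strings(yaml_text)}

def mode_is_private(mode):
    """True when a password file's mode grants nothing to group or other (0400 as in the ls -l output)."""
    return mode & 0o077 == 0

# Constructed sample (assumption): headers follow the page's format, the hex bodies are fake filler.
SAMPLE_VARS = """\
testing: !vault |
  $ANSIBLE_VAULT;1.2;AES256;inline
  31313131313131313131313131313131
legacy: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  32323232323232323232323232323232
"""
CFG_VALUE = "inline@~/ansible/.inline_pass , files@~/ansible/.files_pass"
```

Note that a label not found in ansible.cfg does not by itself stop decryption, since Ansible tries every configured password in order; the audit only tells you which id a payload was written with.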
Executing the playbook
[sanujan@fedora ansible]$ ansible-playbook vault_encryption.yml
Prompting the vault password during playbook execution
If the vault_identity_list key is set in ansible.cfg, Ansible will always read those password files in order (from left to right) and try each of them for a matching passphrase (even disregarding the vault id before the @ character).
If you want to be prompted for the password to decrypt the vault string/file, comment out the vault_identity_list key in ansible.cfg and execute the playbook with --vault-id id@prompt. For example:
[sanujan@fedora ansible]$ ansible-playbook --vault-id inline@prompt --vault-id files@prompt vault_encryption.yml
As you can see, it prompts twice: once for the passphrase for vault id 'inline' and a second time for 'files'.
Vault IDs in Tower
Ansible Tower also supports vault ids starting with Tower 3.3. You can reference the vault ids while creating a credential of type 'Vault'.
Hope you found this useful.
Credits: This entire discussion has been shamelessly adapted from the below referenced blogs and ansible documentation at http://docs.ansible.com
1. https://dev.iachieved.it/iachievedit/ansible-vault-ids/
2. http://www.bloggingforlogging.com/2018/05/20/decrypting-the-secrets-of-ansible-vault-in-powershell/
3. https://docs.ansible.com/ansible/2.6/user_guide/vault.html
The best, to-the-point use case I have read on the subject.
Red Hat Learning Community