
I'm trying to use encryption for my sensitive information, e.g. passwords, etc.

The question is: How to use ansible-vault to encrypt variables and use them in playbooks?

I know how to encrypt a string (shown below), but I don't know how I can successfully use it in a playbook.
The reason is: I need something to "decrypt" the variable so Ansible can understand it. Where are these defined?

I have tried:

ansible-vault encrypt_string -- 'db_password'

Where I'm prompted with:

New Vault password: 
Confirm New Vault password: 

Result:

!vault |
          $ANSIBLE_VAULT;1.1;AES256
          63653238643164303561353238643934343861356332323038386236633963326232393830363961
          6366336230666134383864306136623030643339353166620a633030646334393563633662653736
          35646530383762363262333038376339396432373030363536373232393032316364636565663833
          6430316563653265660a366537373637346338383165653531646462313762663035343734316134
          3736
Encryption successful

Defining vault variable vault_db_password

vault_db_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          34353733663863636564363261373962616630333032326363633661326363643533326239363165
          3531393735333535383063373661336333356164653863630a356139333131323935306265623735
          35633665633739656337336562306638646339656235313063643363636433653765633830663330
          6136653534383461370a363839313065343731613035383731363337373866613534326261333531
          3362

Vault variable being used:

MYSQL_ROOT_PASSWORD: "{{ vault_db_password }}"

Result:

 FAILED! => {"msg": "Attempting to decrypt but no vault secrets found"}

Heihade1

1 Answer


You need to create a --vault-password-file first, then pass it to the ansible-vault command, and finally include it in the ansible-playbook command.

To create the password file and then an Ansible vault, check here:

https://stackoverflow.com/a/49744154/5736671

To run the playbook with the password key file, you can run:

ansible-playbook -i <inventory file> <playbook.yml> --vault-password-file=<vault password file>
ilias-sp
  • Is there not a more elegant way? Does the `--vault-password-file` apply to every variable, or do I have to make one for each variable? – Heihade1 Mar 30 '19 at 16:02
  • you should use the same `password-file` for all the files you encrypt in the same project, since you can pass only 1 `password-file` in the `ansible-playbook` command. – ilias-sp Mar 30 '19 at 18:33
  • `export ANSIBLE_VAULT_PASSWORD_FILE=/your/file` then you can launch ansible playbook without the vault param. Put that in your .bashrc and you're done. You can also tell ansible to ask the password interactively with `--ask-vault-pass`. See [vaults in playbooks](https://docs.ansible.com/ansible/latest/user_guide/playbooks_vault.html) – Zeitounator Mar 30 '19 at 20:33
  • thanks @Zeitounator, various ways to include the vault password file i guess, i just stated mine – ilias-sp Mar 30 '19 at 20:57
  • By the way, it is possible to pass several passwords to a playbook since ansible 2.4: https://docs.ansible.com/ansible/latest/user_guide/vault.html#vault-ids-and-multiple-vault-passwords. A possible usage scenario: encrypt all your general purpose secrets with a shared password, test environment secrets with a password for the development team and production environment secrets with a password for ops. – Zeitounator Mar 30 '19 at 21:48
  • The `export ANSIBLE_VAULT_PASSWORD_FILE=/your/file` did not take any effect. – Heihade1 Mar 31 '19 at 14:59
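As an added example (not code from the asker, the answerer, or the Ansible project), the script below takes the `!vault |` value from the question apart to show what the "no vault secrets found" error is about: the envelope holds a salt, an HMAC tag and the ciphertext, and the password that the answer's `--vault-password-file` supplies is needed to derive the keys before Ansible can even check the tag. The key schedule (PBKDF2-HMAC-SHA256, 10000 iterations, 80 bytes split into AES key, HMAC key and IV) follows Ansible's VaultAES256 scheme; the `find_plaintext_values` lint is a hypothetical helper for catching `vault_*` keys committed unencrypted, and the trailing `db_user` line and the candidate password are constructed for the demonstration. Only the standard library is used, so the script inspects and authenticates the envelope but does not implement the AES-CTR decryption itself.

```python
"""Inspect an ansible-vault 1.1 AES256 envelope and show why a password is required.

Added example; not part of the Stack Overflow question or answer.
"""
import binascii
import hashlib
import hmac
import re

# The encrypted value exactly as printed in the question (page data, password unknown),
# plus one constructed plaintext key so the lint below has something to flag.
VAULT_VARS_YAML = """\
vault_db_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          34353733663863636564363261373962616630333032326363633661326363643533326239363165
          3531393735333535383063373661336333356164653863630a356139333131323935306265623735
          35633665633739656337336562306638646339656235313063643363636433653765633830663330
          6136653534383461370a363839313065343731613035383731363337373866613534326261333531
          3362
db_user: root
"""

# Parameters of Ansible's VaultAES256 key schedule (assumed to match upstream).
PBKDF2_ITERATIONS = 10000
KEY_LEN = 32   # AES-256 key and HMAC-SHA256 key are both 32 bytes
IV_LEN = 16    # AES-CTR initial counter block


def extract_vault_blob(yaml_text, key):
    """Return the indented block that follows '<key>: !vault |' (no YAML library needed)."""
    lines = yaml_text.splitlines()
    start = next(i for i, ln in enumerate(lines) if ln.startswith(key + ":"))
    blob = []
    for ln in lines[start + 1:]:
        if not ln.startswith(" "):
            break
        blob.append(ln.strip())
    return "\n".join(blob)


def parse_vault_envelope(text):
    """Split a vault blob into header fields, salt, HMAC tag and ciphertext.

    Layout: header line, then hex text that decodes to
    'hex(salt)\\nhex(hmac)\\nhex(ciphertext)' (a second hex layer inside).
    """
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    m = re.fullmatch(r"\$ANSIBLE_VAULT;(\d+\.\d+);([A-Z0-9]+)(?:;(.*))?", lines[0])
    if not m:
        raise ValueError("not an ansible-vault header: %r" % lines[0])
    body = binascii.unhexlify("".join(lines[1:]))     # outer hex layer
    salt_hex, hmac_hex, ct_hex = body.split(b"\n")    # three inner hex fields
    return {
        "version": m.group(1),
        "cipher": m.group(2),
        "vault_id": m.group(3),                        # only present in 1.2 headers
        "salt": binascii.unhexlify(salt_hex),
        "hmac": binascii.unhexlify(hmac_hex),
        "ciphertext": binascii.unhexlify(ct_hex),
    }


def derive_keys(password, salt):
    """PBKDF2-HMAC-SHA256 -> (aes_key, hmac_key, iv), as VaultAES256 does."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                  PBKDF2_ITERATIONS, dklen=2 * KEY_LEN + IV_LEN)
    return derived[:KEY_LEN], derived[KEY_LEN:2 * KEY_LEN], derived[2 * KEY_LEN:]


def password_matches(envelope, password):
    """True only if HMAC-SHA256(hmac_key, ciphertext) equals the stored tag.

    Ansible runs this check before decrypting. A wrong password fails here
    ('Decryption failed'); with no password at all the check cannot even be
    attempted, which is the 'no vault secrets found' error from the question.
    """
    _, hmac_key, _ = derive_keys(password, envelope["salt"])
    tag = hmac.new(hmac_key, envelope["ciphertext"], hashlib.sha256).digest()
    return hmac.compare_digest(tag, envelope["hmac"])


def find_plaintext_values(yaml_text):
    """Lint a vars file: top-level keys whose value is not a !vault block."""
    plain = []
    for ln in yaml_text.splitlines():
        m = re.match(r"^([A-Za-z_][A-Za-z0-9_]*):\s*(.*)$", ln)
        if m and not m.group(2).startswith("!vault"):
            plain.append(m.group(1))
    return plain


if __name__ == "__main__":
    env = parse_vault_envelope(extract_vault_blob(VAULT_VARS_YAML, "vault_db_password"))
    print("format %s, cipher %s" % (env["version"], env["cipher"]))
    print("salt %d bytes, tag %d bytes, ciphertext %d bytes"
          % (len(env["salt"]), len(env["hmac"]), len(env["ciphertext"])))
    print("candidate password accepted:", password_matches(env, "wrong-password-example"))
    print("unencrypted keys:", find_plaintext_values(VAULT_VARS_YAML))
```

The 16-byte ciphertext is a single AES block, which is what a short string such as `db_password` padded with PKCS#7 produces; nothing about the value leaks from the envelope without the password, which is why the vault file itself can be committed while the password file must stay out of the repository and be readable only by the user running `ansible-playbook`.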