Introducing Ansible Vault
Ansible 1.5, which will release in a few weeks, adds a new command-line tool “ansible-vault”, and a new /usr/bin/ansible-playbook option, “
The idea here is pretty simple -- playbooks and templates often need data, kept in configuration files, that you don’t want to expose in source control.
To give credit where credit is due, this feature isn’t *exactly* a new idea. Chef has a feature called “encrypted data bags”, for instance, though “vault” adds Ansible’s own flavor to it.
To do this, instead of opening your favorite editor, run the following command, which will launch the editor defined by your $EDITOR, or will default to vim if this is not set:
ansible-vault create vars.yml
The tool will ask you for a password to encrypt the file with. To edit it again later:
ansible-vault edit vars.yml
And to run a playbook that uses encrypted data:
ansible-playbook site.yml --ask-vault-pass
Should you get the vault password wrong, you’ll get a friendly error message.
What can be encrypted? Lots of things. group_vars and host_vars files, vars_files, things included with “include_vars”, and even individual playbooks or task files. Basically everything that is YAML in Ansible can be used with ansible-vault. It’s really generic.
There are a few extra commands. Suppose you have a vault-encrypted file and want to change the password?
ansible-vault rekey vars.yml
Or if you want to encrypt an existing plaintext file?
ansible-vault encrypt vars.yml
Or to permanently decrypt an existing file?
ansible-vault decrypt vars.yml
If you want to encrypt, decrypt, or rekey multiple files at the same time, you can do this as follows:
ansible-vault [encrypt|decrypt|rekey] vars1.yml vars2.yml vars3.yml
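A check to run before committing, added here as an example (it is not part of the original post or of Ansible): it walks a repository and reports YAML and group_vars/host_vars files that contain secret-looking variables but do not start with the vault header. The key-name pattern, the function names and the sample tree are assumptions made for the example.

```python
import os
import re
import tempfile

# Vault-encrypted files begin with a header line such as "$ANSIBLE_VAULT;1.1;AES256".
VAULT_HEADER = b"$ANSIBLE_VAULT;"
# Assumed policy (not from the post): key names that suggest a secret. Values that
# are only a "{{ ... }}" reference to another variable are not treated as secrets.
SECRET_KEY = re.compile(
    rb"^[ \t]*[\w.-]*(password|passwd|secret|token|api_key|private_key)[\w.-]*"
    rb"[ \t]*:[ \t]*(?![\"']?\{\{)\S", re.I | re.M)
VAR_DIRS = {"group_vars", "host_vars"}  # variable directories named in the post

def is_vault_encrypted(path):
    """True if the file starts with the vault header."""
    with open(path, "rb") as fh:
        return fh.read(len(VAULT_HEADER)) == VAULT_HEADER

def find_plaintext_secrets(root):
    """Return relative paths of unencrypted YAML/vars files holding secret-like keys."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        in_var_dir = bool(VAR_DIRS & set(os.path.relpath(dirpath, root).split(os.sep)))
        for name in files:
            path = os.path.join(dirpath, name)
            if not (in_var_dir or name.endswith((".yml", ".yaml"))):
                continue
            if is_vault_encrypted(path):
                continue  # already protected by ansible-vault
            with open(path, "rb") as fh:
                if SECRET_KEY.search(fh.read()):
                    findings.append(os.path.relpath(path, root))
    return sorted(findings)

def demo():
    """Scan a constructed sample tree (all file contents are made up)."""
    samples = {
        "group_vars/all.yml": b"$ANSIBLE_VAULT;1.1;AES256\n36333866\n",
        "group_vars/db.yml": b"db_password: hunter2\n",
        "host_vars/web1": b'api_token: "{{ vault_api_token }}"\n',
        "site.yml": b"- hosts: all\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return find_plaintext_secrets(root)
```

Any file it reports is a candidate for "ansible-vault encrypt"; calling find_plaintext_secrets(".") from a pre-commit hook and failing on a non-empty result keeps such files out of source control.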
So that’s ansible-vault! We hope you enjoy using it. If you would like to try it out now, check out the “devel” branch of the GitHub repo, and:
Thanks to James Tanner for a lot of great work on this feature, and to lots of folks on the ansible-project list for being a great sounding board. Please direct any questions and ideas to the mailing list. Thanks!