Ansible playbooks often contain sensitive information that needs to be kept private: passwords, private keys, DNS transfer keys and so on. This becomes a real problem when you have to share the playbooks and their sensitive data with coworkers in a git repository.
To solve this problem, ansible provides the ansible-vault tool. It encrypts files using a password:
$ ansible-vault create group_vars/host
New Vault password:
Confirm New Vault password:
EDIT EDIT EDIT
$ ansible-vault edit group_vars/host
Vault password:
UPDATE UPDATE UPDATE
What you commit in your git repository is something that looks like this (only longer):
You then need to use the --ask-vault-pass or --vault-password-file options to unlock the encrypted file when you run your playbook. Nothing complicated, but:
- what happens if you don't manually run ansible, but instead use an orchestration tool like Jenkins or Ansible Tower?
- how do you share and store the password with your coworkers in a secure manner?
What to do?
To handle both cases, point the --vault-password-file option at a script instead of a static file. You also need to tell ansible to always use this script:
Write a script in a vault_pass file. This script should print the ansible-vault password on the standard output:
#!/bin/sh
# using pass
pass pocentek.net/ansible/vault
# or, alternatively, using vault (uncomment this line and remove the pass line)
# vault read -field=password secret/pocentek.net/ansible_vault
Make the script executable:
$ chmod +x vault_pass
Add the following in your ansible.cfg file:
[defaults]
vault_password_file = ./vault_pass
Run your playbook:
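The vault_pass script from the steps above, written out as an added example (not the post's own script), with the checks a practitioner wants before trusting it in a Jenkins job: the backend command is run in a subshell, its stdout is required to be exactly one non-empty line, and any failure exits non-zero so ansible aborts rather than continuing with an empty password. The VAULT_PASS_CMD variable and the run_backend and emit_password function names are assumptions of this example; the default command is the post's own pass path.

```sh
#!/bin/sh
# vault_pass: print the ansible-vault password on stdout, nothing else.
# Added example, not the original post's script. The backend command
# defaults to the post's `pass` path; VAULT_PASS_CMD (an assumption of
# this example) overrides it, e.g. for the vault CLI:
#   VAULT_PASS_CMD='vault read -field=password secret/pocentek.net/ansible_vault'
set -u

# run_backend: execute the configured password command, printing its stdout.
run_backend() {
    cmd=${VAULT_PASS_CMD:-"pass pocentek.net/ansible/vault"}
    sh -c "$cmd"
}

# emit_password: forward exactly one non-empty line from the backend.
# Every failure returns non-zero so ansible stops instead of silently
# trying to decrypt with an empty or multi-line password. Diagnostics go
# to stderr only, because stdout *is* the password.
emit_password() {
    nl=$(printf '\nx')   # literal newline; the trailing x stops $(...) from stripping it
    nl=${nl%x}
    secret=$(run_backend 2>/dev/null) || {
        echo "vault_pass: backend command failed" >&2
        return 1
    }
    [ -n "$secret" ] || {
        echo "vault_pass: backend returned an empty password" >&2
        return 1
    }
    case "$secret" in
        *"$nl"*)
            echo "vault_pass: backend returned more than one line" >&2
            return 1
            ;;
    esac
    printf '%s\n' "$secret"
}

# Only run when executed as the vault_pass script itself (not when the
# functions are sourced into another shell for testing).
case "$0" in
    vault_pass|*/vault_pass) emit_password ;;
esac
```

Save it as vault_pass, make it executable and reference it from ansible.cfg exactly as in the steps above. With this wrapper a missing tool, an expired vault token or an empty secret surfaces as a failed playbook run with a message on stderr, which is what you want from an unattended Jenkins or Tower job.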
Pass or Vault as external tool?
pass is really easy to set up and is my tool of choice for personal projects. When working with several people it becomes more complicated to use:
- every user must store the shared password at a predefined path on their local machine
- if the password must be changed, every user must update it locally
vault is more complex to set up but offers some nice advantages:
- no need for everyone to store the password locally
- vault supports ACLs. If a user leaves the project, her permissions are revoked and the password is updated only once, on the vault server
- password changes are easier to handle and can be done more often