Securing playbooks with ansible-vault

 ansible  ansible-vault  pass  security  sön 15 januari 2017

Ansible playbooks often contain sensitive information that need to be kept private: passwords, private keys, DNS transfer keys and so on. It becomes a real problem when you have to share the playbooks and their sensitive data with coworkers in a git repository.

To solve this problem ansible provides the ansible-vault tool. It encrypts files using a password:

$ ansible-vault create group_vars/host
New Vault password:
Confirm New Vault password:
$ ansible-vault edit group_vars/host
Vault password:

What you commit in your git repository is something that looks like this (only longer):


You then need to use the --ask-vault-pass or --vault-password-file options to unlock the encrypted file when you run your playbook. Nothing complicated, but:

  • what happens if you don't manually run ansible, but instead use an orchestration tool like Jenkins or Ansible Tower?
  • how do you share and store the password with your coworkers in a secure manner?

What to do?

A solution is to use an external tool to store and retrieve the password, for instance pass or HashiCorp Vault.

To do this you need to use a script instead a file with the --vault-password-file option. You also need to tell ansible to always use this file:

  1. Write a script in a vault_pass file. This script should print the ansible-vault password on the standard output:

    # using pass
    # or using vault
    vault read -field=password secret/
  2. Make the script executable:

    $ chmod +x vault_pass
  3. Add the following in your ansible.cfg file:

    vault_password_file = ./vault_pass
  4. Run your playbook:

    ansible-playbook your-playbook.yml

Pass or Vault as external tool?

pass is really easy to setup and is my tool of choice for personal projects. When working with several persons it becomes more complicated to use:

  • every user must store the shared password at a predefined path on their local machine
  • if the password must be changed every user must update it locally

vault is more complex to setup but offers some nice advantages:

  • no need for everyone to store the password locally
  • vault supports ACLs. If a user leaves the project, her permissions are revoked and the password updated only once on the vault server
  • password changes are easier to handle and can be done more often