Ansible Vault Tutorial

In this video we are going to learn how to use Ansible Vault. Ansible Vault is primarily useful where you want to store confidential data in a public / possibly-not-very-private source control system.

Personally, I do not find much use for the Vault. In my setup, my host_vars, group_vars, and certain Role default.yml files contain sensitive information. Primarily this relates to User details - passwords being the biggy.

As covered in the previous video, any passwords I use will have been passed through the mkpasswd function, and already be encrypted. As such, storing them in my set up is secure enough - for me. Your requirements may well vary, and as such, for how easy it is to use Ansible Vault, it seems foolish not to cover it.

The official Ansible documentation for Vault covers the main methods:

  • creating new encrypted files
  • editing existing encrypted files
  • encrypting existing unencrypted files
  • decrypting existing encrypted files
  • changing the password of existing encrypted files

You can see a demonstration of each of these steps in the first half of the video.

Using Ansible Vault Files

Once our data has been encrypted, using playbooks that contain encrypted data involves an additional option being passed into our ansible-playbook command.

From the docs this looks like:

ansible-playbook site.yml --ask-vault-pass

However, in the real world, should we have encrypted our group_vars then your command would likely look more like this:

ansible-playbook common-playbook.yml -i hosts -l target -k -K -s --ask-vault-pass

Upon running this command, you will be prompted for the usual passwords (SSH, and sudo), and then the Vault password.

Points of Note

It's not possible to encrypted only values. Or to put it another way, you can only encrypt entire files. I dislike this as it makes the files inherently less useful to me - greping becomes impossible for example.

You can only have one Vault password per Ansible playbook. That is, everything in this playbook run must use the same Vault password.

In Summary

For me the cons of using the Vault currently outweigh the pros.

I can live with my hashed passwords being stored inside unencrypted var files for my personal development projects.

For client work I do use the Vault. If you value your clients, I would suggest you do too.

Code For This Course

Get the code for this course.


# Title Duration
1 How To Install Ubuntu Server in Oracle VirtualBox 10:21
2 How to Rename our Ubuntu Server 02:00
3 Installing Ansible on Ubuntu Server 00:33
4 Safety First, Safety Second - Snapshots are like Ctrl+Z 00:11
5 Managing the Ansible Inventory Hosts File 02:16
6 Ansible Ad Hoc Commands 04:27
7 Introduction to Ansible Playbooks 02:14
8 Ansible Handlers 01:39
9 Ansible Variables 03:16
10 Git Your Deploy Just Right 05:35
11 Ansible Roles 05:51
12 Looping in Ansible with_items 04:35
13 Ansible Files For Beginners 06:16
14 Variable Precedence - Where To Put Your Role Vars? 04:13
15 Ansible Templates 05:51
16 Ansible Inventory With Our Own Hosts Files 06:57
17 How to Manage Users with Ansible 08:32
18 Ansible Vault Tutorial 03:48
19 Ansible Galaxy Tutorial 10:03
20 Real World Ansible - Common Role Walkthrough 06:20
21 Ansible MySQL Tutorial 13:44
22 Ansible Symfony and nginx 09:37