January 21, 2018

Ansible Vault - Let's encrypt sensitive data during automation

by 4hathacker  |  in Redhat Enterprise Linux at  11:17 AM

Hello Everyone !

This is MyAnsibleQuest!!!

In the previous posts, I have discussed a lot of information about Ansible automation, its practical usage and its workflow, using simple examples to explain Ansible concepts. While automating the MySQL server installation in one of those posts, I put the database password and other datacenter variables in the "/etc/ansible/hosts" file.

To be clear, for experiments in your lab test environment this is not a critical issue. But when managing a large cluster with many different departments involved, hard-coded passwords in a file are bad practice. It is dangerous to keep secret passwords and other critical information in plain files. One solution is to use a good-quality encryption standard to hide the information so that nobody else can read it without your permission. This extra layer of security can be added to our Ansible playbooks using Ansible Vault. Ansible Vault is a command-line tool that encrypts sensitive content; during automation it transparently decrypts that content using a vault password provided by the user.

In this post, I will cover some basic Ansible Vault commands by creating a playbook that fetches the key contents of an AWS S3 bucket. It also demonstrates Ansible roles and the file structure used for Ansible automation.


We have access to an AWS account and, as the S3 admin, I would like to fetch the bucket key contents for bucket names supplied by another team in my company. I will write a small Ansible playbook for this.

A brief introduction to AWS S3:

Amazon Web Services is one of the most popular on-demand cloud platforms, and S3 stands for Simple Storage Service, the AWS service for object storage. The key contents we want to access are simply the files inside a folder. I have already installed "awscli" and configured it with the "aws configure" command. This is a mandatory step for accessing S3 content on AWS.

1. The file structure for our Ansible playbook lives in a directory named vault_example. In this structure, I have defined a main .yml file, my.yml. Roles split up control so that tasks stay easy to manage. So I have one role, s3_admin, one of whose tasks is fetching the data of a particular bucket. The vars folder contains all the variables needed to complete the task; in it, aws_creds.yml holds my aws_access_key_id and aws_secret_access_key along with the bucket name.

Note: Although I have put the AWS credentials in aws_creds.yml, the connection to the S3 service relies entirely on "~/.aws.cfg", which is generated automatically by running the "aws configure" command. For accessing EC2 and other services, the credentials in the vars file may be required.

2. Let's have a look at the main.yml file in the tasks folder. In main.yml, I have included the aws_creds file and used the bucket_name variable from aws_creds.yml to list the bucket keys.

3. Now for the main part: using Ansible Vault to encrypt aws_creds.yml. First, create a vault-password.txt file containing a random password of your choice. This password will be used for encrypting and decrypting our aws_creds.yml file. Run the "ansible-vault encrypt" command with the location of the file to be encrypted, and pass the vault password file with the "--vault-password-file" option.

4. Check whether the file was encrypted successfully. The first line of the file shows the encryption standard used, e.g. AES-256.

5. Let's test our my.yml file, which contains only the role entry:

# file: my.yml
- hosts: localhost
  roles:
    - { role: s3_admin }

I ran the usual command for running an Ansible playbook.

Oops!!! I got an error. It is looking for a secrets file to decrypt with. Let me try again, this time with our vault-password.txt file.

Bingo!!! Now both the encryption and the playbook are working fine. Let us look at some other things we can do with Ansible Vault.

6. I want to change my vault password. This can be done with the "ansible-vault rekey" command.

It asks for the New Vault Password twice to confirm. If the passwords do not match, it shows an error and keeps relying on the previous password. If they match, it shows a message confirming the successful rekey.

7. To run my.yml with the new password, we have to enter it manually, because we have not saved it in any password file.

With the "--ask-vault-pass" option, it prompts for the vault password. If it is entered correctly, we can see the bucket keys "hdfs-site.xml" and "logo.png".

8. Finally, we will look at how to decrypt our aws_creds.yml file with the "ansible-vault decrypt" command.
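The eight steps above collected into one script that you can rerun on a scratch copy. This is an added example, not code from the original post: the vault_example tree, aws_creds.yml and vault-password.txt names come from the post, while the placeholder credentials, the two vault passwords and the helper functions (is_vaulted, vault_cipher, make_sample_vault_file) are my assumptions. The header helpers do step 4 mechanically, and "ansible-vault view" is shown as the way to read the secrets without leaving a decrypted file on disk.

```shell
#!/bin/sh
# Added example, not code from the original post: the vault workflow from
# steps 3 to 8 as one repeatable script. Directory and file names follow the
# post; the fake credentials, the passwords and the helper names are assumptions.
set -eu

# 0 if FILE starts with an Ansible Vault header, 1 otherwise. An encrypted file
# begins "$ANSIBLE_VAULT;<format>;<cipher>[;<vault-id>]", the line step 4 asks
# you to look for.
is_vaulted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# Print the cipher named in the header (AES256 for every current vault).
vault_cipher() {
    head -n 1 "$1" | cut -d ';' -f 3
}

# Constructed vault-shaped file (header plus a hex line that is NOT real
# ciphertext) so the two helpers can be exercised where ansible is absent.
make_sample_vault_file() {
    f=$(mktemp)
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' \
        '3638313364396535643965613838626531626335626537663734623338323635' > "$f"
    printf '%s' "$f"
}

# Steps 3 to 8 of the post inside a throw-away copy of the vault_example tree.
vault_workflow() {
    work=$(mktemp -d)
    mkdir -p "$work/vault_example/roles/s3_admin/tasks" \
             "$work/vault_example/roles/s3_admin/vars"
    cd "$work/vault_example"

    # Constructed, deliberately invalid credentials; the vault_ prefix follows
    # best practice 1 from the post.
    cat > roles/s3_admin/vars/aws_creds.yml <<'EOF'
vault_aws_access_key_id: AKIAEXAMPLEPLACEHOLDER
vault_aws_secret_access_key: EXAMPLE-SECRET-PLACEHOLDER
vault_bucket_name: example-bucket
EOF

    # Step 3: the vault password lives outside the playbook tree, readable only
    # by its owner (umask 077 gives mode 0600).
    umask 077
    printf '%s\n' 'first-vault-password'  > "$work/vault-password.txt"
    printf '%s\n' 'second-vault-password' > "$work/new-vault-password.txt"
    ansible-vault encrypt --vault-password-file "$work/vault-password.txt" \
        roles/s3_admin/vars/aws_creds.yml

    # Step 4: confirm the file is encrypted and which cipher the header names.
    is_vaulted roles/s3_admin/vars/aws_creds.yml
    echo "cipher: $(vault_cipher roles/s3_admin/vars/aws_creds.yml)"

    # "view" decrypts to the terminal only; the file on disk stays encrypted.
    # A playbook run with --vault-password-file decrypts the same way, in memory.
    ansible-vault view --vault-password-file "$work/vault-password.txt" \
        roles/s3_admin/vars/aws_creds.yml

    # Step 6: rotate the vault password without the two interactive prompts.
    ansible-vault rekey --vault-password-file "$work/vault-password.txt" \
        --new-vault-password-file "$work/new-vault-password.txt" \
        roles/s3_admin/vars/aws_creds.yml

    # Step 8: decrypt in place, then prove the header is gone. Do this on a
    # scratch copy only; the committed file should stay vaulted.
    ansible-vault decrypt --vault-password-file "$work/new-vault-password.txt" \
        roles/s3_admin/vars/aws_creds.yml
    if is_vaulted roles/s3_admin/vars/aws_creds.yml; then
        echo "decrypt failed" >&2
        return 1
    fi
    echo "workflow complete in $work"
}

# Run the live workflow only where ansible-vault is installed.
if command -v ansible-vault >/dev/null 2>&1; then
    vault_workflow
else
    echo "ansible-vault not found; skipping the live workflow" >&2
fi
```

Running it with ansible installed prints the cipher from the header, the decrypted contents via view, and ends with the file back in plaintext under a temporary directory. The vault password files are created with umask 077 so that nobody but the owner can read them; that file, not the encrypted vars file, is what actually protects the secrets, so keep it out of version control.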

This was a short practical introduction to Ansible Vault on RHEL7 with Ansible v2.48 installed. There are some important best practices I would like to mention:

1. Vault variable names should start with "vault_". This makes it easy to tell vault variables apart from normal variables.

2. Do not put all variables under vault encryption; otherwise reviewing them when errors occur becomes difficult.

3. Ansible Vault should only be used for encrypting sensitive information. Encrypting lots of .yml files unnecessarily, without any requirement, will create more problems.

4. Following a proper directory structure for Ansible variables, vaults and main tasks, each within a properly assigned role, makes the project easier to understand and saves time.
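A way to enforce practices 1 to 3 mechanically, as an added example that is not part of the original post: it walks a playbook tree, skips files that carry the vault header, and reports any secret-looking key left in a plaintext vars file. The secret-name patterns, the exemption for the usual indirection (db_password: "{{ vault_db_password }}" in a plain vars file pointing at the vaulted value) and the sample tree are constructed assumptions of mine.

```shell
#!/bin/sh
# Added example, not code from the original post: a check that enforces best
# practices 1 to 3 over a playbook tree. The secret-name patterns and the
# sample tree are constructed assumptions.
set -eu

# 0 if FILE starts with an Ansible Vault header, 1 otherwise.
is_vaulted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# Keys that must not appear in a plaintext vars file: anything using the post's
# "vault_" prefix, plus an assumed list of common secret names.
SECRET_KEY_RE='^[[:space:]]*(vault_[A-Za-z0-9_]*|[A-Za-z0-9_]*(password|passwd|secret|token|access_key|private_key)[A-Za-z0-9_]*)[[:space:]]*:'

# The recommended indirection, e.g. db_password: "{{ vault_db_password }}",
# only references a vaulted value and is not a finding.
INDIRECTION_RE='[{][{][[:space:]]*vault_'

# Print one "file:line:text" per secret-looking key found in an unencrypted
# .yml/.yaml file under DIR. Encrypted files are skipped, so the output is
# empty when everything sensitive is vaulted and nothing else is.
list_plaintext_secrets() {
    find "$1" -type f \( -name '*.yml' -o -name '*.yaml' \) | sort |
    while IFS= read -r f; do
        is_vaulted "$f" && continue
        # /dev/null as a second file forces grep to prefix the file name.
        grep -n -E "$SECRET_KEY_RE" "$f" /dev/null | grep -v -E "$INDIRECTION_RE" || true
    done
}

# Number of findings, for use as a gate in a pre-commit hook or CI job.
count_plaintext_secrets() {
    list_plaintext_secrets "$1" | grep -c . || true
}

# Gate: print the findings and fail (exit 1) when there are any.
check_tree() {
    n=$(count_plaintext_secrets "$1")
    list_plaintext_secrets "$1"
    [ "$n" -eq 0 ]
}

# Constructed sample tree: one vaulted file (fake header, not real ciphertext),
# one clean plain file using the indirection pattern, one plain file that leaks
# two secrets.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/roles/s3_admin/vars" "$d/group_vars" "$d/host_vars"
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' \
        '3638313364396535643965613838626531626335626537663734623338323635' \
        > "$d/roles/s3_admin/vars/aws_creds.yml"
    printf '%s\n' 'http_port: 80' 'db_user: app' \
        'db_password: "{{ vault_db_password }}"' > "$d/group_vars/all.yml"
    printf '%s\n' 'vault_db_password: plaintext-oops' 'api_token: abc123' \
        > "$d/host_vars/db01.yml"
    printf '%s' "$d"
}
```

Point check_tree at the playbook directory from a pre-commit hook or CI step; on the sample tree it reports the two lines in host_vars/db01.yml and exits 1, while the vaulted aws_creds.yml and the indirection in group_vars/all.yml pass. The key patterns are deliberately broad and will occasionally flag a harmless key such as a task parameter named token; tune SECRET_KEY_RE to the naming conventions of your own roles rather than loosening it globally.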

