Channel: Lingesh, Author at UnixArena
How to Encrypt Playbook using Ansible Vault ?

Ansible provides a secure mechanism to store sensitive information in an encrypted format. In some cases, we might need to supply an account password or a secure key in the playbook. If we store such information in a plain text file, we could compromise system security. In this article, we will see how to encrypt a playbook, edit the encrypted playbook and rekey the encrypted files.

 

Creating the Encrypted playbook:

1. Log in to the Ansible server.

2. Generate a SHA-512 crypt hash of the new root password; the playbook will use it to update the root password on all the Ansible hosts. (password: welcome)

[linadm@ansible-server automation]$ python -c "from passlib.hash import sha512_crypt; import getpass; print(sha512_crypt.hash(getpass.getpass()))"
Password:
$6$rounds=656000$AmI1LlHNw3l3F7Xb$fDeo0QBtkMkMV02dmDQEn2fS588QZ4R/bDz81FPHJ4Jx2fi7lBE/RS1xbSMYmxD60iDbAqwdaosnC00oG/Vo0/
[linadm@ansible-server automation]$

 

3. Create the first encrypted playbook using the ansible-vault command. You need to set a password for the encrypted playbook.

[linadm@ansible-server automation]$ ansible-vault create reset_root_password.yaml
New Vault password:
Confirm New Vault password:

 

4. Here are the playbook contents to update the root password for all the hosts. (To set “welcome” as the root password)

---

 - hosts: all
   become: yes
   gather_facts: no

   tasks:
    -  name: Reset the account password
       user:
         name: root
         update_password: always
         password: $6$rounds=656000$AmI1LlHNw3l3F7Xb$fDeo0QBtkMkMV02dmDQEn2fS588QZ4R/bDz81FPHJ4Jx2fi7lBE/RS1xbSMYmxD60iDbAqwdaosnC00oG/Vo0/

 

Frequent queries regarding Ansible Vault:

  • How to run the encrypted Ansible playbook? Execute the playbook we created in the previous section as shown below. “lin-servers.1” is the ad hoc host inventory file.
[linadm@ansible-server automation]$ ansible-playbook -i lin-servers.1 reset_root_password.yaml --ask-vault-pass
Vault password:

PLAY [all] *******************************************************************************

TASK [Reset the account password] *******************************************************************************************
changed: [192.168.3.151]

PLAY RECAP ********************************************************************************
192.168.3.151              : ok=1    changed=1    unreachable=0    failed=0

[linadm@ansible-server automation]$

 

  • How to edit the encrypted Ansible vault playbook? Use the “edit” option. You must provide the Ansible vault password.
[linadm@ansible-server automation]$ ansible-vault edit reset_root_password.yaml
Vault password:

 

  • How to set a new password for Ansible vault? Use the “rekey” option. You must remember the old password to rekey.
[linadm@ansible-server automation]$ ansible-vault rekey  reset_root_password.yaml
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful
[linadm@ansible-server automation]$

 

  • How to view the encrypted Ansible vault file? Use the “view” option. (You can’t view the content using “cat” or “vi”; they show only the encrypted text.)
[linadm@ansible-server automation]$ ansible-vault view reset_root_password.yaml
Vault password:
---

 - hosts: all
   become: yes
   gather_facts: no

   tasks:
    -  name: Reset the account password
       user:
         name: root
         update_password: always
         password: $6$rounds=656000$AmI1LlHNw3l3F7Xb$fDeo0QBtkMkMV02dmDQEn2fS588QZ4R/bDz81FPHJ4Jx2fi7lBE/RS1xbSMYmxD60iDbAqwdaosnC00oG/Vo0/
[linadm@ansible-server automation]$

 

  • How to decrypt the Ansible vault file? (Converting the encrypted file to plain text)
[linadm@ansible-server automation]$ ansible-vault decrypt  reset_root_password.yaml
Vault password:
Decryption successful
[linadm@ansible-server automation]$ cat reset_root_password.yaml
---

 - hosts: all
   become: yes
   gather_facts: no

 

  • How to re-encrypt the file using Ansible vault?
[linadm@ansible-server automation]$ ansible-vault encrypt reset_root_password.yaml
New Vault password:
Confirm New Vault password:
Encryption successful
[linadm@ansible-server automation]$

 

How to pass the Ansible vault password from a file

1. Store the Ansible vault password in a file.

[linadm@ansible-server automation]$ cat  vault_pass
unixarena
[linadm@ansible-server automation]$
[linadm@ansible-server automation]$ ls -lrt vault_pass
-rw------- 1 linadm linadm 355 Oct 28 18:18 vault_pass
[linadm@ansible-server automation]$

 

2. Pass the stored password file with the --vault-id option.

[linadm@ansible-server automation]$ ansible-vault view --vault-id /home/linadm/automation/vault_pass  reset_root_password.yaml
---

 - hosts: all
   become: yes
   gather_facts: no

 

3. You can pass --vault-id while running the playbook as well.

[linadm@ansible-server automation]$ ansible-playbook --vault-id /home/linadm/automation/vault_pass -i lin-servers.1 reset_root_password.yaml

PLAY [all] ******************************************************************************************

TASK [Reset the account password] ****************************************************************************************************
changed: [192.168.3.151]

PLAY RECAP ******************************************************************************************
192.168.3.151              : ok=1    changed=1    unreachable=0    failed=0

[linadm@ansible-server automation]$
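
Two checks worth running before committing or executing the files from this article, as an added example that is not part of the original post: that the playbook still carries the Ansible Vault header (it was not left in plain text after "ansible-vault decrypt"), and that the vault password file is accessible only by its owner, like the -rw------- listing above. The function names are illustrative; the check looks only at the first line and the file mode and does not validate the ciphertext.

```shell
#!/usr/bin/env bash
# Added example: sanity checks for vaulted playbooks and the vault password file.

# Return 0 if the file starts with the Ansible Vault envelope header,
# e.g. "$ANSIBLE_VAULT;1.1;AES256" (format 1.2 appends a vault-id label).
is_vault_encrypted() {
    local first
    first=""
    [ -r "$1" ] || return 1
    IFS= read -r first < "$1" || [ -n "$first" ] || return 1
    case "$first" in
        '$ANSIBLE_VAULT;'*';AES256'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the password file is a regular file (not a symlink) with
# mode 0600 or 0400, i.e. no group or world access.
vault_pass_perms_ok() {
    local mode
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    # GNU stat first, BSD/macOS stat as a fallback.
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: check_vault_files <password-file> <vaulted-file>...
# Prints each problem and returns non-zero if anything is unsafe.
check_vault_files() {
    local pass_file rc f
    pass_file=$1
    rc=0
    shift
    vault_pass_perms_ok "$pass_file" || { echo "UNSAFE PERMS: $pass_file"; rc=1; }
    for f in "$@"; do
        is_vault_encrypted "$f" || { echo "NOT ENCRYPTED: $f"; rc=1; }
    done
    return "$rc"
}

# Run the checks only when file names are given on the command line.
if [ "$#" -gt 0 ]; then
    check_vault_files "$@"
fi
```

Saved under a name of your choice, it can be run as: bash check_vault.sh vault_pass reset_root_password.yaml, and a non-zero exit status can be used to block a commit hook or a CI job.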

 

Hope this article is informative to you.   Share it! Comment it!! Be Social!!!

The post How to Encrypt Playbook using Ansible Vault ? appeared first on UnixArena.

