February 16, 2015

Ansible: Using Vault

Use Ansible vault to protect sensitive data witin your Ansible Roles!Let's see how to encrypt sensitive data in our Roles so we can use Ansible to handle sensitive data such as SSH private keys or passwords.

We'll create users on our server using Ansible, which will give us the opportunity to use Ansible Vault.

Setup "Users" role:


cd roles
mkdir users
cd users
mkdir files handlers meta templates tasks vars


We'll define no dependencies for this role:

dependencies: []


We want this file to be encrypted. Create roles/users/variables with Ansible Vault:

This command is run from the roles/users directory:

ansible-vault create vars/main.yml

Create a password for your vault and confirm it.

This will open a file to open in your editor of choice (defaults to Vim, or whatever is your default editor).

If you want to use nano over vim, export the EDITOR variable and set it to nano: export EDITOR=nano

Exit the main.yml file if you have not yet already. We'll create some passwords using the mkpasswd command using the SHA-512 method:

# Whois package contains "mkpasswd" command
sudo apt-get install -y whois

# Create a password for a user
mkpasswd --method=SHA-512

Copy the password hash generated, and edit the vars/main.yml file again using Vault:

ansible-vault edit vars/main.yml

Add your passwords and other data:

admin_password: <a generated password hash>
deploy_password: <another generated password hash>
shared_publickey: <your SSH public key to be placed in servers authorized_keys directory>

Save and quit that file. If you edit the file without Vault, you'll see that the file is encrypted.

Other ansible-vault commands available are seen via:

ansible-vault -h


Now that we created secure variables, we can use them in a task. Create file tasks/main.yml:

- name: Create Admin User
  user: name=admin password="{{ admin_password }}" groups=sudo shell=/bin/bash

- name: Add Admin Authorized Key
  authorized_key: user=admin key="{{ shared_publickey }}" state=present

- name: Create Deploy User
  user: name=deploy password="{{ deploy_password }}" groups=www-data shell=/bin/bash

- name: Add Deploy Authorized Key
  authorized_key: user=deploy key="{{ shared_publickey }}" state=present

Now adjust the nginx.yml file to be named servers.yml and run it.

 - hosts: web
   sudo: yes
   user: root
    - nginx
    - users

Test it and then run it:

ansible-playbook --syntax-check --ask-vault-pass servers.yml
ansible-playbook --ask-vault-pass --private-key=~/.ssh/id_ansible servers.yml

Then we can log into our servers and check to ensure the servers exist.

On a remote server:

# Check for user "admin" and "deploy"
cat /etc/passwd

From the local computer, try logging in as one of the new users!

# For me, logging in using the Ansible SSH key looked like this:
ssh -i ~/.ssh/id_ansible admin@


Ansible: Roles


Ansible: Using Vault

All Topics