In this tutorial, we explain Ansible Vault for secure secrets management, covering the creation, editing, encryption, and use of vault files in Ansible playbooks, so that you can manage sensitive data securely with the current Ansible Vault tooling.
Introduction
Managing sensitive data such as API keys, passwords, and private configuration files is crucial for any IT infrastructure. Ansible Vault provides a secure way to handle secrets by encrypting them, keeping your sensitive information safe even in version control systems. This guide will cover how to:
- Encrypt sensitive data with Ansible Vault.
- Create, edit, and decrypt vault files.
- Use vault-encrypted variables securely in playbooks.
Prerequisites
To follow this guide, ensure you have:
- A dedicated server or KVM VPS running a Linux distribution (AlmaLinux, Ubuntu, CentOS, Rocky Linux, etc.).
- Ansible installed (ansible >= 2.13.0)
- Basic knowledge of YAML and Ansible playbooks.
Using Ansible Vault for Secure Secrets Management
1. What is Ansible Vault?
Ansible Vault is a feature that allows you to encrypt confidential information within Ansible projects. You can encrypt an entire file, variables, or any sensitive data used in your playbooks. Ansible Vault ensures that only authorized users can access this information by requiring a password for encryption and decryption.
2. Setting Up Ansible Vault
Before diving into the examples, make sure you have Ansible installed. To check if it's installed, run:
ansible --version
If Ansible is not installed, on Debian-based systems such as Ubuntu you can install it with:
sudo apt update
sudo apt install ansible
3. Encrypting Sensitive Data with Ansible Vault
To encrypt sensitive data using Ansible Vault, follow these steps:
3.1. Create a Vault File
To create a new vault file named secrets.yml, use the following command:
ansible-vault create secrets.yml
This command will prompt you to enter a password to encrypt the file. You will use this password whenever you want to view, edit, or use the file in your playbooks.
3.2. Enter Sensitive Data
After creating the file, Ansible Vault will open a text editor where you can input sensitive information, like:
db_password: SuperSecurePassword123
api_key: "API_KEY_EXAMPLE"
secret_key: "SECRET_KEY_EXAMPLE"
Save and close the file when you're done. The secrets.yml file is now encrypted.
3.3. Viewing the Encrypted File
If you try to open secrets.yml in a text editor, you'll see unreadable content because it's encrypted. To view the content, use:
ansible-vault view secrets.yml
You'll be prompted to enter the password you used to create the vault file.
4. Editing Vault Files
To edit an existing vault file, use:
ansible-vault edit secrets.yml
You'll need to enter the password to access and modify the file. Once you're done editing, the file will be automatically encrypted again.
5. Decrypting Vault Files
If you want to decrypt a vault file back to plain text, use:
ansible-vault decrypt secrets.yml
This command replaces the encrypted file with its plaintext, so afterwards anyone who can read the file can read the secrets without a password. Use it with caution, and only when you need to temporarily remove encryption: the plaintext now sits on disk and must not be committed to version control in that state.
To re-encrypt the file after making changes, you can use:
ansible-vault encrypt secrets.yml
6. Encrypting Entire Playbooks or Variable Files
If you have a complete playbook or a file with sensitive variables that need encryption, you can do so using:
ansible-vault encrypt playbook.yml
Or encrypt multiple files simultaneously:
ansible-vault encrypt vars1.yml vars2.yml
7. Using Vault-Encrypted Variables in Playbooks
To use vault-encrypted variables securely in your playbooks, follow these steps:
7.1. Reference Encrypted Files in Playbooks
Assuming you have a secrets.yml file with encrypted variables, you can include it in your playbook using the vars_files directive:
---
- name: Deploy web application
  hosts: web_servers
  vars_files:
    - secrets.yml
  tasks:
    - name: Install and configure database
      mysql_user:
        name: "admin"
        password: "{{ db_password }}"
        priv: "*.*:ALL"
        host: "localhost"
        state: present
7.2. Running Playbooks with Vault Password
To run a playbook that includes vault-encrypted files, you'll need to provide the vault password. You can do this using:
ansible-playbook playbook.yml --ask-vault-pass
This command will prompt you to enter the vault password to decrypt and use the sensitive data.
7.3. Using Vault Password Files
If you frequently run Ansible commands that use vault-encrypted files, you can store the vault password in a file and reference it:
Create a file called vault_password.txt and add the vault password (e.g., MySecureVaultPassword).
Change the file permissions to restrict access:
chmod 600 vault_password.txt
Use the --vault-password-file option with the Ansible command:
ansible-playbook playbook.yml --vault-password-file=vault_password.txt
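The chmod 600 step above is what keeps the vault password out of other users' reach. The following script is an added example, not part of this tutorial or of the Ansible project: it generates a strong random password, creates vault_password.txt with owner-only permissions from the moment the file exists (rather than writing it first and restricting it afterwards), and checks an existing password file the way a pre-flight step in CI might. The function names (generate_vault_password, write_vault_password_file, check_vault_password_file, demo) are this example's own, and it assumes a POSIX system where file modes and ownership apply.

```python
"""Create and verify a vault password file for use with --vault-password-file.

Added example for this tutorial, not code from the Ansible project.
Assumes a POSIX filesystem (permission bits and file ownership).
"""
import os
import secrets
import stat
import tempfile


def generate_vault_password(nbytes=32):
    """URL-safe random password; 32 random bytes give roughly 256 bits of entropy."""
    return secrets.token_urlsafe(nbytes)


def write_vault_password_file(path, password):
    """Create the file with mode 0600 from the start and refuse to overwrite.

    Opening with O_EXCL and an explicit mode avoids the window in which a file
    written with default permissions is readable by others before chmod runs.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(password + "\n")  # Ansible strips the trailing newline
    os.chmod(path, 0o600)  # re-assert in case the umask or an inherited ACL widened it
    return path


def check_vault_password_file(path):
    """Return a list of problems with the file; an empty list means it is acceptable."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append(f"{path}: mode {oct(mode)} allows group/other access, expected 0o600")
    if mode & 0o111:
        # Ansible treats an executable password file as a script and uses its output.
        problems.append(f"{path}: is executable, so Ansible would run it instead of reading it")
    if st.st_uid != os.getuid():
        problems.append(f"{path}: not owned by the current user")
    with open(path) as fh:
        password = fh.read().rstrip("\n")
    if not password:
        problems.append(f"{path}: is empty")
    elif len(password) < 16:
        problems.append(f"{path}: password shorter than 16 characters")
    return problems


def demo():
    """Exercise the helpers in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "vault_password.txt")
        write_vault_password_file(good, generate_vault_password())
        ok = check_vault_password_file(good)
        os.chmod(good, 0o644)  # simulate the mistake that the chmod 600 step prevents
        loose = check_vault_password_file(good)
        weak = os.path.join(tmp, "weak.txt")
        write_vault_password_file(weak, "hunter2")  # constructed weak password
        short = check_vault_password_file(weak)
    return {"ok": ok, "loose": loose, "short": short}


if __name__ == "__main__":
    for label, found in demo().items():
        print(label, found or "no problems")
```

Run it without arguments to see the three cases; in a pipeline, call check_vault_password_file on the real path before invoking ansible-playbook and fail the job if it returns anything.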
8. Encrypting Specific Variables in Playbooks
Instead of encrypting an entire file, you can encrypt individual variables within a playbook. Here's how:
Use the ansible-vault encrypt_string command to generate an encrypted string for a variable:
ansible-vault encrypt_string 'SuperSecretPassword' --name 'db_password'
This will produce encrypted output like the following (the ciphertext lines are abbreviated here):
db_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          61386336623939323062643735383561373430353739306433333339306361313533646361393531
Add the encrypted variable directly to your playbook or variables file.
9. Managing Multiple Vault Passwords
If your infrastructure requires multiple vault files with different passwords (for example, one per environment), label each one with a vault ID so that Ansible knows which password belongs to which file:
Create multiple vault-encrypted files:
ansible-vault create --vault-id dev@prompt secrets_dev.yml
ansible-vault create --vault-id prod@prompt secrets_prod.yml
Use these files in your playbook with the --vault-id option:
ansible-playbook playbook.yml --vault-id dev@prompt --vault-id prod@prompt
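Whole-file encryption (sections 3 and 6), inline encrypt_string values (section 8) and vault IDs (section 9) all leave a recognisable marker in the file: the header line $ANSIBLE_VAULT;1.1;AES256, or $ANSIBLE_VAULT;1.2;AES256;<label> when a vault ID was used. The script below is an added example, not part of this tutorial or of the Ansible project, that uses those markers as a pre-commit style audit: it reports secret-looking variables that are still in plaintext, and collects the vault IDs a set of files needs so the right --vault-id options can be passed to ansible-playbook. The function names and the sample files at the bottom (which contain constructed, not real, ciphertext) are this example's own; it uses only the Python standard library.

```python
"""Audit Ansible Vault usage: plaintext secrets, vault headers and required vault IDs.

Added example for this tutorial, not code from the Ansible project.
"""
import re
import sys
from pathlib import Path

# Header written by ansible-vault: format 1.1 has no label, format 1.2 carries the vault id.
VAULT_HEADER = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>1\.[12]);(?P<cipher>[A-Za-z0-9]+)(?:;(?P<vault_id>[^;\s]+))?$"
)
# Variable names whose values should never be committed in plaintext.
SECRET_KEY = re.compile(r"password|passwd|secret|token|api_key|private_key", re.IGNORECASE)
YAML_KV = re.compile(r"^\s*(?P<key>[A-Za-z_]\w*)\s*:\s*(?P<value>.*?)\s*$")


def parse_vault_header(line):
    """Return (version, cipher, vault_id) for a vault header line, else None."""
    m = VAULT_HEADER.match(line.strip())
    return None if m is None else (m.group("version"), m.group("cipher"), m.group("vault_id"))


def is_vault_file(text):
    """A file encrypted with 'ansible-vault encrypt' has the header on its first line."""
    lines = text.splitlines()
    return bool(lines) and parse_vault_header(lines[0]) is not None


def audit_vars_file(text):
    """Scan plaintext YAML (vars file or playbook) line by line.

    Returns (findings, vault_ids): findings lists (line_no, key) for secret-looking
    keys with a literal value; vault_ids collects the labels of inline !vault values
    (None for an unlabelled 1.1 block), i.e. the passwords --vault-id must supply.
    """
    findings, vault_ids = [], set()
    lines = text.splitlines()
    for no, line in enumerate(lines, 1):
        m = YAML_KV.match(line)
        if m is None:
            continue
        key, value = m.group("key"), m.group("value")
        if value.startswith("!vault"):
            # The vault header is the first non-empty line of the block scalar.
            for nxt in lines[no:]:
                if nxt.strip():
                    hdr = parse_vault_header(nxt)
                    if hdr is not None:
                        vault_ids.add(hdr[2])
                    break
            continue
        if not value or value.lstrip("\"'").startswith("{{"):
            continue  # nested mapping, or a template reference such as "{{ db_password }}"
        if SECRET_KEY.search(key):
            findings.append((no, key))
    return findings, vault_ids


def audit_files(paths):
    """Audit files on disk; returns (problem strings, vault ids needed to run them)."""
    problems, vault_ids = [], set()
    for path in paths:
        text = Path(path).read_text()
        if is_vault_file(text):
            vault_ids.add(parse_vault_header(text.splitlines()[0])[2])
            continue
        findings, ids = audit_vars_file(text)
        vault_ids |= ids
        problems += [f"{path}:{no}: plaintext value for '{key}'" for no, key in findings]
    return problems, vault_ids


def vault_id_args(vault_ids):
    """Command-line options ansible-playbook needs for the labels that were found."""
    args = []
    for label in sorted(i for i in vault_ids if i):
        args += ["--vault-id", f"{label}@prompt"]
    if None in vault_ids and not args:
        args = ["--ask-vault-pass"]  # unlabelled 1.1 data only needs the single password
    return args


# Constructed samples mirroring the tutorial's files; the hex is not real ciphertext.
SAMPLE_PLAINTEXT = 'db_password: SuperSecurePassword123\napi_key: "API_KEY_EXAMPLE"\nsecret_key: "SECRET_KEY_EXAMPLE"\n'
SAMPLE_ENCRYPTED = "$ANSIBLE_VAULT;1.2;AES256;prod\n6138633662393932\n"
SAMPLE_PLAYBOOK = """---
- name: Deploy web application
  hosts: web_servers
  vars:
    db_password: !vault |
          $ANSIBLE_VAULT;1.2;AES256;dev
          6138633662393932
  tasks:
    - name: Install and configure database
      mysql_user:
        name: "admin"
        password: "{{ db_password }}"
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        probs, ids = audit_files(sys.argv[1:])
        print("\n".join(probs) or "no plaintext secrets found")
        print("run with:", " ".join(["ansible-playbook", "playbook.yml"] + vault_id_args(ids)))
    else:
        print(audit_vars_file(SAMPLE_PLAINTEXT))  # three plaintext findings, no vault ids
        print(audit_vars_file(SAMPLE_PLAYBOOK))   # no findings, vault id 'dev'
```

Pass the vars files and playbooks of a repository as arguments to audit them; with no arguments it runs over the two constructed samples. The scanner is deliberately line-based so it works as a git pre-commit hook without a YAML parser, which also means it reports a secret-looking key inside a comment block; treat its output as a prompt to look, not as proof.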
10. Best Practices for Ansible Vault
- Use Strong Vault Passwords: Use long and complex passwords for encryption.
- Restrict Access: Limit access to the vault password file and the vault itself.
- Do Not Hardcode Secrets: Always keep secrets in vault files, not in playbooks.
- Automate Vault Password Retrieval: For CI/CD environments, automate password handling using tools like Ansible Tower, AWX, or HashiCorp Vault.
- Backup Vault Files: Keep secure backups of encrypted vault files.
Conclusion
Ansible Vault is a powerful tool for managing secrets securely. By encrypting sensitive data, you ensure that only authorized users have access to it, even if your playbooks are stored in a public repository. The steps outlined here should provide a solid foundation for using Ansible Vault effectively, protecting your infrastructure from potential security breaches.
Feel free to share this guide with others who need to manage secrets securely using Ansible Vault!