Ansible. Securing your secrets. Noob level.

So. You have your playbook in git and you want to keep some variables invisible to others. You probably should go for a ‘real’ password manager like HashiCorp Vault, or pass (https://www.passwordstore.org/). Both have ready-to-use lookup plugins in Ansible. But let’s start with something more… local: the Ansible vault.
First, you have to remember your password. Store it in the .vault_password file in your home dir. Just remember to make it readable only by you.
chmod go-rwx ~/.vault_password
Now, tell Ansible to use the file. You can do it in ansible.cfg.
[defaults]
vault_password_file = ~/.vault_password
We’re going to keep the secrets and private vars outside our repo. So - we’re going to create a kind of inventory which contains only variables.
mkdir -p ~/my_ansible_secrets/group_vars/all/
Then make Ansible use it. We will add the new inventory to the config; Ansible doesn’t mind having multiple inventories. Now our ansible.cfg looks like this (note that the vault_password_file path is the same ~/.vault_password file we created above):
[defaults]
inventory = testinv.yaml, ~/my_ansible_secrets
vault_password_file = ~/.vault_password
Now it’s time to encrypt.
ansible-vault encrypt_string -n my_secret 'i wont tell' >> ~/my_ansible_secrets/group_vars/all/secrets.yaml
Please look into the file. Adding the --- document marker at the beginning of a YAML file won’t hurt.
---
my_secret: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          66626630323438343166393164343162366634346362386163623036613333343465323635393839
          6638623963313135616434313165646232346132303338320a616137303230623436343031643436
          36613135363366303035653731616561333439383662383433346537643139653663396339346435
          6661313739643036360a393635313837346536633136303932316638386463343465376238373532
          6338
Time to test:

TADA! One more thing - let’s get rid of the ugly warning Ansible prints about the new inventory directory. Just create a dummy inventory file in it.
echo '[all]' > ~/my_ansible_secrets/dummy.ini
That’s it. You really should use a real password manager… Anyway - you will probably still want to keep some private vars - like a username - outside your official repo. You can use the “vars-only inventory” technique whenever you need it.
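As an added example (not part of the original post), here is a small POSIX shell check for the setup described above: it verifies that the vault password file is readable only by its owner and that a secrets file in the vars-only inventory contains nothing but !vault values, so a plaintext secret cannot slip into the repo unnoticed. The paths and the sample file contents are assumptions and constructed data, not the post’s own.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-commit style check for the
# vault setup above. Paths are assumptions; pass your own as arguments.

# 0 if the file exists and has no group/other permission bits (what chmod go-rwx gives).
check_pw_file_perms() {
  [ -f "$1" ] || return 1
  # ls -l columns 5-10 are the group and other rwx bits
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# 0 if every top-level key in a YAML file is a "!vault |" block; prints offenders otherwise.
check_only_vault_values() {
  awk '
    BEGIN { bad = 0 }
    /^[[:space:]]*$/ { next }                 # blank line
    /^[[:space:]]*#/ { next }                 # comment
    /^---/           { next }                 # document marker
    /^[[:space:]]/   { next }                 # indented: continuation of a vault blob
    /^[A-Za-z_][A-Za-z0-9_]*:[[:space:]]*!vault[[:space:]]*[|]/ { next }
    { print "plaintext value in " FILENAME ": " $0; bad = 1 }
    END { exit bad }
  ' "$1"
}

# Run both checks; 0 only if both pass. Arguments: password file, secrets file.
run_checks() {
  check_pw_file_perms "$1" || { echo "password file $1 is missing or too permissive"; return 1; }
  check_only_vault_values "$2"
}

# Writes constructed sample files into a directory so the checks can be tried offline.
# The vault body below is a made-up placeholder, not real ciphertext.
make_sample_files() {
  d="$1"
  mkdir -p "$d/group_vars/all"
  printf 'x\n' > "$d/vault_password" && chmod 600 "$d/vault_password"
  cat > "$d/group_vars/all/secrets.yaml" <<'EOF'
---
my_secret: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          00000000000000000000000000000000
EOF
  cat > "$d/group_vars/all/leaked.yaml" <<'EOF'
---
my_secret: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          00000000000000000000000000000000
db_password: hunter2
EOF
}
```

Run it as `run_checks ~/.vault_password ~/my_ansible_secrets/group_vars/all/secrets.yaml` from a git pre-commit hook; a non-zero exit means either the password file is exposed or a value was committed unencrypted.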