Ansible – Using the “Vault”

In the “Ansible – Getting Started” article I wrote previously we briefly touched on creating an Ansible vault together with a password file that was added to the main Ansible configuration file. So far we haven’t used it however in this article we are going to bring it into play.

Remember to check out my other articles on getting up and running with Ansible as well as the Ansible section ( for new articles.

The main objective we are going to try to achieve in this article is to store the password used for “sudo” (i.e. the “admin” account password) in a secure Ansible vault and then leverage the password via variables within a Playbook.

Note that a vault can be used to store anything, not just passwords.

Securing the Sudo Password

Our first step is to add the password we want to protect into the vault file by editing the vault using “ansible-vault edit NAME_OF_VAULT_FILE”. This opens the file with your systems default text editor after you have provided the vault password (once per session). In our scenario the default editor is “vi”.

As with all Ansible files, the first line is “—“.

The text we put into the vault file leverages the key value pair format (i.e. you assign a key to the value you wish to store so that it can be retrieved via the key at a later date). In the above example the key for my sudo password is “vault_sudo_password” (it could be anything as long as it is unique within the file). The value you wish to store should be in quotes.

Importing the Vault

An Ansible system may have many vaults stored on it, not just the one we have been using in this example. We therefore need to be able to tell each Playbook which vault file they are using by using external variables. This is a method for reading information into a Playbook that is hosted within a file that is external to the Playbook itself.

If we run the Playbook now then we will be back to one of the first errors we started with (i.e. an incorrect sudo password).

Using the Vault

Although we have added the contents of the vault file to the Playbook we haven’t de-encrypted it to extract data or passed the password to anything for use.

First lets tell the Playbook to use the password in the vault by referencing its vault key name and setting it as a variable in the Playbook called “ansible_become_password”.

Note: there are other methods of doing this such as using group files to include the “ansible_become_password” variable and value within which are automatically read for all machines in the corresponding group.

The vault key needs to be referenced by using double curly brackets (or braces) either side of the variable name, all enclosed in quote marks.

The last part of the puzzle is to de-encrypt the vault file when the Playbook is executed so that the password in the vault can be passed to the Playbook as it is executing as a variable. We do this by supplying the vault password as the Playbook is executed using the “–ask-vault-pass” parameter.

If you want the vault file to be automatically de-encrypted without providing any command line parameters then you can add the vault password to the password clear text file we created in the “Ansible – Getting Started” article (there are of course security implications if you do this). This file is globally referenced within ansible.cfg.

3 thoughts on “Ansible – Using the “Vault”

  1. Pingback: Ansible – Getting Started | vnuggets

  2. Pingback: Ansible – Getting Started with Playbooks | vnuggets

  3. Pingback: Ansible – Expanding Playbook Functionality | vnuggets

Comments are closed.