How to Encrypt Playbook using Ansible Vault ?

Ansible Vault gives you a way to keep sensitive data in an encrypted file instead of in the clear. A playbook sometimes has to carry an account password or a secret key, and if that value sits in a plain text file (usually in a shared Git repository) anyone who can read the file has the credential. In this article, we will see how to encrypt a playbook, edit the encrypted playbook, and rekey the encrypted files.

 

Creating the Encrypted playbook:

1.  Login to the Ansible server.

2. Let's generate a SHA-512 crypt hash of the new root password. The hash, not the password itself, is what goes into the playbook; the example password is "welcome". (On passlib older than 1.7, use sha512_crypt.encrypt() instead of sha512_crypt.hash().)

[linadm@ansible-server automation]$ python3 -c "from passlib.hash import sha512_crypt; import getpass; print(sha512_crypt.hash(getpass.getpass()))"
Password:
$6$rounds=656000$AmI1LlHNw3l3F7Xb$fDeo0QBtkMkMV02dmDQEn2fS588QZ4R/bDz81FPHJ4Jx2fi7lBE/RS1xbSMYmxD60iDbAqwdaosnC00oG/Vo0/
[linadm@ansible-server automation]$

 

3. Create the encrypted playbook with the ansible-vault create command. It prompts for the vault password that will protect the file (this is separate from the root password hashed above) and then opens an editor.

[linadm@ansible-server automation]$ ansible-vault create reset_root_password.yaml
New Vault password:
Confirm New Vault password:

 

4. Enter the playbook contents in the editor. The task below sets the root password on all hosts to "welcome" by passing the hash from step 2; the user module expects the hash, never the plaintext password. Consider adding no_log: true to the task so the hash does not show up in verbose or failed-task output.

---

 - hosts: all
   become: yes
   gather_facts: no

   tasks:
    -  name: Reset the account password
       user:
         name: root
         update_password: always
         password: $6$rounds=656000$AmI1LlHNw3l3F7Xb$fDeo0QBtkMkMV02dmDQEn2fS588QZ4R/bDz81FPHJ4Jx2fi7lBE/RS1xbSMYmxD60iDbAqwdaosnC00oG/Vo0/

 

Common operations on a vault-encrypted playbook:

Run the encrypted playbook. With --ask-vault-pass, ansible-playbook prompts for the vault password and decrypts the file in memory:

[linadm@ansible-server automation]$ ansible-playbook -i lin-servers.1 reset_root_password.yaml --ask-vault-pass
Vault password:

PLAY [all] *******************************************************************************

TASK [Reset the account password] *******************************************************************************************
changed: [192.168.3.151]

PLAY RECAP ********************************************************************************
192.168.3.151              : ok=1    changed=1    unreachable=0    failed=0

[linadm@ansible-server automation]$

Edit the encrypted playbook in place. The file is decrypted only for the duration of the editor session and re-encrypted on save:

[linadm@ansible-server automation]$ ansible-vault edit reset_root_password.yaml
Vault password:

Change the vault password (rekey). Do this whenever the old password may have been exposed:

[linadm@ansible-server automation]$ ansible-vault rekey  reset_root_password.yaml
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful
[linadm@ansible-server automation]$

View the contents without writing the plaintext to disk:

[linadm@ansible-server automation]$ ansible-vault view reset_root_password.yaml
Vault password:
---

 - hosts: all
   become: yes
   gather_facts: no

   tasks:
    -  name: Reset the account password
       user:
         name: root
         update_password: always
         password: $6$rounds=656000$AmI1LlHNw3l3F7Xb$fDeo0QBtkMkMV02dmDQEn2fS588QZ4R/bDz81FPHJ4Jx2fi7lBE/RS1xbSMYmxD60iDbAqwdaosnC00oG/Vo0/
[linadm@ansible-server automation]$

Decrypt the file permanently. The plaintext stays on disk until you encrypt it again, so do not leave it in this state or commit it:

[linadm@ansible-server automation]$ ansible-vault decrypt  reset_root_password.yaml
Vault password:
Decryption successful
[linadm@ansible-server automation]$ cat reset_root_password.yaml
---

 - hosts: all
   become: yes
   gather_facts: no

Encrypt the file again:

[linadm@ansible-server automation]$ ansible-vault encrypt reset_root_password.yaml
New Vault password:
Confirm New Vault password:
Encryption successful
[linadm@ansible-server automation]$

 

How to pass the Ansible vault password from a file

1. Store the Ansible vault password in a file that only your user can read (mode 600), kept outside the repository so it is never committed alongside the vault files it protects.

[linadm@ansible-server automation]$ cat  vault_pass
unixarena
[linadm@ansible-server automation]$
[linadm@ansible-server automation]$ ls -lrt vault_pass
-rw------- 1 linadm linadm 355 Oct 28 18:18 vault_pass
[linadm@ansible-server automation]$

 

2. Pass the password file with --vault-id; ansible-vault reads the password from the file instead of prompting. (--vault-password-file is the older equivalent, and if the file is executable Ansible runs it and uses its standard output as the password, which lets you fetch the password from a secrets manager instead of storing it on disk.)

[linadm@ansible-server automation]$ ansible-vault view --vault-id /home/linadm/automation/vault_pass  reset_root_password.yaml
---

 - hosts: all
   become: yes
   gather_facts: no

 

3. You can pass --vault-id when running the playbook as well.

[linadm@ansible-server automation]$ ansible-playbook --vault-id /home/linadm/automation/vault_pass -i lin-servers.1 reset_root_password.yaml

PLAY [all] ******************************************************************************************

TASK [Reset the account password] ****************************************************************************************************
changed: [192.168.3.151]

PLAY RECAP ******************************************************************************************
192.168.3.151              : ok=1    changed=1    unreachable=0    failed=0

[linadm@ansible-server automation]$
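Two things can go wrong in the procedure above: a playbook left on disk in plaintext after ansible-vault decrypt gets committed, or the --vault-id password file ends up readable by other accounts on the control node. The following Python is an added example, not code from this article or from Ansible itself; it parses the vault envelope layout that ansible-vault writes ($ANSIBLE_VAULT header, then the hex of salt/HMAC/ciphertext wrapped at 80 columns) to tell an encrypted file from a plaintext one, flags unencrypted files carrying a sha512-crypt hash or a password-like YAML key, and checks a password file's mode and owner. The sample envelope it builds uses made-up field values and is not real vault material; build_envelope() only lays fields out, it performs no encryption.

```python
"""Guard rails for an Ansible Vault workflow (added example, not Ansible's code)."""
import os
import re
import stat
import sys
from binascii import hexlify, unhexlify
from pathlib import Path

# Header of a vault-encrypted text: "$ANSIBLE_VAULT;1.1;AES256" or, when the
# file was encrypted with a labelled vault-id, "$ANSIBLE_VAULT;1.2;AES256;<label>".
VAULT_HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;(1\.[12]);AES256(?:;(\S+))?$")

# Plaintext credential shapes: a sha512-crypt hash like the one the article
# generates, or a YAML key that normally holds a secret.
SECRET_RE = re.compile(
    r"\$6\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{43,86}"
    r"|^\s*-?\s*(?:password|passwd|secret|api_key|private_key)\s*:",
    re.MULTILINE,
)


def build_envelope(salt, mac, ciphertext, version="1.1", vault_id=None):
    """Lay fields out the way a vault file is written: hex of
    "salt_hex\\nhmac_hex\\nct_hex" under the header, wrapped at 80 columns.
    Used here only to construct sample input; no encryption happens."""
    header = "$ANSIBLE_VAULT;%s;AES256" % version
    if vault_id:
        header += ";" + vault_id
    inner = b"\n".join(hexlify(f) for f in (salt, mac, ciphertext))
    outer = hexlify(inner).decode("ascii")
    lines = [outer[i:i + 80] for i in range(0, len(outer), 80)]
    return "\n".join([header] + lines) + "\n"


def parse_vault_envelope(text):
    """Split vault text into its fields; raise ValueError when it is not a
    well-formed AES256 envelope (bad header, non-hex body, truncated fields)."""
    lines = text.strip().splitlines()
    if not lines:
        raise ValueError("empty input")
    m = VAULT_HEADER_RE.match(lines[0].strip())
    if not m:
        raise ValueError("no $ANSIBLE_VAULT header")
    body = "".join(line.strip() for line in lines[1:])
    try:
        inner = unhexlify(body).decode("ascii")
        salt_hex, mac_hex, ct_hex = inner.split("\n")
        salt, mac, ct = (unhexlify(h) for h in (salt_hex, mac_hex, ct_hex))
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError("malformed vault body: %s" % exc)
    # AES256 vault: 32-byte salt, 32-byte HMAC-SHA256, PKCS7-padded AES-CTR ciphertext.
    if len(salt) != 32 or len(mac) != 32 or not ct or len(ct) % 16:
        raise ValueError("unexpected field sizes")
    return {"version": m.group(1), "vault_id": m.group(2),
            "salt": salt, "hmac": mac, "ciphertext": ct}


def classify(text):
    """'vault' for an intact envelope, 'plaintext-secret' for unencrypted text
    that carries credential-looking content, 'clean' otherwise."""
    try:
        parse_vault_envelope(text)
        return "vault"
    except ValueError:
        pass
    return "plaintext-secret" if SECRET_RE.search(text) else "clean"


def find_plaintext_secrets(paths):
    """Files among `paths` that would leak credentials if committed as-is."""
    return [str(p) for p in paths
            if classify(Path(p).read_text(errors="replace")) == "plaintext-secret"]


def password_file_problems(mode, owner_uid, euid, content):
    """Reasons to reject a --vault-id password file (empty list means OK).
    Pure function so the policy can be tested without touching the filesystem."""
    problems = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("readable or writable by group/other (mode %o)" % stat.S_IMODE(mode))
    if owner_uid != euid:
        problems.append("owned by uid %d, not the invoking user" % owner_uid)
    if not content.strip():
        problems.append("password is empty")
    return problems


def check_vault_password_file(path):
    """Apply password_file_problems() to a real file (os.geteuid: POSIX only)."""
    st = os.stat(path)
    return password_file_problems(st.st_mode, st.st_uid, os.geteuid(), Path(path).read_bytes())


# Constructed sample inputs: a fake envelope with deterministic fields, and the
# plaintext task from the article (hash copied from the page, password "welcome").
SAMPLE_VAULT = build_envelope(bytes(range(32)), bytes(32), b"\x00" * 48)
SAMPLE_PLAINTEXT = (
    "---\n- hosts: all\n  tasks:\n    - user:\n        name: root\n"
    "        password: $6$rounds=656000$AmI1LlHNw3l3F7Xb$fDeo0QBtkMkMV02dmDQEn2fS588QZ4R/"
    "bDz81FPHJ4Jx2fi7lBE/RS1xbSMYmxD60iDbAqwdaosnC00oG/Vo0/\n"
)

if __name__ == "__main__":
    # Usage: python3 vault_guard.py [files...]  (pre-commit style check)
    print("sample vault:", classify(SAMPLE_VAULT), "| sample plaintext:", classify(SAMPLE_PLAINTEXT))
    leaks = find_plaintext_secrets(sys.argv[1:])
    for path in leaks:
        print("REFUSE: %s is not vault-encrypted but contains secrets" % path)
    sys.exit(1 if leaks else 0)
```

Wire find_plaintext_secrets() into a pre-commit hook over the staged files and run check_vault_password_file() on the path you hand to --vault-id before each run; a truncated or hand-edited vault file fails parse_vault_envelope() instead of silently passing as "encrypted".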

 

Hope this article is informative to you.   Share it! Comment it!! Be Social!!!
