Recently I came across the fact that I need to encrypt passwords stored in Ansible YML files, as the scripts are published in a git repository which is synced to a Gitlab instance.
Therefore it was necessary to check the web for resources on Ansible and encryption. I came across Ansible Vault, which is quite easy to use.
Now let's get to the basics. First we create a YML file which holds all the variables with the passwords:
my_store.yml
---
# os user passwords (user: <pw>)
test_pw: "my_Secret-Pw12!"
orchestration_pw: "sUp1r-sEcr1t-pW"
Now that we have the password file in plain text, it is time to encrypt the whole thing with the help of the Ansible utility “ansible-vault”:
ansible-vault encrypt my_store.yml
New Vault password:
Confirm New Vault password:
Encryption successful
Here we interactively specify the password used to encrypt the password store file.
As a result we get the encrypted password store file my_store.yml, which is AES-256 encrypted. Its first line, $ANSIBLE_VAULT;1.1;AES256, records the vault format version and the cipher; everything after it is the hex-encoded encrypted payload:
cat my_store.yml
$ANSIBLE_VAULT;1.1;AES256
39656561626663353564626130316562663561663032626537326231363732343531626265663734
6262363739316265336234303538633037343437343036300a323534373133383361356632326237
39356638613864363432346162353330303535343338303432316632346231643865646338373536
6330313136353434660a313266636235663831333462316530646165323364656634633435393837
64393663363835336636643837333134353834346463313932326130316365396664383139313538
61646362393566663934636139643162313431613339643930316139633534316263666638636461
34393263306362313564653365383566363961346165383136646263313134353136616265643666
30646638316339623938303633636261323830366237353761363762616332633561323565313937
61356364383161323762646165393038623632373665663164363965623031646439
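Because the whole point of the exercise is that the store file must never reach the git remote in plain text, a small check of the vault envelope shown above is useful as a pre-commit or CI step. This is an added example for this post, not Ansible's own code; the helper names (parse_vault, audit, constructed_sample), the file-name pattern and the sample file contents are assumptions, and the structurally valid sample envelope is built from constructed bytes rather than real ciphertext.

```python
"""Envelope check for Ansible Vault files before they reach the git remote.
Added example for this post, not Ansible's own code. A vault 1.1/1.2 file is a
'$ANSIBLE_VAULT;<version>;AES256[;<vault-id>]' header plus hex text that decodes
to 'salt_hex\\nhmac_hex\\nciphertext_hex' (32-byte salt, 32-byte HMAC-SHA256,
AES-256-CTR ciphertext). Only the envelope is validated, nothing is decrypted."""
import binascii
import re

HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;(1\.[12]);AES256(?:;([^\s;]+))?$")

def parse_vault(text: str) -> dict:
    """Return the envelope fields of a vault file, or raise ValueError."""
    lines = text.strip().splitlines()
    if not lines or not (m := HEADER_RE.match(lines[0].strip())):
        raise ValueError("missing or unknown $ANSIBLE_VAULT header")
    try:
        payload = binascii.unhexlify("".join(ln.strip() for ln in lines[1:]))
        parts = [binascii.unhexlify(p) for p in payload.split(b"\n")]
    except binascii.Error as exc:
        raise ValueError(f"payload is not valid hex: {exc}") from None
    if len(parts) != 3:
        raise ValueError("payload must hold salt, hmac and ciphertext")
    salt, mac, ct = parts
    if len(salt) != 32 or len(mac) != 32:
        raise ValueError("salt and HMAC-SHA256 must be 32 bytes each")
    if not ct or len(ct) % 16:
        raise ValueError("ciphertext must be a whole number of AES blocks")
    return {"version": m.group(1), "vault_id": m.group(2),
            "salt": salt, "hmac": mac, "ciphertext": ct}

def audit(files: dict, name_re=re.compile(r"store|secret|vault|pw")) -> list:
    """Flag files whose name suggests a secret store but that are not valid vault files."""
    findings = []
    for name, content in files.items():
        if name_re.search(name):
            try:
                parse_vault(content)
            except ValueError as exc:
                findings.append((name, str(exc)))
    return findings

def constructed_sample() -> dict:
    """Constructed inputs: one structurally valid envelope (fake bytes), one plaintext."""
    inner = b"\n".join(binascii.hexlify(b) for b in (b"S" * 32, b"M" * 32, b"C" * 48))
    hexbody = binascii.hexlify(inner).decode()
    wrapped = "\n".join(hexbody[i:i + 80] for i in range(0, len(hexbody), 80))
    return {"my_store.yml": "$ANSIBLE_VAULT;1.1;AES256\n" + wrapped + "\n",
            "plain_store.yml": 'test_pw: "my_Secret-Pw12!"\n',
            "site.yml": "- hosts: localhost\n"}
```

Run audit() over the repository's YAML files (read from disk instead of constructed_sample) and fail the commit or pipeline whenever it returns a non-empty list.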
Now that we have our encrypted store, it is time to use it in a playbook. For the simplicity of this test case the playbook will include the password store YML file via vars_files and output the passwords from the store via a debug statement. Now let's start with the main playbook:
show_vault.yml
---
- hosts: localhost
  vars_files:
    - my_store.yml
  tasks:
    - name: debug - show encrypted variables
      debug:
        msg: "Password1: {{ test_pw }} ; Password2: {{ orchestration_pw }}"
Now if we execute the playbook we will see the following result:
ansible-playbook --ask-vault-pass show_vault.yml
Vault password:

PLAY [localhost] *************************************************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************************************************
ok: [localhost]

TASK [debug - show encrypted variables] **************************************************************************************************************
ok: [localhost] => {
    "msg": "Password1: my_Secret-Pw12! ; Password2: sUp1r-sEcr1t-pW"
}

PLAY RECAP *******************************************************************************************************************************************
localhost                  : ok=2    changed=0    unreachable=0    failed=0
After typing in the password for the encrypted vault, the playbook runs, and our debug task shows that the passwords are available in decrypted form during execution. Keep in mind that such a debug task prints the secrets to the console and to any captured job log, so it belongs in a throwaway test like this one and not in a production playbook.
If you don’t want to type in the password for the Ansible Vault encrypted files, you can put the password in a file and pass that file as a parameter to the ansible-playbook program.
First create the file which contains the password:
cat vault_pw
my_Vault_PW
After that it can be used with the ansible-playbook command:
ansible-playbook --vault-password-file=vault_pw show_vault.yml
If you want to use a random, secure password for the encryption and decryption of your Ansible Vault files, a good choice is to use openssl for that:
openssl rand -base64 <Number> (Number is the number of random bytes to generate; the base64-encoded password is correspondingly longer than Number characters)
Example:
openssl rand -base64 64 | xargs > vault_pw
cat vault_pw
eV7sutwF6dV1qe5JzhCJiJXSqplOMLkHToap9YhaNSRtOFTTMpyFZwlCfXgG4sL9
The pipe ‘|’ and the xargs command are needed because openssl wraps its base64 output at 64 characters; xargs joins the lines so that the resulting password string ends up on one line in the password file. Note that xargs joins the pieces with a space, which then becomes part of the vault password; tr -d '\n' joins them without one.
That’s it, now you are ready to use encrypted passwords/files in your Ansible automation scripts. Please keep in mind that storing the password that decrypts the encrypted files in a separate file is a security risk, as this password is stored there unencrypted !!! If you do use a password file, restrict it to the user running Ansible (for example chmod 600) and make sure it is excluded from the git repository, otherwise the vault protects nothing.