Ansible Vault

Up until now I have been running the examples via a SSH key that I setup initially with the system. You could set it up and run it with a user account also. However, if you want to automate things and have a lot of servers to run a playbook against, most likely the last thing you want is to sit type in the password being it for a user or an ssh key.

There are a couple of ways around this. The first one is that you could specify the password in a file and then “chown” the file to 400, so that only the user who created the file can read it. It is probably not the coolest thing, since if someone manages to find the password for your user, then they see the sudo password (Plus… you may have different sudo passwords for different servers. So it is in the end less optimal.

Ansible has a solution for this. It is called Ansible Vault. It is not perfect either though because the password must be either entered, stored as a file above or stored inside the playbook. However Ansible vault can encrypt the entire playbook file so that it is not easily readable.

One details is that when you start typing up your playbook, it is stored as a temp file and VIM does not mark up the file as it would with a normal YAML file. You are also asked to enter a password to encrypt the file with.


So let’s take an old example and use, mainly so we avoid the whole markup part and the errors that this brings.



You can see here that I have added a variable called ansible_sudo_pass and set the password in cleartext. (It is not my real sudo password btw). now saving it like normal and doing a dir of files the new file is there, it’s a YAML file like the others.


Additionalyl you may notice that the example005.yml file is somewhat restricted in access.

Now lets cat the output of the file:


The first line gives it away that it is an Ansible vault file and encryption type, the rest is masked content.

Running ansible-playbook also will not work here because it will simply say, hey I don’t understand this file.


So to run an encrypted playbook we need to use the ansible-vault password, when running ansible-playbook. So you can add the switch –ask-vault-pass as below here: