
Vault

A vault is a symmetrically encrypted file that contains variables.

  • Create vault: ansible-vault create vault.yml
  • Encrypt file: ansible-vault encrypt vault.yml
  • Decrypt vault: ansible-vault decrypt vault.yml
  • Show contents: ansible-vault view vault.yml
  • Edit vault: ansible-vault edit vault.yml
  • Change password: ansible-vault rekey vault.yml

Example playbook where the become_passwd variable is defined inside the vault vars/vault.yml:

---
- name: localhost
  hosts: localhost
  vars:
    # Pulled from the vault loaded below; never written in clear text here
    ansible_become_password: '{{ become_passwd }}'
  vars_files:
    - vars/vault.yml
  roles:
    - role1
  tasks:
    - name: ping
      become: true
      ping:

Pass --ask-vault-pass when you run the playbook and you will be prompted for the vault password so the vars file can be decrypted:

ansible-playbook -i inventory playbook.yml --ask-vault-pass
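An encrypted vault on disk starts with a $ANSIBLE_VAULT header followed by a hex payload, while a vault that was left decrypted after ansible-vault decrypt is plain YAML. The following check, an added example that is not part of the original page or of Ansible itself, parses that envelope with the standard library only (no password, no decryption) so it can run before a commit; build_demo_envelope is a constructed sample in the same layout, not real encryption output.

```python
import binascii

HEADER_PREFIX = "$ANSIBLE_VAULT;"


def parse_vault_envelope(text: str) -> dict:
    """Validate an ansible-vault 1.1/1.2 AES256 envelope and return its parts.

    Raises ValueError for anything that is not a well-formed encrypted vault,
    which is what a vault.yml left decrypted on disk will trigger.
    """
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith(HEADER_PREFIX):
        raise ValueError("no $ANSIBLE_VAULT header: file is not encrypted")
    fields = lines[0].split(";")
    if len(fields) < 3 or fields[1] not in ("1.1", "1.2") or fields[2] != "AES256":
        raise ValueError(f"unsupported vault header: {lines[0]}")
    vault_id = fields[3] if fields[1] == "1.2" and len(fields) > 3 else None
    # Body is hex of "hexsalt\nhexhmac\nhexciphertext", wrapped at 80 columns.
    try:
        payload = binascii.unhexlify("".join(lines[1:]))
        salt, hmac, ct = (binascii.unhexlify(p) for p in payload.split(b"\n"))
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"malformed vault payload: {exc}") from exc
    if len(salt) != 32 or len(hmac) != 32 or not ct:
        raise ValueError("salt/HMAC/ciphertext sizes do not match an AES256 vault")
    return {"version": fields[1], "vault_id": vault_id, "ciphertext_len": len(ct)}


def is_encrypted_vault(text: str) -> bool:
    """True only when text is a structurally valid encrypted vault."""
    try:
        parse_vault_envelope(text)
        return True
    except ValueError:
        return False


def build_demo_envelope(vault_id=None) -> str:
    """Constructed sample in the real envelope layout; the bytes are fixed
    filler, not real encryption output, so it only exercises the parser."""
    parts = (b"\x01" * 32, b"\x02" * 32, b"\x03" * 48)  # salt, hmac, ciphertext
    body = binascii.hexlify(b"\n".join(binascii.hexlify(x) for x in parts)).decode()
    header = "$ANSIBLE_VAULT;1.2;AES256;" + vault_id if vault_id else "$ANSIBLE_VAULT;1.1;AES256"
    return "\n".join([header] + [body[i:i + 80] for i in range(0, len(body), 80)]) + "\n"
```

Run is_encrypted_vault over each vault file's contents in a pre-commit hook and refuse the commit when it returns False.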

Encrypt a file

ansible-vault encrypt file.ext

When you copy a vault-encrypted file with the copy module, Ansible decrypts it on the way and places it unencrypted at the destination.

---
- name: localhost
  hosts: localhost
  tasks:
    - name: Copy the file
      ansible.builtin.copy:
        src: "./file.ext"
        dest: "/path/to/destination"

Install ansible

sudo pacman -S ansible

Create an inventory, the file where you list the hosts Ansible will manage:

# Host identified by IP
192.168.1.20

# Single host inside a named group
[vps]
192.168.1.21

# Connection settings for every host in the vps group
[vps:vars]
ansible_connection=ssh
ansible_port=2222
ansible_user=user
ansible_ssh_private_key_file=/path/to/key

# Web server group example
[web]
# Range pattern: expands to 192.168.1.31 through 192.168.1.39
192.168.1.3[1:9]

Then test the connection to the hosts:

ansible all --inventory=/path/to/inventory -m ping
# Debugging: maximum verbosity plus internal debug output
ANSIBLE_DEBUG=1 ansible -vvvvv -i inventory all -m ping

PYTHON MUST BE INSTALLED ON THE CLIENT (the managed host), otherwise the modules cannot run.

Execute an ad-hoc command on the hosts matching a pattern (here the group or host named example):

ansible example -i inventory -a "free -m"

Execute a playbook (-f 10 runs against up to 10 hosts in parallel):

ansible-playbook -i inventory playbook.yml -f 10