Hello World with Vault
Tip
We recommend using the Sandbox to play around with this example.
Tip
All the files from this section are in hello-world-with-vault.zip.
Ansible includes a vault, which is the recommended place to store passwords and other secrets.
Vault
The vault encrypts the content of the file. For example,
$ANSIBLE_VAULT;1.1;AES256
35663732313535623662313965383035646632653230666333306566393339353136393336623732
3862316632326663663532326639343238636537386436370a333236646232383665303866656539
34643633653731346531393231303034646665383831626438376461363138363438326330326162
6133353030313661330a306362353337353531653436313664313733663064346161356461393930
61373634623462366138666261323365326233663935303136663536653361613930
The content can be decrypted with
ansible-vault view vault/production
Note
The password for the vault used in the example is 123. You must use a strong password, for example a minimum of 8 randomly generated characters.
For our example, it returns
managed_node_password: 123
To create a new vault, we use
ansible-vault create path/to/new/vault/file
And to edit an existing vault, we use
ansible-vault edit path/to/existing/vault/file
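As an added example (not code from the original page or from Ansible itself), the following Python parses the envelope of the encrypted file shown above and flags "vault" files that are not actually encrypted, which is a handy pre-commit check before a vault/production file reaches a repository. The sample input is the vault/production blob from this page; the header fields and the hex-encoded salt/HMAC/ciphertext body layout are those of Ansible's AES256 vault format.

```python
import binascii
from dataclasses import dataclass
from typing import Dict, List, Optional

VAULT_HEADER = "$ANSIBLE_VAULT"

# Sample input: the encrypted vault/production shown on this page.
PRODUCTION_VAULT = """$ANSIBLE_VAULT;1.1;AES256
35663732313535623662313965383035646632653230666333306566393339353136393336623732
3862316632326663663532326639343238636537386436370a333236646232383665303866656539
34643633653731346531393231303034646665383831626438376461363138363438326330326162
6133353030313661330a306362353337353531653436313664313733663064346161356461393930
61373634623462366138666261323365326233663935303136663536653361613930
"""

@dataclass
class VaultEnvelope:
    version: str            # envelope format version, e.g. "1.1"
    cipher: str             # cipher name, e.g. "AES256"
    vault_id: Optional[str] # label present only in 1.2 envelopes
    salt: bytes             # PBKDF2 salt (32 bytes for AES256)
    hmac: bytes             # HMAC-SHA256 over the ciphertext (32 bytes)
    ciphertext: bytes       # AES-CTR output, padded to a 16-byte boundary

def parse_vault(text: str) -> VaultEnvelope:
    """Split a vault file into its header fields and the three hex-encoded parts."""
    lines = text.strip().splitlines()
    header = lines[0].split(";") if lines else []
    if not header or header[0] != VAULT_HEADER or len(header) not in (3, 4):
        raise ValueError("not an Ansible Vault envelope")
    # The body is hex of "salt_hex\nhmac_hex\nciphertext_hex" (AES256 layout).
    parts = binascii.unhexlify("".join(lines[1:])).split(b"\n")
    if len(parts) != 3:
        raise ValueError("envelope body does not hold salt, hmac and ciphertext")
    salt, mac, ct = (binascii.unhexlify(p) for p in parts)
    if len(salt) != 32 or len(mac) != 32 or len(ct) % 16:
        raise ValueError("malformed AES256 envelope")
    vault_id = header[3] if len(header) == 4 else None
    return VaultEnvelope(header[1], header[2], vault_id, salt, mac, ct)

def unencrypted_vault_files(files: Dict[str, str]) -> List[str]:
    """Return the names of files that should be vaults but do not parse as one."""
    bad = []
    for name, content in files.items():
        try:
            parse_vault(content)
        except (ValueError, binascii.Error):
            bad.append(name)  # plaintext or truncated: must not be committed
    return bad
```

Run it over every file under vault/ in a pre-commit hook and fail the commit when the returned list is not empty.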
Inventory
web:
  hosts:
    managed_node_01:
      ansible_user: ansible
      ansible_password: '{{ managed_node_password }}'
The above inventory uses the variable managed_node_password defined in the vault.
Note
The syntax {{ variable_name }} comes from Jinja and will be detailed later in Hello World with Jinja.
Tip
As you will learn later in Variable precedence, this duplication can be avoided by defining the variable ansible_password directly in the vault.
Playbook
- name: My first play
  hosts:
    - web
  tasks:
    - name: Print message
      ansible.builtin.debug:
        msg: Hello world
Running
When using a vault, a few more arguments to ansible-playbook are required: --ask-vault-pass prompts the user for the vault password, and --extra-vars loads the variables defined in the vault.
Important
The location of the vault must be prepended with @ to inform Ansible that the argument is a file.
cd hello-world-with-vault
ansible-playbook \
--ask-vault-pass \
-i inventories/production.yml \
--extra-vars @vault/production \
playbook.yaml
Note
The password for the vault used in the example is 123. You must use a strong password, for example a minimum of 8 randomly generated characters.
returns
PLAY [My first play] ***********************************************************
TASK [Gathering Facts] *********************************************************
ok: [managed_node_01]
TASK [Print message] ***********************************************************
ok: [managed_node_01] => {
"msg": "Hello world"
}
PLAY RECAP *********************************************************************
managed_node_01 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Continuous Delivery
In the previous example, we used --ask-vault-pass to provide the vault password manually. In the context of continuous delivery, we need another way to provide it. Most continuous delivery solutions provide a way to store and access secrets. The simplest solution is to store the vault password as a secret in the continuous delivery platform and, during execution, temporarily write it to a file that is handed to Ansible with --vault-password-file. For example,
cd hello-world-with-vault
echo 123 > vault-password.txt
ansible-playbook \
-i inventories/production.yml \
--extra-vars @vault/production \
--vault-password-file vault-password.txt \
playbook.yaml
uses the content of the file vault-password.txt.