In this tutorial, I explain how to structure an Ansible environment with Ansible Vault support and how to store the Ansible Vault password with GnuPG.

Ansible Vault Tutorial

In this tutorial, I explain how to structure an Ansible environment with:

  • Ansible Vault support
  • a master key stored in a secret file encrypted with GPG
  • multi-user support: the master key is encrypted to several GPG keys, so each team member can decrypt it with their own key

Prerequisites

$ brew install ansible gnupg

Optional, needed only to run the demo:

$ brew install python3
$ brew cask install vagrant virtualbox
$ pip3 install paramiko

Create or edit secret file

If the secret file does not exist yet, create it:

$ ansible-vault create hosts/group_vars/all/secrets.yml

or edit this file:

$ ansible-vault edit hosts/group_vars/all/secrets.yml

Show secret content:

$ ansible-vault view hosts/group_vars/all/secrets.yml
my_secret: password

Execute demo

Start the Vagrant server:

$ vagrant up

Check that Ansible can reach the Vagrant host:

$ ansible -m ping all
server | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

Execute the test playbook, which uses a variable from Ansible Vault:

$ ansible-playbook playbooks/demo.yml

PLAY [server] ******************************************************************

TASK [Gathering Facts] *********************************************************
ok: [server]

TASK [demo : Upload template file to /home/ubuntu/test1.txt] *******************
ok: [server]

PLAY RECAP ********************************************************************
server                     : ok=2    changed=0    unreachable=0    failed=0

Check secret content in test1.txt file:

$ vagrant ssh -c "cat test1.txt"
variable: password

How Ansible Vault password is configured

The master key is stored in the secrets/ansible-vault-password.txt.gpg file. Read secrets/README.md to learn how to generate this file.

The default Vault password file is configured like this in ansible.cfg:

vault_password_file = secrets/ansible-vault.sh

The secrets/ansible-vault.sh file is a script which uses gpg to decrypt the master key and prints it on stdout, which is what ansible-vault reads as the password:

#!/bin/bash
gpg --decrypt --quiet --batch secrets/ansible-vault-password.txt.gpg
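The following script is an added example and is not part of the harobed/ansible-vault-tutorial repository (the project's own procedure lives in secrets/README.md, which is not shown here). It puts the two ideas above together: the multi-user bullet from the introduction (one master key encrypted to several GPG keys) and the decrypt-on-demand script that ansible.cfg points to. The script name make-master-key.sh, the function names, and the recipient key IDs passed on the command line are all assumptions; read_master_key mirrors secrets/ansible-vault.sh with an added check that gpg actually produced a password.

```shell
#!/bin/sh
# Added example, not part of the harobed/ansible-vault-tutorial repository:
# generate a random Ansible Vault master key and encrypt it to several GPG
# recipients, so each team member holding one of those keys can decrypt
# secrets/ansible-vault-password.txt.gpg. Key IDs are passed as arguments;
# they are placeholders for the fingerprints or e-mail addresses the team uses.
set -eu

# 32 random bytes, base64-encoded, without a trailing newline
# (ansible-vault reads the script's stdout as the password).
generate_master_key() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Turn a list of key IDs into gpg "-r ID" arguments, one pair per recipient.
recipient_args() {
  for r in "$@"; do
    printf ' -r %s' "$r"
  done
}

# Encrypt stdin to every recipient and write the result to $1.
# Word splitting of $(recipient_args ...) is intentional: key IDs contain no spaces.
encrypt_for_recipients() {
  out=$1
  shift
  [ "$#" -gt 0 ] || { echo "at least one recipient key ID is required" >&2; return 1; }
  # shellcheck disable=SC2046
  gpg --batch --yes --encrypt $(recipient_args "$@") --output "$out"
}

# Decrypt the master key for ansible-vault (the job of secrets/ansible-vault.sh);
# refuse to hand back an empty password if gpg printed nothing.
read_master_key() {
  key=$(gpg --decrypt --quiet --batch "$1")
  [ -n "$key" ] || { echo "decrypted master key is empty" >&2; return 1; }
  printf '%s' "$key"
}

# Usage: sh make-master-key.sh KEYID1 [KEYID2 ...]
# Writes secrets/ansible-vault-password.txt.gpg; re-run with the full list of
# key IDs whenever a team member is added or removed.
if [ "$#" -gt 0 ]; then
  generate_master_key | encrypt_for_recipients secrets/ansible-vault-password.txt.gpg "$@"
fi
```

Re-encrypting to a new recipient list only affects the new copy of the file: anyone who could decrypt an earlier revision (for example from git history) still knows that master key, so removing a person from the team means generating a fresh master key and rekeying the vault files with ansible-vault rekey, not just re-running the script.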
