About
ansible-vault is a command line utility that stores sensitive data (a whole file or a single property value) in an encrypted format called a vault, and reads it back when needed.
Example of sensitive data:
When running a playbook, Ansible reads:
- the sensitive variables from an encrypted file or string (the vault)
- the other variables from unencrypted files or strings
Encrypted data can include:
- group_vars/ or host_vars/ inventory variables
- variables loaded by *include_vars* or *vars_files*, or any other variable file
- variables passed at the command line via the *-e @file.yml* or *-e @file.json* option of ansible-playbook
- role variables and defaults
- tasks, handlers and other Ansible objects, since they are data too
- an individual task file
Before Ansible 2.4 only one vault password could be supplied per run, so every vault used together at the same time had to be encrypted with the same password. Since 2.4, several vault ids (label plus password source) can be given and Ansible tries them in turn when decrypting.
Syntax
Usage: ansible-vault [create|decrypt|edit|encrypt|encrypt_string|rekey|view] [options] [vaultfile.yml]
encryption/decryption utility for Ansible data files
Options:
--ask-vault-pass ask for vault password
-h, --help show this help message and exit
--new-vault-id=NEW_VAULT_ID
the new vault identity to use for rekey
--new-vault-password-file=NEW_VAULT_PASSWORD_FILE
new vault password file for rekey
--vault-id=VAULT_IDS the vault identity to use
--vault-password-file=VAULT_PASSWORD_FILES
vault password file
-v, --verbose verbose mode (-vvv for more, -vvvv to enable
connection debugging)
--version show program's version number and exit
See 'ansible-vault <command> --help' for more information on a specific
command.
Management
Encrypt
Only one vault id is used when encrypting: the content is encrypted with a single password. If several --vault-id values are configured, select the one to encrypt with via --encrypt-vault-id; otherwise pass exactly one --vault-id.
String
Encrypt a property value. See Ansible - Encrypt a property (password, private key)
File
ansible-vault encrypt vaultfile.yml
# with a labelled password file (the label dev is stored in the vault header)
ansible-vault encrypt --vault-id dev@dev-password vaultfile.yml
Decrypt
File
ansible-vault decrypt vaultfile.yml
String
Decrypt a property value. See Ansible - Decrypt a property (password, private key)
Run
Password file
- to use the password file dev-password for the label dev:
ansible-playbook --vault-id dev@dev-password site.yml
- Prior to Ansible 2.4 only one password (and therefore one label) could be given, with --vault-password-file. A default password file can also be set in the configuration, see default-vault-password-file
ansible-playbook --vault-password-file dev-password site.yml
Example
- to use a password stored in the text file /path/to/my/vault-password-file (no label, so it is registered under the default vault id):
ansible-playbook --vault-id /path/to/my/vault-password-file site.yml
Prompt
- To prompt for the password of the dev vault id:
ansible-playbook --vault-id dev@prompt site.yml
# Prior to Ansible 2.4
ansible-playbook --ask-vault-pass site.yml
Example:
- To prompt for the password of the default vault id:
ansible-playbook --vault-id @prompt site.yml
Executable script
To get the password from an executable script my-vault-password.py (the file must have the executable bit set; Ansible runs it and reads the password from its standard output):
ansible-playbook --vault-id my-vault-password.py site.yml
# the same script bound to the label dev
ansible-playbook --vault-id dev@my-vault-password.py site.yml
Support
ERROR! Decryption failed (no vault secrets were found that could decrypt) on - for -
None of the supplied vault passwords matches the one used to encrypt the data. Check the password (or the password file / script output) and, when vault ids are in use, that the label passed with --vault-id is the one stored in the vault header.
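To see why the error above appears, it helps to look at what is actually in a vault header. The following is an added example, written for this page and not part of Ansible or of the original article: it parses the envelope header (format 1.1 carries no label, format 1.2 carries the vault id label after the cipher name), parses a list of --vault-id values as given in the Run section, and lists which secrets would be tried, in order. The matching rule is the documented one reimplemented here, not imported from Ansible: by default every configured secret is tried with the matching label first, and with the vault_id_match setting only the secret whose label matches the header is tried. The sample envelopes are constructed, with arbitrary hex payloads rather than real ciphertext, so the script only inspects headers and never decrypts anything.

```python
"""
Added example (not from the page or from Ansible itself): inspect the header of an
ansible-vault envelope and work out which of the secrets given with --vault-id would
be tried, mirroring the rule behind "no vault secrets were found that could decrypt".

Assumptions (documented Ansible behaviour, reimplemented here, not imported):
  * format 1.1 headers look like  $ANSIBLE_VAULT;1.1;AES256  and carry no label,
    format 1.2 headers look like  $ANSIBLE_VAULT;1.2;AES256;<label>
  * a --vault-id value without '@' is a password source for the label "default"
  * by default every secret is tried (matching label first); with vault_id_match
    only the secret whose label matches the header is tried.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

HEADER_RE = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>1\.[12]);(?P<cipher>[A-Z0-9]+)"
    r"(?:;(?P<vault_id>[^;\r\n]+))?$"
)


class VaultSecretNotFound(Exception):
    """Raised when no configured secret could apply to the envelope."""


@dataclass
class VaultEnvelope:
    version: str
    cipher: str
    vault_id: Optional[str]   # None for format 1.1
    body_hex: str             # hex-encoded payload with whitespace removed


def parse_vault_envelope(text: str) -> VaultEnvelope:
    """Split a vault envelope into header fields and payload, rejecting malformed input."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines:
        raise ValueError("empty input")
    m = HEADER_RE.match(lines[0])
    if m is None:
        raise ValueError("not an ansible-vault envelope: %r" % lines[0])
    version, vault_id = m["version"], m["vault_id"]
    # 1.1 never carries a label and 1.2 always does; anything else is corruption.
    if (version == "1.1") == (vault_id is not None):
        raise ValueError("header version %s inconsistent with label %r" % (version, vault_id))
    body = "".join(lines[1:])
    if not body or re.fullmatch(r"[0-9a-f]+", body) is None:
        raise ValueError("vault payload is not lowercase hex")
    return VaultEnvelope(version, m["cipher"], vault_id, body)


def parse_vault_id_option(value: str) -> tuple:
    """'dev@dev-password' -> ('dev', 'dev-password'); a bare source gets label 'default'."""
    if "@" in value:
        label, source = value.split("@", 1)
        return label, source
    return "default", value


def secrets_to_try(env: VaultEnvelope, vault_ids: List[str], id_match: bool = False) -> List[str]:
    """Return the labels that would be tried, in order, for this envelope.

    Raises VaultSecretNotFound when the list would be empty, which is the situation
    behind Ansible's "no vault secrets were found that could decrypt" error.
    """
    labels = [parse_vault_id_option(v)[0] for v in vault_ids]
    if env.vault_id is None:          # format 1.1: no label to match on, try everything
        order = labels
    else:
        matching = [l for l in labels if l == env.vault_id]
        others = [] if id_match else [l for l in labels if l != env.vault_id]
        order = matching + others
    if not order:
        raise VaultSecretNotFound(
            "Decryption failed (no vault secrets were found that could decrypt) "
            "for vault id %r; configured labels: %s" % (env.vault_id, labels))
    return order


# Constructed sample envelopes: the payloads are arbitrary hex, not real ciphertext.
SAMPLE_DEV = """$ANSIBLE_VAULT;1.2;AES256;dev
3731623862393165366335323433393933373165346566366635633661643565
3961383563343537623962353033633335626232623565610a393764393233
"""
SAMPLE_LEGACY = """$ANSIBLE_VAULT;1.1;AES256
3038343934373836626339373438316335653063353830356366316131623833
"""

if __name__ == "__main__":
    env = parse_vault_envelope(SAMPLE_DEV)
    print("label in header:", env.vault_id)
    print("tried, default mode    :", secrets_to_try(env, ["prod@prod-password", "dev@dev-password"]))
    print("tried, vault_id_match  :", secrets_to_try(env, ["prod@prod-password", "dev@dev-password"], id_match=True))
    try:
        secrets_to_try(env, ["prod@prod-password"], id_match=True)
    except VaultSecretNotFound as e:
        print("ERROR!", e)
```

Running the script against a real vault file (read its text and pass it to parse_vault_envelope) tells you, before any password is typed, whether the file is a labelled 1.2 envelope and which label it expects; when the label is not among your --vault-id values and vault_id_match is on, the result is exactly the "Decryption failed" situation from the Support section.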