Ansible - Vault



A vault is data stored in an encrypted format. The encryption is bound to a vault id: the combination of a label and a password.

Encrypted data may be a whole file or a single property value (a variable).

This is available since Ansible 2.4.

The same vault id (i.e. the same password) must be used for all files and property values that you wish to use together at the same time.


A vault id is the vault identifier. Its format is label@password_source (as in the example dev@dev-password below), where:


  • label is an optional tag (example: ‘dev’, ‘prod’, ‘cloud’, etc.)
  • password_source defines the source of the password (example: prompt, a file path, etc.)


A label is a property of a vault that categorizes it. Example labels:


  • ‘dev’, ‘prod’, ‘cloud’, etc.

Therefore, files or vars can be encrypted with different passwords. Vault ids are a way to group sensitive data (for instance by environment: dev, prod, …).

Example: a playbook can now include a vars file encrypted with a:

  • ‘dev’ vault id
  • and a ‘prod’ vault id.



The --vault-id CLI option passes a vault id; it can be repeated to pass several.

ansible-playbook [--vault-id ...]
# Example
ansible-playbook --vault-id dev@dev-password --vault-id prod@prompt site.yml


If the vault content was encrypted using a --vault-id option, then the label of the vault id is stored with the vault content.

The default is to try this matching id first, then try the other vault ids in order if provided.

Default Conf:


The encrypted file or string has the following format:



  • the first line is a header where:
    • ANSIBLE_VAULT is the vault format id,
    • 1.1 is the vault format version,
    • AES256 is the cipher id
  • the second line is the vaulttext. This is a concatenation of the ciphertext and a SHA256 digest, with the result hexlified.


Vaults are managed with the Ansible - Ansible-vault command line utility.


AnsibleVaultError: Decryption failed (no vault secrets were found that could decrypt)

One cause may be that your password source is a script and that this script does not have the execute permission. Without it, the script is read as a plain file, so its text is used as the password. Fix:

chmod +x <your-password-script>
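The following is an added example (not code from this page or from the Ansible project) that illustrates the two points above: how a --vault-id value splits into label and password source, and why a password script without the execute bit ends in "no vault secrets were found that could decrypt". It assumes the label@password_source form shown in the example above, the name "default" for a vault id given without a label, and the rule that a readable path with the execute bit set is run as a password client while any other path is read as a file. The script it writes to a temporary directory is constructed for the demo.

```python
import os
import stat
import tempfile

# Label used when a --vault-id value has no "label@" prefix
# (assumption: "default" is the name used for that case).
DEFAULT_VAULT_ID = "default"


def parse_vault_id(slug: str) -> tuple:
    """Split a --vault-id value of the form label@password_source.

    A bare value such as "prompt" or "/path/to/pw" has no label and gets
    the default one. The split is on the first "@"."""
    if "@" in slug:
        label, source = slug.split("@", 1)
        return label, source
    return DEFAULT_VAULT_ID, slug


def classify_source(source: str) -> str:
    """Say how a password source would be read.

    "prompt" asks the user; a path with the execute bit set is run as a
    password client script whose stdout is the password; any other path is
    read as a plain file whose content is the password."""
    if source == "prompt":
        return "prompt"
    if not os.path.exists(source):
        return "missing"
    if os.access(source, os.X_OK):
        return "script"
    return "file"


def diagnose(vault_ids: list) -> list:
    """Return one (label, source, kind, advice) tuple per --vault-id value.

    The interesting case is a script saved without the execute bit: it is
    then read as a file, so its *source text* becomes the password and
    decryption fails with "no vault secrets were found that could decrypt"."""
    report = []
    for slug in vault_ids:
        label, source = parse_vault_id(slug)
        kind = classify_source(source)
        advice = ""
        if kind == "file":
            with open(source, "rb") as fh:
                first = fh.readline()
            if first.startswith(b"#!"):        # looks like a script, not a password
                kind = "script-without-exec-bit"
                advice = "chmod +x %s" % source
        report.append((label, source, kind, advice))
    return report


def demo() -> dict:
    """Write a constructed password script in a temp dir and diagnose it
    before and after chmod +x; returns the kinds seen in both runs."""
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "dev-password")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\necho 'constructed-dev-password'\n")
        before = diagnose(["dev@" + script, "prod@prompt"])
        os.chmod(script, os.stat(script).st_mode | stat.S_IXUSR)
        after = diagnose(["dev@" + script])
    return {"before": before[0][2], "advice": before[0][3].startswith("chmod +x"),
            "prompt": before[1][2], "after": after[0][2]}


if __name__ == "__main__":
    for row in diagnose(["dev@dev-password", "prod@prompt"]):
        print(row)
    print(demo())
```

Running diagnose() on the vault ids you pass to ansible-playbook before the play starts turns the vague decryption error into a concrete finding (a script without its execute bit, or a path that does not exist on the host running the play).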

AnsibleError: input is not vault encrypted data

The input is not Ansible vault encrypted data.

Example: you can get this error when you copy an encrypted value and paste the !vault statement twice, as here:


vault_wkf_password: !vault |
  !vault |
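The following is an added example (not code from this page or from the Ansible project) that serves the format section above and this error: it parses a vault payload into its header fields (format id, version, cipher and, for version 1.2, the stored label) and the hexlified vaulttext, checks the SHA256 digest against a password, and rejects input that does not start with the header, which is exactly what the doubled !vault line produces. It assumes the layout of the vaulttext as salt, HMAC-SHA256 digest and ciphertext (each hex, joined by newlines, then hexlified again) and the key derivation PBKDF2-HMAC-SHA256 with 10000 rounds; the sample payload it builds is constructed, with placeholder bytes in place of a real AES-CTR ciphertext, so it exercises the structure and the integrity check only.

```python
import binascii
import hashlib
import hmac

HEADER_TAG = b"$ANSIBLE_VAULT"
KNOWN_VERSIONS = {b"1.1", b"1.2"}   # 1.2 adds the vault id label as a 4th header field
KNOWN_CIPHERS = {b"AES256"}


def parse_vault_text(text: str) -> dict:
    """Split a vault payload into its header fields and the three hex parts
    of the vaulttext (salt, HMAC-SHA256 digest, ciphertext).
    Raises ValueError, wording the first error like Ansible does."""
    data = text.strip().encode()
    if not data.startswith(HEADER_TAG):
        raise ValueError("input is not vault encrypted data")
    header, _, body = data.partition(b"\n")
    fields = header.split(b";")
    if len(fields) not in (3, 4):
        raise ValueError("malformed vault header: %r" % header)
    version, cipher = fields[1], fields[2]
    if version not in KNOWN_VERSIONS:
        raise ValueError("unknown vault format version: %r" % version)
    if cipher not in KNOWN_CIPHERS:
        raise ValueError("unknown vault cipher: %r" % cipher)
    try:
        inner = binascii.unhexlify(b"".join(body.split()))   # undo the 80-column wrapping
        salt_hex, digest_hex, ct_hex = inner.split(b"\n")
        salt, ciphertext = binascii.unhexlify(salt_hex), binascii.unhexlify(ct_hex)
    except (binascii.Error, ValueError):
        raise ValueError("vaulttext is not the expected hex structure") from None
    return {
        "version": version.decode(),
        "cipher": cipher.decode(),
        "label": fields[3].decode() if len(fields) == 4 else None,
        "salt": salt,
        "digest": digest_hex.decode(),
        "ciphertext": ciphertext,
    }


def hmac_key(password: bytes, salt: bytes) -> bytes:
    """Key derivation assumed here: PBKDF2-HMAC-SHA256, 10000 rounds, 80 bytes
    = 32-byte AES key + 32-byte HMAC key + 16-byte IV. Only the HMAC key is
    needed to check integrity."""
    derived = hashlib.pbkdf2_hmac("sha256", password, salt, 10000, dklen=80)
    return derived[32:64]


def digest_matches(parsed: dict, password: bytes) -> bool:
    """True when the stored digest is the HMAC-SHA256 of the ciphertext under
    the key derived from password and salt. A wrong password (or a vault id
    whose password does not match) fails here, before any decryption."""
    key = hmac_key(password, parsed["salt"])
    expected = hmac.new(key, parsed["ciphertext"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, parsed["digest"])


def build_sample(password: bytes, label: str = None) -> str:
    """Constructed vault payload: real salt/digest layout, but the ciphertext
    is placeholder bytes, not an AES-CTR encryption of anything."""
    salt = hashlib.sha256(b"constructed-salt").digest()      # 32 fixed bytes, for reproducibility
    ciphertext = b"constructed-placeholder-ciphertext"
    digest = hmac.new(hmac_key(password, salt), ciphertext, hashlib.sha256).hexdigest()
    inner = b"\n".join([binascii.hexlify(salt), digest.encode(), binascii.hexlify(ciphertext)])
    outer = binascii.hexlify(inner).decode()
    header = "$ANSIBLE_VAULT;1.2;AES256;%s" % label if label else "$ANSIBLE_VAULT;1.1;AES256"
    lines = [outer[i:i + 80] for i in range(0, len(outer), 80)]
    return "\n".join([header] + lines) + "\n"


def check(text: str, password: bytes) -> str:
    """One-word verdict: ok, bad-password, not-vault or malformed."""
    try:
        parsed = parse_vault_text(text)
    except ValueError as err:
        return "not-vault" if "not vault encrypted" in str(err) else "malformed"
    return "ok" if digest_matches(parsed, password) else "bad-password"


if __name__ == "__main__":
    pw = b"constructed-dev-password"
    sample = build_sample(pw, label="dev")
    print(sample)
    print(check(sample, pw))                    # ok
    print(check(sample, b"wrong"))              # bad-password
    print(check("!vault |\n" + sample, pw))     # not-vault: the doubled !vault line from above
```

The "not-vault" verdict is the parser-level check that yields "input is not vault encrypted data": the value handed to the decryptor starts with the text "!vault |" instead of the $ANSIBLE_VAULT header. The "bad-password" verdict is the integrity check that precedes decryption, which is why a wrong vault id surfaces as "no vault secrets were found that could decrypt" rather than as garbage plaintext.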
