35 lines
2.1 KiB
Markdown
35 lines
2.1 KiB
Markdown
---
|
|
title: "Keeping secrets with Ansible Vault"
|
|
pubDate: 2022-09-08
|
|
permalink: "archive/2022/09/08/keeping-secrets-with-ansible-vault"
|
|
tags: ["ansible"]
|
|
---
|
|
|
|
In the last few posts, I've talked about using Ansible for configuring servers and local environments, during both of which, you're likely to have some sensitive or secret values. These could be database credentials within your application and on your server, and your SSH private keys within your local environment.
|
|
|
|
Rather than committing these to a code repository in plain text, Ansible includes the `ansible-vault` command to encrypt values.
|
|
|
|
To see this working, run `ansible-vault encrypt_string my-secret-password`, enter a password, and then you should see something like this:
|
|
|
|
```
|
|
!vault |
|
|
$ANSIBLE_VAULT;1.1;AES256
|
|
33353031663366313132333831343930643830346531666564363562666136383838343235646661
|
|
6336326637333230396133393936646636346230623932650a333035303265383437633032326566
|
|
38616262653933353033376161633961323666366132633033633933653763373539613434333039
|
|
6132623630643261300a346438636332613963623231623161626133393464643634663735303664
|
|
66306433633363643561316362663464646139626533323363663337363361633333
|
|
```
|
|
|
|
This is the encrypted version of that password, and this could be committed and pushed to a code repository.
|
|
|
|
You can use it within a playbook, and you'll be prompted to re-enter the password so that Ansible can decrypt and use it.
|
|
|
|
Rather than a single string, you could have a file of variables that you want to encrypt. You can do this by running `ansible-vault encrypt vault.yml` and include it as before. Again, you'll be prompted by Ansible so that it can decrypt and use the values.
|
|
|
|
For an example of how I'm using Ansible Vault, see [the Dransible repository](https://github.com/opdavies/dransible/tree/986ba5097d62ff4cd0e637d40181bab2c4417f2e/tools/ansible) on GitHub or my [ Deploying PHP applications with Ansible, Ansible Vault and Ansistrano]({{site.url}}/presentations/deploying-php-ansible-ansistrano) talk.
|
|
|
|
---
|
|
|
|
Want to learn more about how I use Ansible? [Register for my upcoming free email course]({{site.url}}/ansible-course).
|