Questions tagged [ansible-vault]

For questions about Ansible Vault - an Ansible feature that allows keeping sensitive data in encrypted files rather than in plain text in various configuration files.

12 questions
34 votes, 5 answers

Where to put ansible-vault password

We are planning to use ansible vault in our project to prevent leaking passwords or keys in git. The idea is to put all our sensitive data into a plain file then encrypt this file with ansible-vault using a password before pushing to git. To…
storm
23 votes, 1 answer

Git clean/smudge filters for ansible vault secrets

I am trying to set up a clean/smudge filter in git to have automatic encrypting and decrypting of files containing secrets thru the ansible-vault command. A peculiarity of the ansible-vault command is that it is not idempotent (it creates a different binary…
ᴳᵁᴵᴰᴼ
17 votes, 3 answers

What are best practices for using Ansible Vault on public CIs and Source Control Repositories like BitBucket?

Introduction: On private CIs and Source Control Repositories like Gitlab-ce it is possible to copy an ~/.vault_pass.txt to the server and let it be used by the CI to decrypt files using Ansible. Problem: On public CIs and Source Control Repositories…
030
13 votes, 2 answers

How do I run Ansible Azure playbooks while avoiding storing credentials in files?

Background We use Ansible to provision and manage Azure infrastructure. At the moment we run Ansible "manually" i.e. we manually execute playbooks for various automated tasks. No CI infrastructure. Probably not relevant but we manage our inventory…
Vish
10 votes, 3 answers

Why could the encrypted Ansible files not be decrypted although the vault password file has been set?

Follow-up to this Q&A. According to this and this documentation it should be possible to define a default vault password file by specifying vault_password_file = ~/.vault_pass.txt in one of the following files: * ANSIBLE_CONFIG (an environment…
030
8 votes, 2 answers

What are best practices of structuring encrypting variables since Ansible 2.3.0?

This document indicates that since Ansible 2.3 it should be possible to encrypt certain vars using a !vault | prefix instead of putting a variable and keys in a vault file and encrypt it completely. notsecret: myvalue mysecret: !vault | …
030
4 votes, 1 answer

How to ansible-vault files as they are committed to Git

I'm trying to use ansible-vault to secure the secret files in my project before I push them to Git. There's loads of advice out there on how to set this up in part, but everything I've read is specifically for diff'ing these files, not how to…
Jim ReesPotter
4 votes, 2 answers

How to store/retrieve multiple ansible-vault passwords within/from a single file

Update: As @yaobin pointed out. It appears they removed the part about the multiple passwords being in a single file. It was here as can be seen from web…
yurtesen
4 votes, 2 answers

Including vault-encrypted variables in a task

I just recently started to use Ansible, and am trying to deploy a configuration file that contains a secret key and email (for credentials to use with an API). I encrypted them with ansible-vault encrypt_string ..., and added them to playbook: -…
Lucky The Rabbit
2 votes, 2 answers

Use an asymmetric cypher to secure Ansible vault

I'm trying to develop a Playbook which must handle sensitive user data (SSH keys, Registry credentials, etc.). Only a user and the Ansible controller can see the data associated with that same user. The data will be stored in a Git repository,…
Adrien H
1 vote, 1 answer

ansible-pull ignore group_vars vault

How do I ignore the group_vars vault file when running ansible-pull? My repository (among other stuff) does machine init, joining the domain and software updates. I would like the software part to be handled by ansible-pull. No passwords are…
0 votes, 2 answers

Can I ask somehow ansible to ignore files in the inventory?

I get this: [WARNING]: * Failed to parse /ansible/inventory/path/thing.sh with script plugin: problem running /ansible/inventory/path/thing.sh --list ([Errno 13] Permission denied: '/ansible/inventory/path/thing.sh') [WARNING]: * Failed to parse…
peterh