
ALL ABOUT ANSIBLE VAULT


This post is about using Ansible Vault, a way to encrypt sensitive information in Ansible projects.

A typical Ansible setup includes some sort of secret that is needed to fully set up a server or application. Common types of secret include passwords, SSH keys, TLS certificates and private keys, API tokens, and anything else the user does not want the public to see.

Since Ansible configuration is commonly stored in version control, we need a way to store confidential data securely alongside it.

Ansible Vault is the answer. It encrypts whole files, or (since Ansible 2.3) individual values inside a YAML file, with a password of the user's choice, so the encrypted content can be committed like any other file in the repository.

USING ANSIBLE VAULT

A classic use of Ansible Vault is to encrypt variable files. Vault can encrypt any file, but the most common files to encrypt are:

* Files within the group_vars directory
* A role’s defaults/main.yml file
* A role’s vars/main.yml file
* Any other file used to store variables.

ENCRYPTING AN EXISTING FILE

The typical use case is to take a normal plaintext variable file and encrypt it. Using ansible-vault, we encrypt the file and set the password that will be needed to decrypt it later:

# Encrypt a role's defaults/main.yml file
ansible-vault encrypt defaults/main.yml
> New Vault password:
> Confirm New Vault password:
> Encryption successful

The ansible-vault command prompts for the password twice. Once that is done, the file is encrypted. If the user opens the file directly, only the encrypted text is visible. It looks something like this:

$ANSIBLE_VAULT;1.1;AES256
65326233363731663631646134306563353236653338646433343838373437373430376464616339
3333383233373465353131323237636538363361316431380a643336643862663739623631616530
35356361626434653066316661373863313362396162646365343166646231653165303431636139
6230366164363138340a356631633930323032653466626531383261613539633365366631623238
32396637623866633135363231346664303730353230623439633666386662346432363164393438

CREATING AN ENCRYPTED FILE

If the user wants to create a new encrypted file instead of encrypting an existing one, the create command opens an editor and encrypts the file when it is saved:

ansible-vault create defaults/extra.yml
> New Vault password:
> Confirm New Vault password:

EDITING A FILE

Once a file is encrypted, it can only be edited through ansible-vault, which decrypts it into a temporary copy for the editor and re-encrypts it on save. Here is how to edit the file after it has been encrypted:

ansible-vault edit defaults/main.yml
> Vault password:

This asks for the password that was used to encrypt the file. Playbooks that use the file need the same password at run time, supplied to ansible-playbook with --ask-vault-pass or --vault-password-file.
You'll lose your data if you lose your password! There is no recovery mechanism.

ENCRYPTING SPECIFIC VARIABLES

The user does not have to encrypt a whole file! Encrypting only the sensitive values keeps the rest of the file readable, so changes to it show up as normal diffs in git instead of the entire encrypted file changing for every small edit.

The most basic use case is to run it interactively on the CLI and get the formatted YAML as output, ready to paste into a variables file (add --name VAR_NAME to have the output include the variable name):

ansible-vault encrypt_string
> New Vault password:
> Confirm New Vault password:
> Reading plaintext input from stdin. (ctrl-d to end input)
this is a plaintext string
> !vault |
>           $ANSIBLE_VAULT;1.1;AES256
>           39393766663761653337386436636466396531353261383237613531356531343930663133623839
>           3436613834303264613038623432303837393261663233640a363633343337623065613166306363
>           37336132363462386138343535346264333061656134636631326164643035313433393831616131
>           3635613565373939310a316132313764356432333366396533663965333162336538663432323334
>           33656365303733303664353961363563313236396262313739343461383036333561
> Encryption successful
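Because the encrypted values and the plaintext variables live side by side in the same repository, the failure mode to guard against is a value that was meant to be vaulted being committed in the clear. The script below is an added example, not code from the original post or from the Ansible project: a pre-commit style check in POSIX sh that treats any file starting with the $ANSIBLE_VAULT; header as a whole-file vault and, for every other YAML vars file, flags secret-looking keys whose value is not an inline !vault block. The key-name heuristic (password, passwd, secret, token, api_key, private_key) is an assumption to tune to your own naming; the sample files are constructed and their hex bodies are filler shaped like encrypt_string output, not real ciphertext. It needs no Ansible installation.

```shell
#!/bin/sh
# Added example (not from the original post or the Ansible project):
# pre-commit style checks for an Ansible repo, so a secret meant for the
# vault never lands in git in plaintext. Needs only POSIX sh, grep and sed;
# ansible-vault does not have to be installed.

# 0 if FILE is a whole-file vault: `ansible-vault encrypt` writes the header
# $ANSIBLE_VAULT;1.1;AES256 (format 1.2 adds a vault-id label after the cipher).
is_vaulted() {
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# Print the keys in a plaintext YAML vars FILE that look like secrets but
# whose value is not an inline `!vault |` block. The key-name heuristic is an
# assumption for this example; adapt it to your own naming convention.
unvaulted_secrets() {
    grep -Ei '^[[:space:]]*[a-z0-9_]*(password|passwd|secret|token|api_key|private_key)[a-z0-9_]*:' "$1" \
        | grep -Ev ':[[:space:]]*!vault' \
        | sed -E 's/^[[:space:]]*([^:]+):.*/\1/'
}

# 0 if FILE has no plaintext secrets, 1 (plus a message on stderr) otherwise.
check_vars_file() {
    offenders=$(unvaulted_secrets "$1")
    if [ -n "$offenders" ]; then
        printf '%s: plaintext secret(s): %s\n' "$1" \
            "$(printf '%s' "$offenders" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Check every *.yml in DIR: whole-file vaults pass untouched, everything else
# is scanned. Returns 1 if any file fails, which is what a pre-commit hook wants.
scan_dir() {
    rc=0
    for f in "$1"/*.yml; do
        if is_vaulted "$f"; then
            continue
        fi
        check_vars_file "$f" || rc=1
    done
    return $rc
}

# Constructed sample files for the demo (not real project data). The hex
# bodies are filler shaped like vault output, not real ciphertext.
make_samples() {
    mkdir -p "$1"
    cat > "$1/all.yml" <<'EOF'
$ANSIBLE_VAULT;1.1;AES256
65326233363731663631646134306563353236653338646433343838373437373430376464616339
EOF
    cat > "$1/db.yml" <<'EOF'
db_user: app
db_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          39393766663761653337386436636466396531353261383237613531356531343930663133623839
          3436613834303264613038623432303837393261663233640a363633343337623065613166306363
api_token: 0123456789abcdef   # meant to be vaulted, committed in the clear
EOF
    cat > "$1/web.yml" <<'EOF'
http_port: 8080
EOF
}

WORK=$(mktemp -d)
make_samples "$WORK"
if scan_dir "$WORK"; then
    echo "ok: no plaintext secrets found"
else
    echo "commit blocked: run ansible-vault encrypt_string on the keys listed above"
fi
rm -rf "$WORK"
```

Wired into .git/hooks/pre-commit (with scan_dir pointed at group_vars and the roles' vars directories) the non-zero exit aborts the commit before the secret reaches history; an already-pushed plaintext secret has to be treated as compromised and rotated, not just encrypted after the fact.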

WHAT IS A ANSIBLE TOWER?


Ansible Tower (formerly 'AWX') is a web-based solution that makes Ansible easier to use for IT teams of all kinds. It is designed to be the hub for all of your automation tasks.

Tower lets you control who can access what, and can even share SSH credentials with users without letting them see or extract those credentials. Inventory can be managed graphically or synced from a wide variety of cloud sources. Tower logs all of your jobs, integrates with LDAP for authentication, and exposes a browsable REST API. Command line tools are available for easy integration with Jenkins, and provisioning callbacks support autoscaling topologies, where a newly created host requests its own configuration.

WHAT ARE ANSIBLE PLAYBOOKS?


Playbooks express configuration, deployment, and orchestration in Ansible. They are written in YAML. Each playbook maps a group of hosts to a set of roles, and each role is made up of tasks, each of which is a call to an Ansible module.