Vault Configuration
Ansible Vault is a powerful feature that allows you to securely store sensitive information, such as passwords, API keys, and certificates, in encrypted files. By using Vault, you can keep your sensitive data separate from your playbooks and inventory files, ensuring that they are not exposed in plain text.
Creating the Vault File
To create a new Vault file, use the ansible-vault create
command followed by the name of the file you want to create. In this example, we'll create a file named vault.yml
:
ansible-vault create vault.yml
You will be prompted to enter a password to encrypt the file. Choose a strong password and remember it, as you will need it to edit or decrypt the file later.
Encrypting Sensitive Data
Once you have created the Vault file, you can add your sensitive data to it. Open the file using the ansible-vault edit
command:
ansible-vault edit vault.yml
Enter the password you set earlier, and the file will open in your default text editor. Add your sensitive variables in YAML format, for example:
---
ansible_become_pass: your_sudo_password
github_token: your_github_token
Save the file and exit the editor. The sensitive data is now encrypted and secure.
Using Vault Variables in Playbooks
To use the encrypted variables in your playbooks, you need to decrypt them during runtime. Ansible provides the --ask-vault-pass
option to prompt for the Vault password when running a playbook:
Step 1
Include the Vault variables in your playbook using the include_vars
module:
- name: Include Vault variables
include_vars:
file: vault.yml
Step 2
Run the playbook with the --ask-vault-pass
option:
ansible-playbook your_playbook.yml --ask-vault-pass
Ansible will prompt you for the Vault password and decrypt the variables during playbook execution.
If you don't want to enter the Vault password every time you run a playbook, you can use a password file. Create a file containing the password, and use the --vault-password-file
option followed by the path to the password file when running the playbook.
By using Ansible Vault, you can securely manage sensitive information in your homelab deployment. This ensures that your passwords, API keys, and other confidential data remain protected and are not inadvertently exposed in your configuration files.
For more information on advanced Vault usage, such as encrypting specific variables or using multiple Vault passwords, refer to the official Ansible Vault documentation (opens in a new tab).