
Maintaining Secure Secrets in Ansible v2.3

By Chris (Rain) Avila
Jun 26, 2017

Maintaining secure secrets in Ansible got even easier with the 2.3 release. I’m personally a huge fan of it. Prior to Ansible v2.3, the typical way to store sensitive variable data was to put it in a single file, include that file in a play, and encrypt the whole file with Ansible Vault; Ansible would then decrypt the file at play execution time.

There’s no major downside to doing it this way. The encrypted Vault file would typically be edited with “ansible-vault edit file --ask-vault-pass”: the file would open decrypted, you could edit it, save your changes, and things were good to go. In Ansible v2.3, however, there is now a way to encrypt a single variable rather than the whole file, using the new “ansible-vault encrypt_string” command. With this feature, you give it a single value and only that value is encrypted; the rest of the file stays readable and diffable in version control.

The command prints a YAML snippet (the variable name followed by a “!vault” tagged block) that you then paste into a variables file for later use.

You can also easily reference the variable later in a template, and the variables file and template can be safely uploaded to GitHub without exposing your secrets: only the encrypted value is committed. Keep in mind that the file rendered from the template on the managed host does contain the plaintext, so restrict its permissions there.

When running plays, Ansible decrypts the value if you either pass the vault password at play execution (“--ask-vault-pass”) or store the vault password in a separate file and set the environment variable “ANSIBLE_VAULT_PASSWORD_FILE” (or pass “--vault-password-file”) to the path of that file. That file is the key to every secret in the repository, so it must never be committed and should be readable only by the user running Ansible.
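The whole workflow from the sections above, as an added example that is not part of the original post. It assumes a vault password file named .vault_pass, a variable named db_password, a vars file group_vars/all/vault.yml and a template templates/db.conf.j2 (all names are illustrative). Besides the encrypt_string, vars-file, template and password-file steps, it adds two checks the post does not show: the password file is generated with owner-only permissions, and a pre-commit style check refuses a vars file in which a secret-looking key is not a !vault block or a !vault block is missing its $ANSIBLE_VAULT header. The value to encrypt is piped on stdin rather than passed as an argument so it does not land in shell history or in ps output. The end-to-end run against localhost only executes when ansible-vault is on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed names: .vault_pass,
# db_password, group_vars/all/vault.yml, templates/db.conf.j2, site.yml.

# 1. Vault password file: random, owner-readable only. This file is what
#    ANSIBLE_VAULT_PASSWORD_FILE points at; it must never be committed
#    (add it to .gitignore), unlike the encrypted values it unlocks.
new_vault_password_file() {
    ( umask 077; head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$1" )
    chmod 600 "$1"
}

# 2. Encrypt one value. The secret is read from stdin (use printf '%s' so no
#    trailing newline is encrypted), so it never appears as a command-line
#    argument. Output is a ready-to-paste "name: !vault |" YAML block.
#    usage: printf '%s' "$value" | encrypt_var db_password >> group_vars/all/vault.yml
encrypt_var() {
    ansible-vault encrypt_string \
        --vault-password-file "${ANSIBLE_VAULT_PASSWORD_FILE:?set to the vault password file}" \
        --stdin-name "$1"
}

# 3. Pre-commit check for a vars file. Returns 1 if a key that looks like a
#    secret (password/secret/token/api_key) has a plaintext value, or if the
#    number of !vault tags and $ANSIBLE_VAULT headers disagree (botched paste).
check_no_plaintext() {
    [ -r "$1" ] || return 2
    if grep -Ein '^[[:space:]]*[a-z0-9_]*(password|secret|token|api_key)[a-z0-9_]*:[[:space:]]*[^![:space:]]' "$1"; then
        echo "plaintext secret in $1" >&2
        return 1
    fi
    tags=$(grep -c '!vault' "$1" || true)
    # 1.1 is the format Ansible 2.3 writes; 1.2 (vault ids) appears in later versions.
    headers=$(grep -c '^[[:space:]]*\$ANSIBLE_VAULT;1\.[12];AES256' "$1" || true)
    if [ "$tags" -ne "$headers" ]; then
        echo "!vault tag/header mismatch in $1 ($tags tags, $headers headers)" >&2
        return 1
    fi
    return 0
}

# 4. End to end against localhost: encrypt, paste into the vars file, verify it is
#    safe to commit, reference it from a template, run the play with the
#    password file supplied via ANSIBLE_VAULT_PASSWORD_FILE instead of --ask-vault-pass.
demo() {
    work=$(mktemp -d) && cd "$work" || return 1
    mkdir -p group_vars/all templates
    new_vault_password_file "$work/.vault_pass"
    export ANSIBLE_VAULT_PASSWORD_FILE="$work/.vault_pass"
    printf '%s' 'hunter2' | encrypt_var db_password >> group_vars/all/vault.yml
    check_no_plaintext group_vars/all/vault.yml || return 1
    printf 'password = {{ db_password }}\n' > templates/db.conf.j2
    cat > site.yml <<'EOF'
- hosts: localhost
  connection: local
  tasks:
    - name: Render config (the rendered file holds the plaintext, so lock its mode)
      template:
        src: db.conf.j2
        dest: /tmp/db.conf
        mode: '0600'
EOF
    ansible-playbook -i localhost, site.yml
}

if command -v ansible-vault >/dev/null 2>&1; then demo; fi
```

Run check_no_plaintext on every vars file from a pre-commit hook; it catches the two mistakes that actually leak secrets to GitHub, a plaintext value typed next to the vaulted ones and a !vault tag whose encrypted body never got pasted in.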