iToverDose/Software · 4 JUNE 2026 · 16:03

Ansible Vault: Secure Secrets Management for DevOps Teams

Discover how Ansible Vault encrypts sensitive data in YAML files, preventing exposure in repositories. Learn to manage secrets securely in AWX and automate workflows without manual password entry.

DEV Community · 4 min read

DevOps teams often overlook a critical security gap: sensitive data like passwords, API keys, and tokens stored in plain text within configuration files. This oversight can lead to severe risks when files are pushed to version control systems like GitLab. Ansible Vault provides a straightforward solution by encrypting these secrets directly within existing YAML files, ensuring they remain protected without disrupting established workflows.

Why Plain-Text Secrets Are a Security Liability

Before adopting Ansible Vault, many teams store sensitive information in unencrypted variables files. A typical example might look like this in vars/main.yml:

ubuntu_sudo_password: MyPassword123
db_password: SuperSecret456
api_token: abcd1234efgh5678

While this approach works during development, it becomes dangerous in production environments. When these files are committed to a repository, anyone with access can read the plain-text credentials. This vulnerability is particularly concerning for scheduled jobs or CI/CD pipelines, where automation relies on stored credentials. The moment these secrets are exposed, the entire infrastructure becomes susceptible to unauthorized access.

Encrypting Secrets with Ansible Vault

Ansible Vault simplifies securing sensitive data by encrypting specific values or entire files without altering the playbook structure. The process begins by creating a master password, which acts as the key to decrypt the data later. This password should be strong and stored securely, as it’s the only way to access encrypted secrets.

Encrypting Individual Variables

To encrypt a single variable, such as a password, use the following command:

ansible-vault encrypt_string 'MyPassword123' --name 'ubuntu_sudo_password'

This command prompts for the vault password twice. The output is a block of encrypted text that can be pasted directly into the variables file:

ubuntu_sudo_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  66386439653236336462626566653337386235396138623934363161623364663834623437333132

The rest of the file remains readable, maintaining clarity while protecting sensitive values. This method is ideal for teams with a few critical secrets, as it minimizes disruption to existing workflows.
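Two checks a team can run without the vault password, as an added example (this is not code from the article or from the Ansible project): a pre-commit style scan that flags sensitive-looking variables whose value is not a `!vault` block, and a check that a given vault password matches a vault payload. The second relies on the layout of the 1.1 AES256 format: the hex body under the `$ANSIBLE_VAULT;1.1;AES256` header decodes to three newline-separated hex fields (32-byte salt, HMAC-SHA256 of the ciphertext, AES-256-CTR ciphertext), and the keys come from PBKDF2-HMAC-SHA256 with 10000 rounds. Verifying the HMAC alone is enough to tell whether a password is right, so no AES implementation is needed. The sample vars text is taken from the article; `build_vault_payload` is constructed for the demo and wraps whatever bytes it is given, since it does not encrypt anything itself. Function names are this example's own.

```python
"""Ansible Vault hygiene helpers (added example, not the article's or Ansible's code)."""
import hashlib
import hmac
import os
import re
from binascii import hexlify, unhexlify

VAULT_HEADER = "$ANSIBLE_VAULT;1.1;AES256"
# Variable names that should never carry a readable value in a committed file.
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|token|api_key|connection_string)", re.I)
KEY_VALUE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*?)\s*$")


def find_plaintext_secrets(yaml_text):
    """Return [(line_no, key)] for sensitive keys whose value is not a !vault block.

    Deliberately line-based so it runs in a pre-commit hook without PyYAML and
    without the vault password. The header and hex lines of a vault block never
    match KEY_VALUE (no colon, or a leading '$'), so they are skipped.
    """
    findings = []
    for no, line in enumerate(yaml_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        m = KEY_VALUE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if not value:  # start of a nested mapping, not a scalar
            continue
        if SENSITIVE_KEY.search(key) and not value.startswith("!vault"):
            findings.append((no, key))
    return findings


def parse_vault_payload(text):
    """Split a 1.1 payload (header + hex body) into (salt, mac, ciphertext) bytes."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines or lines[0] != VAULT_HEADER:
        raise ValueError("not an Ansible Vault 1.1 AES256 payload")
    body = unhexlify("".join(lines[1:]))
    salt_hex, mac_hex, ct_hex = body.split(b"\n")
    return unhexlify(salt_hex), unhexlify(mac_hex), unhexlify(ct_hex)


def derive_keys(password, salt):
    """PBKDF2-HMAC-SHA256, 10000 rounds, 80 bytes: AES key, HMAC key, CTR IV."""
    d = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10000, dklen=80)
    return d[:32], d[32:64], d[64:80]


def verify_vault_password(text, password):
    """True if `password` reproduces the payload's HMAC; nothing is decrypted."""
    salt, mac, ciphertext = parse_vault_payload(text)
    _, key2, _ = derive_keys(password, salt)
    return hmac.compare_digest(hmac.new(key2, ciphertext, hashlib.sha256).digest(), mac)


def build_vault_payload(password, ciphertext, salt=None):
    """Frame already-encrypted bytes as a 1.1 payload (constructed demo helper).

    `ciphertext` is passed through unchanged because AES-CTR is not implemented
    here; the salt, HMAC and hex framing are the real ones, so the result passes
    verify_vault_password() exactly like ansible-vault output would.
    """
    salt = salt or os.urandom(32)
    _, key2, _ = derive_keys(password, salt)
    mac = hmac.new(key2, ciphertext, hashlib.sha256).digest()
    body = hexlify(b"\n".join([hexlify(salt), hexlify(mac), hexlify(ciphertext)])).decode()
    wrapped = "\n".join(body[i:i + 80] for i in range(0, len(body), 80))
    return f"{VAULT_HEADER}\n{wrapped}\n"


def as_vault_variable(name, payload):
    """Render a payload as the `name: !vault |` block that encrypt_string prints."""
    indented = "\n".join("  " + ln for ln in payload.strip().splitlines())
    return f"{name}: !vault |\n{indented}\n"


if __name__ == "__main__":
    # Constructed sample: the article's plain-text vars file.
    sample = "ubuntu_sudo_password: MyPassword123\ndb_password: SuperSecret456\napi_token: abcd1234efgh5678\n"
    for no, key in find_plaintext_secrets(sample):
        print(f"line {no}: '{key}' is stored in plain text; encrypt it with ansible-vault encrypt_string")
```

Wire `find_plaintext_secrets` into a pre-commit hook over `vars/*.yml` and fail the commit on any finding; `verify_vault_password` is handy in CI to confirm that the password a pipeline holds still matches the committed vault files after a rotation. Only the 1.1 header is handled; payloads carrying a vault id (`;1.2;AES256;label`) would need the header check relaxed.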

Encrypting Entire Files for Bulk Protection

When dealing with multiple secrets, encrypting an entire file is more efficient. For example:

ansible-vault encrypt vars/secrets.yml

This command encrypts the entire file, rendering it unreadable without the vault password. To edit the file later, use:

ansible-vault edit vars/secrets.yml

Decrypting the file permanently is also an option, but it should be done cautiously:

ansible-vault decrypt vars/secrets.yml

Running Playbooks with Ansible Vault

Using encrypted secrets in command-line playbooks requires the vault password to decrypt values during execution. This is achieved by adding the --ask-vault-pass flag:

ansible-playbook patch.yml -i inventory/hosts.yml --ask-vault-pass

The command prompts for the vault password, which is entered manually. While this works for local development, it becomes impractical in automated environments like AWX, where scheduled jobs cannot pause for manual input.

Automating Secrets in AWX with Vault Credentials

AWX, an open-source automation controller, simplifies managing secrets by allowing teams to store the vault password as a credential. This ensures that playbooks can decrypt secrets automatically during execution, eliminating the need for manual intervention.

Setting Up a Vault Credential in AWX

To configure a vault credential in AWX:

  1. Navigate to the AWX UI and select Credentials > Add.
  2. Choose the credential type as Ansible Vault.
  3. Enter a descriptive name and the vault password.
  4. Save the credential.

The vault password is stored encrypted within AWX and cannot be retrieved later. It’s referenced by name when attached to job templates.

Attaching Vault Credentials to Job Templates

To ensure a job template can access encrypted secrets:

  1. Open the job template in AWX UI and select Edit.
  2. In the Credentials field, search for and select the vault credential.
  3. Save the template.

Now, when AWX runs this template—whether manually, on a schedule, or as part of a workflow—it automatically decrypts the secrets using the stored credential. This seamless integration enables fully automated pipelines without compromising security.

Real-World Example: Secure Patch Management Workflow

Consider a patch management workflow that requires checking application health before applying updates. The workflow might include a playbook like pre_patch_check.yml with a vars/secrets.yml file containing encrypted credentials:

# vars/secrets.yml (encrypted with Ansible Vault)
ubuntu_sudo_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  ...
db_connection_string: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  ...

The playbook could include a task to verify application status:

---
- name: Pre-patch checks
  hosts: all
  vars_files:
    - vars/secrets.yml   # must also define api_token as an encrypted value
  tasks:
    - name: Check application status
      ansible.builtin.uri:
        # scheme assumed (the original line lost its "https://{{" during extraction)
        url: "https://{{ inventory_hostname }}/health"
        headers:
          Authorization: "Bearer {{ api_token }}"
      register: health_check

From the command line, running this playbook with manual vault password entry would look like:

ansible-playbook pre_patch_check.yml -i inventory/hosts.yml --ask-vault-pass

In AWX, the same workflow can run automatically without manual intervention, thanks to the stored vault credential.

Best Practices for Secure Secrets Management

Teams adopting Ansible Vault should follow these guidelines to maximize security and efficiency:

  • Rotate Vault Passwords Regularly: Change the master vault password periodically to minimize risk if it’s compromised.
  • Use Environment Variables for Vault Passwords: Store the vault password in a secure environment variable or a secrets manager, rather than hardcoding it.
  • Limit Access to Vault Credentials: In AWX, restrict who can create or modify vault credentials to prevent unauthorized access.
  • Document Secrets Management Policies: Clearly outline how secrets are encrypted, stored, and accessed across the team to ensure consistency.
  • Test Playbooks Thoroughly: Validate that encrypted secrets work as expected in both local and automated environments before deployment.

By integrating Ansible Vault into your DevOps toolkit, you can secure sensitive data without sacrificing automation or workflow efficiency. The solution scales seamlessly from local development to enterprise-wide deployments, ensuring secrets remain protected at every stage.
