
Ansible Vault: Securing Sensitive Information


In this article, we're going to look at using Ansible Vault to ping a Windows server and secure the information on that server.


If you have followed my previous articles, we have been storing the SSH password used to access Windows in plain text. This is a big no-no in live environments!

Ansible comes with an encryption feature named "Ansible Vault" to tackle this concern. We will be using it to encrypt our SSH password in this lab.

Let's continue from our last article Ansible Galaxy: Ping Windows Servers. I am assuming you have successfully pinged the Windows servers. Let's get started.

Step 1. Edit the inventory file (hosts) located at /winservers/hosts and replace the value of ansible_ssh_pass with {{ win_pass }}


Now that we have included a variable, Ansible will look for it in our "ping" Galaxy role. The role's variables are stored in /winservers/ping/vars/main.yml

Step 2. Edit Vars. In the terminal window, type:

 vi /winservers/ping/vars/main.yml 

Replace this content with:

 win_pass: P@ssword1234 

Replace the value with your own Windows server password.

Save the file.

Step 3. Encrypt Your File Using Vault. In the terminal window, from /winservers/ping/vars/, type:

 ansible-vault encrypt main.yml 

It will ask for a new vault password and a confirmation.


The password will be used whenever you want to edit or view content using vault.

Step 4. View Vault File Using vi

vi /winservers/ping/vars/main.yml

vi now shows the encrypted version of the main.yml file.

Step 5. View Vault Encrypted File

 ansible-vault view main.yml 

Vault will ask for the password that you created in Step 3 while encrypting the file. 

Step 6. Edit Vault Encrypted File

 ansible-vault edit main.yml 


You may make changes to the file and save them; the file is re-encrypted when you save it.

Step 7. Executing the Playbook With Vault Password

Change to /winservers/ and type:

 ansible-playbook pingservers.yml 

This run fails with an error.

Since we have used Vault, we must add --ask-vault-pass to our playbook command:

 ansible-playbook pingservers.yml --ask-vault-pass 


Congratulations! You have successfully pinged your Windows Server while implementing Ansible Vault!
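A check that complements the steps above, as an added example that is not part of the original article: it walks a directory such as /winservers and reports every YAML file that is not vault-encrypted (its first line lacks the $ANSIBLE_VAULT; header) yet assigns a literal value to a key whose name contains pass, secret or token. The key-name pattern and the script name are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the article): find YAML files that still hold a
# plaintext secret, e.g. win_pass before `ansible-vault encrypt` was run.
# Prints file:line:key only, never the value, so the output is safe in CI logs.

# Keys whose name contains pass/secret/token and that carry a non-empty value.
# This key-name list is an assumption for the example; extend it as needed.
KEY_RE='^[[:space:]]*[A-Za-z0-9_]*(pass|secret|token)[A-Za-z0-9_]*[[:space:]]*:[[:space:]]*[^[:space:]#]'

# is_vault_encrypted FILE: true if FILE starts with the ansible-vault header.
is_vault_encrypted() {
    case "$(head -n 1 "$1" 2>/dev/null)" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# scan_plaintext_secrets DIR: list offending keys; exit status 1 if any found.
scan_plaintext_secrets() {
    scan_out=$(
        find "$1" -type f \( -name '*.yml' -o -name '*.yaml' \) |
        while IFS= read -r f; do
            is_vault_encrypted "$f" && continue
            # Skip values that are template references or inline !vault blobs.
            grep -nEi "$KEY_RE" "$f" | grep -vE '\{\{|!vault' | cut -d: -f1,2 |
                while IFS= read -r hit; do printf '%s:%s\n' "$f" "$hit"; done
        done
    )
    [ -z "$scan_out" ] && return 0
    printf '%s\n' "$scan_out"
    return 1
}

# Run as: sh check_vault.sh /winservers   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    scan_plaintext_secrets "$1"
fi
```

Run it before committing the role; a non-zero exit status means a vars file still needs ansible-vault encrypt.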

Thanks for reading!
