Managing Secrets for Automation Using Ansible Vault and Tower

Managing secrets is essential for all businesses. In this tutorial, let's go into how to encrypt your secrets or sensitive data using the Ansible Vault tool.

by Kalaiyarasi Durairaj · Aug. 12, 20 · Tutorial

Managing secrets is essential for every business. Failing to keep them under a tightly controlled security environment can have serious consequences. In this tutorial, I explain how to encrypt your secrets or sensitive data using the Ansible Vault tool, which is very useful for automation.

Ansible Vault

Ansible is a configuration management tool from Red Hat, a simple and powerful tool for infrastructure automation. During automation it is important to hide sensitive data such as API keys, DB credentials and server login credentials; exposing them opens the door to attack. The Vault tool in Red Hat Ansible provides an easy way to encrypt these secrets.

Encrypt secrets using Ansible Vault

The following example will help you understand how to encrypt secrets with Ansible Vault during automation. Let's create a role called manage-secret inside the roles folder using the ansible-galaxy command as below:

```shell
(ansible-venv) [test-user@linux-node dzone-ansible-secret]$ ls
inventory  playbook-httpd-install.yml  roles

(ansible-venv) [test-user@linux-node roles]$ ansible-galaxy init manage-secret
- Role manage-secret was created successfully

(ansible-venv) [test-user@linux-node dzone-ansible-secret]$ tree roles/manage-secret/
.
├── defaults
│   └── main.yml
├── files
├── handlers
│   └── main.yml
├── meta
│   └── main.yml
├── README.md
├── tasks
│   └── main.yml
├── templates
├── tests
│   ├── inventory
│   └── test.yml
└── vars
    └── main.yml

8 directories, 8 files
```

Create secret.yml inside the defaults directory with the secret data you want to encrypt. You can use any editor, or directly use the ansible-vault create secret.yml command, which writes the file in encrypted form from the start.

```yaml
secret:
  api_token: "abc34ff-09fedf-oac5fc-ufh0ed-90defa"
  licence_key: "EERST36ENO43MOUNSL0SF24IUR"
```

To encrypt the secret, use the encrypt keyword with the ansible-vault command as shown below:

```shell
(ansible-venv) [test-user@linux-node defaults]$ ansible-vault encrypt secret.yml
New Vault password: 
Confirm New Vault password: 
Encryption successful
```

Now the content of secret.yml is in an encrypted format and is no longer readable:

```shell
(ansible-venv) [test-user@linux-node defaults]$ cat secret.yml 
$ANSIBLE_VAULT;1.1;AES256
64366334656464366234396134613266316239353236616164643661313938306164383935333832
6564653932383864363938386465663666323237343533650a643534376263363061343062303565
39643133336466333539663130303261343138323036656233613035313630383764343037643136
3366333462613861390a353065313931353330663765323639353936376433643266363933373163
37623663653432346564646532663566386632623432376431373037653063373434643931396339
38666132303236353531326632363733363530653263393434636531313131653633363932376337
65663736303838343239333631356538366334396535396466346461653534383432643539386337
32396466313366386162346264366435373135376139303031313463663762373536393437666436
65633837373966666637383435396663333337636331346232616434666531386266333364373431
35626235346639353331653134636265646662623038663364336232326563633039376163376232
323361376464643630373931343331633833
```

Use the ansible-vault edit command below to update or modify the secrets, providing the decryption key at the prompt:

```shell
(ansible-env) [test-user@linux-node defaults]$ ansible-vault edit secret.yml 
Vault password: 
```

The ansible-vault view command is used to view the contents of the secret file without editing it.

Read Secrets in Ansible Playbook

To read the secrets, let's edit main.yml under the tasks directory as below. The parameters of secret.yml are read in a task with the include_vars module: include_vars: "defaults/secret.yml"

```yaml
---
# tasks file for manage-secret
- name: Read secret file
  include_vars: "defaults/secret.yml"

- name: display API Token
  debug:
    msg: "{{ secret.api_token }}"

- name: display LICENCE Key
  debug:
    msg: "{{ secret.licence_key }}"
```

Execute the playbook as below and provide the decryption key when prompted:

```shell
(ansible-venv) [test-user@linux-node dzone-ansible-secret]$ ansible-playbook playbook-manage-secret.yml --ask-vault-pass
Vault password: 
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [DZone ansible-vault demo] *********************************************************************************
TASK [Gathering Facts] *********************************************************************************
ok: [localhost]

TASK [manage-secret : Read secret file] *********************************************************************************
ok: [localhost]

TASK [manage-secret : display API Token] *********************************************************************************
ok: [localhost] => {
    "msg": "abc34ff-09fedf-oac5fc-ufh0ed-90defa"
}

TASK [manage-secret : display LICENCE Key] *********************************************************************************
ok: [localhost] => {
    "msg": "EERST36ENO43MOUNSL0SF24IUR"
}

PLAY RECAP *********************************************************************************
localhost                  : ok=5    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0  
```

But providing a password at a terminal prompt is impractical in automation, where no user is available to enter the decryption key on the command line. The alternative for automation is to read the decryption key from a file. The example below shows how the decryption key is read from a file.

```shell
(ansible-venv) [test-user@linux-node dzone-ansible-secret]$ ansible-playbook playbook-manage-secret.yml --vault-password-file /home/test-user/decrypt_key.txt
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [DZone ansible-vault demo] *********************************************************************************

TASK [Gathering Facts] *********************************************************************************
ok: [localhost]

TASK [manage-secret : Read secret file] *********************************************************************************
ok: [localhost]

TASK [manage-secret : display API Token] *********************************************************************************
ok: [localhost] => {
    "msg": "abc34ff-09fedf-oac5fc-ufh0ed-90defa"
}

TASK [manage-secret : display LICENCE Key] *********************************************************************************
ok: [localhost] => {
    "msg": "EERST36ENO43MOUNSL0SF24IUR"
}

PLAY RECAP *********************************************************************************
localhost                  : ok=5    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
```

But storing the decryption key in a file is dangerous and vulnerable to attack, since anyone with access to the file can read it, and it cannot be committed to git or any other repository. So the best way to overcome this problem is to use Ansible Tower.
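As an added example (not part of the original tutorial), here is a small POSIX sh check a CI job or pre-commit hook could run to catch the two problems this section describes: a secret.yml that was never vault-encrypted, and a vault password file sitting inside the repository. The file names decrypt_key.txt, .vault_pass* and the roles/*/defaults/secret.yml layout are assumptions taken from this tutorial.

```shell
#!/bin/sh
# Hypothetical repository check (added example, not from the article).
# Ansible Vault writes this exact header as the first line of every
# encrypted file, so a secret.yml that lacks it is still plaintext.
set -u

VAULT_HEADER='$ANSIBLE_VAULT;1.1;AES256'

# is_vault_encrypted FILE -> exit 0 if FILE is a vault envelope, 1 otherwise.
is_vault_encrypted() {
    [ -f "$1" ] || return 1
    [ "$(head -n 1 "$1")" = "$VAULT_HEADER" ]
}

# scan_repo ROOT -> prints one line per finding and returns the number of
# findings (0 means the tree is clean). Paths are assumed to contain no spaces.
scan_repo() {
    root=$1
    findings=0

    # Every per-role secret file must already be encrypted before it is committed.
    for f in $(find "$root" -path '*/defaults/secret.yml' -type f); do
        if ! is_vault_encrypted "$f"; then
            echo "PLAINTEXT SECRET: $f"
            findings=$((findings + 1))
        fi
    done

    # A vault password file checked in next to the encrypted data defeats the
    # encryption entirely; the assumed names match the tutorial's decrypt_key.txt.
    for f in $(find "$root" -type f \( -name 'decrypt_key.txt' -o -name '.vault_pass*' \)); do
        echo "VAULT PASSWORD FILE IN REPO: $f"
        findings=$((findings + 1))
    done

    return "$findings"
}
```

Run it as `scan_repo .` from the repository root; a non-zero exit status fails the hook or the CI step.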

Ansible Tower

The Tower tool from Red Hat Ansible provides a web-based user interface with enhanced features for efficient automation. Let's see how to create a vault credential to decrypt the secrets.

Decrypt Secret Using Ansible Tower Vault Credential

Click Credentials on the left navigation panel to create a new credential. Select Vault as the credential type, enter your decryption key in Vault Password, and save it.

Now map this ansible-vault-decryption-key vault credential in the Ansible Tower job template.

You will then be able to see the decrypted information in the Tower job output.

Summary

Ansible from Red Hat is widely used as a configuration management tool for infrastructure automation such as provisioning servers, deploying and configuring middleware, and more. When using an automated deployment and configuration process, it is important not to expose secret information. Ansible Vault provides an easy and simple way to encrypt secrets. In this tutorial, I have explained how we can manage these secrets using Ansible Vault and Tower.
