Ansible security mechanisms (Ansible Vault: keeping secrets secret)

It’s better to treat passwords and sensitive data specially, and there are two primary ways to do this:

1. Use a separate secret management service, such as Vault by HashiCorp, Keywhiz by Square, or a hosted service like AWS's Key Management Service or Microsoft Azure's Key Vault.
2. Use Ansible Vault, which is built into Ansible and stores encrypted passwords and other sensitive data alongside the rest of your playbook.

Let’s see how it works in practice. Here’s a playbook that connects to a service’s API, and requires a secure API key to do so:

---
- hosts: appserver
  vars_files:
    - vars/api_key.yml

  tasks:
    - name: Connect to server with our API key.
      command: connect_to_service
      environment:
        key: "{{ myapp_service_api_key }}"

The vars file, which is stored alongside the playbook in plain text, looks like this:

---
myapp_service_api_key: "yJJvPqhqgxyPZMispRycaVMBmBWPqYDf3DFanPxAMAm4UZcw"

For the best security, use Ansible Vault to encrypt the file. If you ever checked the original file into version control, it's also a good time to expire the old key and generate a new one, since the old key is part of the plaintext history of your project!

To encrypt the file with Vault, run:

ansible-vault encrypt api_key.yml

Enter a secure password for the file, and Ansible will encrypt it. If you open the file now, you should see something like:

$ANSIBLE_VAULT;1.1;AES256
64653736356632643138303766363631616633343134376336656534343037336235663831653165
6264383962383830323462613138363261306233346139620a643130383630356638626230326437
36636335336161613935343466636565323530363963616433643633376561653364373832373162
3461626130623733640a613434376239363036626437646637346435616166366530383432313031
61666663656632333739623666643966643463356561373136326334303833386238366234316433
30613034356132303265626562323537643663313465646666623566366266313030626264363864
61363764363336616464663436346636653362643063373639633438383765316532613939396438
33353434313038313563

Use --ask-vault-pass to supply the vault password at runtime:

ansible-playbook test.yml --ask-vault-pass
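The warning above about plaintext vars files in version control suggests a check worth automating: confirm that every file expected to hold secrets actually carries a Vault envelope before it is committed. The following Python is an added example, not code from this post or from Ansible itself; it validates the structure of the 1.1/1.2 envelope (header, 80-column hex body, inner salt/hmac/ciphertext) without a password and decrypts nothing. build_envelope and PLAINTEXT_VARS are constructed test fixtures, not real encrypted output.

```python
r"""Pre-commit style check that a vars file is Ansible Vault-encrypted.
Vault 1.1/1.2 files are a header line plus the hex encoding of
"salt_hex\nhmac_hex\nciphertext_hex" wrapped at 80 columns; nothing is decrypted here."""
import binascii


def parse_vault_file(text: str) -> dict:
    """Return the envelope fields, raising ValueError if the envelope is malformed."""
    header, _, body = text.strip().partition("\n")
    if not header.startswith("$ANSIBLE_VAULT;"):
        raise ValueError("missing $ANSIBLE_VAULT header: file is not vaulted")
    # 1.1: $ANSIBLE_VAULT;1.1;AES256    1.2: $ANSIBLE_VAULT;1.2;AES256;<vault-id>
    fields = header.split(";")
    if len(fields) not in (3, 4) or fields[1] not in ("1.1", "1.2") or fields[2] != "AES256":
        raise ValueError(f"unsupported header: {header!r}")
    # Outer layer: 80-column hex text; decoding it yields the inner text.
    inner = binascii.unhexlify("".join(body.split())).decode("ascii")
    parts = inner.split("\n")
    if len(parts) != 3:
        raise ValueError("inner payload must be salt, hmac and ciphertext")
    salt, hmac, ciphertext = (binascii.unhexlify(p) for p in parts)
    # PBKDF2-SHA256 salt and HMAC-SHA256 tag are each 32 bytes.
    if len(salt) != 32 or len(hmac) != 32:
        raise ValueError("salt and hmac must be 32 bytes each")
    return {"version": fields[1], "vault_id": fields[3] if len(fields) == 4 else None,
            "salt": salt, "hmac": hmac, "ciphertext": ciphertext}


def is_vaulted(text: str) -> bool:
    """True if the file carries a well-formed Vault envelope (binascii.Error is a ValueError)."""
    try:
        parse_vault_file(text)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def build_envelope(salt: bytes, hmac: bytes, ciphertext: bytes, vault_id=None) -> str:
    """Assemble an envelope from constructed parts (test fixture, not real encryption)."""
    header = "$ANSIBLE_VAULT;1.2;AES256;" + vault_id if vault_id else "$ANSIBLE_VAULT;1.1;AES256"
    inner = "\n".join(binascii.hexlify(p).decode() for p in (salt, hmac, ciphertext))
    outer = binascii.hexlify(inner.encode()).decode()
    return header + "\n" + "\n".join(outer[i:i + 80] for i in range(0, len(outer), 80)) + "\n"


# Constructed sample: a plaintext vars file like the one shown above before encryption.
PLAINTEXT_VARS = '---\nmyapp_service_api_key: "EXAMPLE-NOT-A-REAL-KEY"\n'
```

A pre-commit hook or CI step can call is_vaulted() on each file under vars/ that is meant to hold secrets and reject the commit when it returns False.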


Reposted from blog.csdn.net/sinat_34789167/article/details/81330031