How to use Ansible Vault for secret management
Encrypt sensitive data like passwords, API keys, and certificates using Ansible Vault.
Prerequisites
- Ansible installed.
Step-by-Step: Use Ansible Vault
Create an encrypted file with ansible-vault create:
ansible-vault create group_vars/production/vault.yml
Ansible prompts for a vault password, then opens the file in an editor. Add sensitive variables:
vault_db_password: "s3cret_p@ssw0rd"
vault_api_key: "ak_live_xxxxxxxxxxxxx"
Reference vault variables in playbooks like any other variable:
- name: Configure database
  template:
    src: db.conf.j2
    dest: /etc/myapp/db.conf
  vars:
    db_password: "{{ vault_db_password }}"
Run the playbook with --ask-vault-pass or --vault-password-file:
ansible-playbook site.yml --ask-vault-pass
ansible-playbook site.yml --vault-password-file ~/.vault_pass
Edit an existing encrypted file:
ansible-vault edit group_vars/production/vault.yml
How to Verify Vault Encryption
View the encrypted file. It should show the $ANSIBLE_VAULT;1.1;AES256 header, not plaintext:
cat group_vars/production/vault.yml
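The header check above can be automated, for example before a commit. This is an added example, not part of the original page: the function names, the rule that every file named vault.yml must be encrypted, and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): detect vault files left in plaintext.

# is_vault_encrypted FILE: status 0 only if FILE looks like Ansible Vault ciphertext.
is_vault_encrypted() {
    [ -r "$1" ] || return 2
    header=
    IFS= read -r header < "$1" || [ -n "$header" ] || return 1
    # Header forms: $ANSIBLE_VAULT;1.1;AES256 or $ANSIBLE_VAULT;1.2;AES256;<vault-id>
    case $header in
        '$ANSIBLE_VAULT;1.1;AES256') ;;
        '$ANSIBLE_VAULT;1.2;AES256;'?*) ;;
        *) return 1 ;;
    esac
    # The payload after the header is hex text; reject an empty body or any
    # non-hex byte (for example plaintext variables pasted under the header).
    body=$(tail -n +2 "$1" | tr -d '\n')
    [ -n "$body" ] || return 1
    case $body in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# find_plaintext_vaults DIR: print each vault.yml under DIR that fails the check;
# status 1 if any was found. Assumption: every file named vault.yml must be encrypted.
find_plaintext_vaults() {
    found=$(find "$1" -type f -name vault.yml | while IFS= read -r f; do
        is_vault_encrypted "$f" || printf '%s\n' "$f"
    done)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# make_sample_tree DIR: constructed sample data (the hex is filler, not real ciphertext).
make_sample_tree() {
    mkdir -p "$1/group_vars/production" "$1/group_vars/staging"
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' \
        '6162636465666768696a6b6c6d6e6f70' '3132333435363738' \
        > "$1/group_vars/production/vault.yml"
    printf '%s\n' 'vault_db_password: "s3cret_p@ssw0rd"' \
        > "$1/group_vars/staging/vault.yml"
}

# Demo run on the constructed tree: prints the staging file, which is plaintext.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
find_plaintext_vaults "$demo_dir" || echo "unencrypted vault file(s) listed above" >&2
rm -rf "$demo_dir"
```

The check only confirms the file has the vault layout; it does not prove the file decrypts with your vault password.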