Introduction To Ansible Vault

Hi readers, in this blog we will be discussing Ansible vault. Also, we will be looking at how to encrypt different playbooks and how they can be decrypted.


The “Vault” is a feature of Ansible that allows you to keep sensitive data such as passwords or keys protected at rest, rather than as plain text in playbooks or roles.

Why use Ansible Vault?

Ansible is used for automation, the playbooks contain certain credentials, SSL certificates ,or other sensitive data. Usually, we store our sensitive data in the variable of vault.

How Ansible Vault help us?

It helps us to encrypt or decrypt sensitive variables that contain information and there are 2 ways to take care of sensitive data :

  1. encrypt variables and embed them into the playbook.

  2. encrypt the entire playbook.

Creating an Encrypted File

To create an encrypted file, use the ansible-vault to create command ,and enter the filename.

When prompted, create a password and then confirm it by re-typing it.

$ ansible-vault create example.yml 
New Vault password: 
Confirm New Vault password: 

After confirming our password, a new file is created and will open an editing window. By default, the editor for Vault is vi. Also, we can add data, save ,and exit.

we can see out newly created file

$ cat example.yml 

Encrypting Unencrypted Files

Suppose we have a file which we wish to encrypt, we can use the ansible-vault encrypt command.

$ ansible-vault encrypt oldfile.yml
New Vault password: 
Confirm New Vault password: 

Then, you will be prompted to insert and confirm the password after then your file is encrypted.

Editing Encrypted Files

If we want to edit our encrypted file, we can edit it using ansible-vault edit command.

$ ansible-vault edit example.yml 
Vault password:

Viewing Encrypted File

If we want to view our encrypted file, we can use the ansible-vault view command.

 ansible-vault view example.yml
Vault password: 
- name: mukesh
  hosts: WORKSPACE
    - name: copying a file.
        src: /home/knoldus/example.yml
        dest: /home/

Rekeying Vault Password

Also, we can change the vault password for which we can use the **ansible-vault rekey **command.


We will be prompted with the vault’s current password and then we will add a new password and finally confirming the new password.

Decrypting Encrypted Files

If we want to decrypt an encrypted file, we can use ansible-vault decrypt command. Then, we will be prompted to insert the vault password.

$ ansible-vault decrypt example.yaml 
Vault password: 
Decryption successful

#devops #security #security controls #ansble-vault #data privacy #encryption

What is GEEK

Buddha Community

Introduction To Ansible Vault

Awesome Ansible List

Awesome Ansible

A collaborative curated list of awesome Ansible resources, tools, Roles, tutorials and other related stuff.

Ansible is an open source toolkit, written in Python, it is used for configuration management, application deployment, continuous delivery, IT infrastructure automation and automation in general.

Official resources

Official resources by and for Ansible.


Places where to chat with the Ansible community


Tutorials and courses to learn Ansible.


Books about Ansible.


Video tutorials and Ansible training.


Tools for and using Ansible.

  • Ansible Tower - Ansible Tower by Red Hat helps you scale IT automation, manage complex deployments and speed productivity. Extend the power of Ansible to your entire team.
  • AWX - AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is the upstream project for Tower, a commercial derivative of AWX.
  • Ansible Lint - Checks Playbooks for best practices and behavior that could potentially be improved.
  • Ansible Later - Another best practice scanner. Checks Playbooks and Roles for best practices and behavior that could potentially be improved.
  • Ansible Doctor - Simple annotation like documentation generator for Ansible roles based on Jinja2 templates.
  • Ansible cmdb - Takes the output of Ansible's fact gathering and converts it into a static HTML page.
  • ARA - ARA Records Ansible playbooks and makes them easier to understand and troubleshoot with a reporting API, UI and CLI.
  • Mitogen for Ansible - Speed up Ansible substantially with Mitogen.
  • Molecule - Molecule aids in the development and testing of Ansible roles.
  • Packer Ansible Provisioner - This Provisioner can be used to automate VM Image creation via Packer with Ansible.
  • Excel Ansible Inventory - Turn any Excel Spreadsheet into an Ansible Inventory.
  • - Ansible dynamic inventory script for parsing Terraform state files.
  • ansible-navigator - A text-based user interface (TUI) for Ansible.
  • squest - Self-service portal for Ansible Tower job templates.
  • ansible-bender - Tool which bends containers using Ansible playbooks and turns them into container images.
  • ansible-runner - A tool and python library that helps when interfacing with Ansible directly or as part of another system whether that be through a container image interface, as a standalone tool, or as a Python module that can be imported.
  • ansible-builder - Using Ansible content that depends on non-default dependencies can be tricky. Packages must be installed on each node, play nicely with other software installed on the host system, and be kept in sync.
  • kics - SAST Tool that scans your ansible infrastructure as code playbooks for security vulnverables, compliance issues and misconfigurations.
  • php-ansible Library - OOP-Wrapper for Ansible, making Ansible available in PHP.
  • TD4A - Design aid for building and testing jinja2 templates, combines data in yaml format with a jinja2 template and render the output.
  • Ansible Playbook Grapher - Command line tool to create a graph representing your Ansible playbook plays, tasks and roles.
  • ansible-doc-extractor - A tool that extracts documentation from Ansible modules in the HTML form.
  • Ansible Semaphore - Ansible Semaphore is a modern UI for Ansible.

Blog posts and opinions

Best practices and other opinions on Ansible.


Playbooks, Roles and Collections

Awesome production ready Playbooks, Roles and Collections to get you up and running.

Download Details:

Author: ansible-community
Source Code:

License: CC0-1.0 license


Securing your secrets using vault in Kubernetes — Part 2

In Part 1 of this series, we have learned how to Install Vault-k8s and enable the Kubernetes Auth Mechanism. In this tutorial let’s learn how automatically inject these secrets into our Kubernetes Deployments/Pods.

I have used Helm to create the manifests files. Helm charts are easier to create, version, share, and publish. Copying-and-Pasting the same manifests across multiple environments can be avoided and the same charts can be re-used by maintaining a different final overrides file.

#hashicorp-vault #kubernetes #vault-k8s #vault #kubernetes-secret

Securing your secrets using vault-k8s in Kubernetes — Part 1

Kubernetes secrets let you store and manage sensitive data such as passwords, ssh keys, Tls certificates, etc. However, there are few limitations to using the build-in secret management for Kubernetes. So, we often tend to rely on some third-party tools to handle secret management. One such tool is HashiCorp Vault. In this series of articles let’s learn to secure our secrets using HashiCorp Vault-k8s in Kubernetes.

#vault #kubernetes #hashicorp-vault #vault-k8s #kubernetes-secret

akshay L

akshay L


Ansible Installation & Configuration on AWS

In this video you will learn Ansible Installation & Configuration on AWS and how to install & configure ansible on ec2 step by step.

Why DevOps is important?

DevOps implementation is going through the roof with most of the largest software organizations around the world invested heavily in its implementation. The core values of devops is effectively based on the Agile Manifesto but with one slight change which moves the focus from creating a working software to one that is more interested in the end-to-end software service mechanism and delivery.

Why should you opt for a DevOps career?

For very long times the development and the operations teams of any software enterprise have stayed at arm’s length. But this organizational cultural shift thanks to devops a lot of changes are happening in forward-thinking enterprises. Learning devops will help you master all the skills needed in order to successfully build, operate, monitor, measure and improve the various processes in IT enterprises by better integrating development and operations. You will grab the best jobs in top MNCs after finishing this Intellipaat devops online training. The entire Intellipaat devops course is in line with the industry needs. There is a huge demand for devops certified professional. The salaries for devops professional are very good.

#Install Ansible #Ansible Installation and Configurationon AWS #Ansible

Fabiola  Auma

Fabiola Auma


Ansible Vault: Ansible Lookup Plugin for Secrets Stored in Vault

ansible-vault lookup module 

This is a lookup module for secrets stored in HashiCorp Vault. Supports Ansible 1.9.x and 2.x

Deprecation notice

ansible-vault has been deprecated due to lack of personal usage of ansible and vault over the last years. There are other plugins such as hashivault which provide the same functionality and are better maintained.


lookup plugins can be loaded from several different locations similar to $PATH, see lookup_plugins. An example setup can be found in the tests directory.

The source for the plugin can be pointed to via a requirements.yml file, and accessed via ansible-galaxy.


The address to the Vault server:

export VAULT_ADDR=

The plugin supports both Vault auth token and GitHub auth token. To use Vault auth token:

export VAULT_TOKEN=56f48aef-8ad3-a0c4-447b-8e96990776ff

If your Vault server is configured to use GitHub auth token:

export VAULT_GITHUB_API_TOKEN=56f48aef-8ad3-a0c4-447b-8e96990776ff

The plugin also supports Vault's CA-related environment variables, to enable use of a server certificate issued by a not-widely-trusted Certificate Authority. Use of this feature in the plugin requires Python 2.7.9.

export VAULT_CACERT=/etc/ssl/certs/localCA.pem
export VAULT_CAPATH=/etc/ssl/localCA

The Vault address, CA certificate, and path can also be set via the Ansible variables vault_addr, vault_cacert, and vault_capath, respectively.


This avoid the hostname check for Vault certificate (useful with self-signed certicates). This option can also be set via the Ansible variable vault_cahostverify.


This will disable ssl certs validation. VAULT_CACERT, VAULT_CAPATH and VAULT_CAHOSTVERIFY have to be unset. Can also be set via Ansible variable vault_skip_verify: <bool>.

For more information on setting variables in Ansible, see the variables docs.

The Vault token intentionally can not be set via an Ansible variable, as this is generally checked into revision control and would be a bad security practice somewhat defeating the purpose of using Vault. The token can be read from the file $HOME/.vault-token, as documented at Vault environment variables.

If any such parameter is set by both an environment variable and an alternative means, the environment variable takes precedence.


By default secrets fetched from Vault will be cached in memory, unless you specify


Note that secrets will be fetched once per fork (defaults to 5). If you turn off this feature by toggling above variable, all lookups will be done per node instead.

Approle support

If you want to use the Approle auth backend, you can do this by setting the follwing environment variables. If those vars are set, it is tried to get an approle token. If caching is enabled, the token is stored in the cache, so that it can be reused.

export ANSIBLE_HASHICORP_VAULT_ROLE_ID=ba78195c-12c9-557f-f8e2-75705b9b52ec
export ANSIBLE_HASHICORP_VAULT_SECRET_ID=5a4d079b-e6aa-ad54-8b0c-09dd35b740ee

Per default the authentication will be done against ${YOUR_HOST}/v1/auth/approle/login You can change this to fit your layout by setting the following var to your value:

export ANSIBLE_HASHICORP_VAULT_ROLE_PATH=v1/auth/my/role/path/approle/login


ansible-vault works as any other lookup plugin.

- debug: msg="{{ lookup('vault', 'secret/foo', 'value') }}"
# templates/example.j2

# Generic secrets
{{ lookup('vault', 'secret/hello').value }} # world
# Generic secrets with parameters
{{ lookup('vault', 'pki/issue/example-dot-com format=pem_bundle').certificate }}
# Specify field inside lookup
{{ lookup('vault', 'secret/hello', 'value') }} # world
# This syntax for Ansible 1.9.x
{{ lookup('vault', ['secret/hello', 'value']) }} # world

# Dynamic secrets
{% set aws = lookup('vault', 'aws/creds/deploy') %}
access_key = {{ aws.access_key }} # AKSCAIZSFSYHFGA
secret_key = {{ aws.secret_key }} # 4XSLxDUS+hyXgoIHEhCKExHDGAJDHFiUA/adi

If the desired value is stored within Vault with the key 'value' (like 'value=world' shown above), within a task, the lookup can be performed with:

- secret/hello

And then referenced with "{{ item.value }}"

Alternatively, the lookup can be performed with:

- secret/hello
- value

And then referenced with "{{ item }}"

Both of these forms work with both Ansible 1.9.x and 2.x. They only work within tasks, though. You can not use the with_vault: syntax within a variable definition file.


If you use the version of Ansible shipped with Ubuntu 16.04 ( and get the error Error was sequence item 0: expected string, dict found then you should install Ansible from the PPA instead. Related to this Ansible PR

What's the difference between ansible-vault and hashi_vault

  • (Ansible Vault) No external dependencies; (hashi_vault) requires hvac
  • (Ansible Vault) Uses the same environment variables as vault itself
  • (Ansible Vault) Quicker update cycle
  • (Ansible Vault) Supports dynamic secrets
  • (Ansible Vault) Supports custom fields

Download Details:

Author: jhaals
Source Code:

License: BSD-3-Clause license