Skip to main content

Securing a Playbook with Ansible Vault

Hands-On Lab

 

Photo of Rob Marti

Rob Marti

Linux Training Architect I in Content

Length

00:45:00

Difficulty

Beginner

Information is power, and keeping power in the proper hands is important for every system administrator. One method of doing it is by encrypting files that have sensitive information, like passwords, in them. This is especially important when doing something like using git to keep playbooks managed. This lab will help practice doing this and working with Ansible.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Securing a Playbook with Ansible Vault

Introduction

Information is power, and keeping power in the proper hands is important for every system administrator. One method of doing it is by encrypting files that have sensitive information, like passwords, in them. This is especially important when doing something like using git to keep playbooks managed. This lab will help practice doing this and working with Ansible.

The Scenario

Our database administrators have started using a third party tool to run some analysis on their database. This tool needs access to the password used by the dba account. We've been given the database password to enable this tool. Our task is to put that password in /home/dba/.pgpass but make sure that no one (without the vault password) can read the password on our local filesystem. The password is LinuxAcad. The file must be owned by the dba user and have a mode of 0600.

Logging In

Use the credentials provided on the hands-on lab page to get into Server1 to begin with. Since we need root privileges, let's just run sudo -i right off and become root.

Write the Playbook to be Encrypted

Our playbook, dba-pass.yml, should look similar to this once we're done editing it:

---
- name: Deploy DBA password file
  hosts: dbservers
  become: yes

  tasks:
   - name: Create and pgapass file
     lineinfile:
      line: 'LinuxAcad'
      create: yes
      owner: dba
      group: dba
      mode: 0600
      path: /home/dba/.pgpass

Encrypt the Playbook

To encrypt the playbook, we'l run this:

ansible-vault encrypt dba-pass.yml

Give a password, then confirm that password, and do not forget that password.

Now if we try to read that file (cat dba-pass.yml) we'll get a bunch of useless numbers across the screen.

Run the Encrypted Playbook

To run this encrypted playbook, we'll use this command:

ansible-playbook --ask-vault-pass dba-pass.yml

Once we supply the vault password, Ansible will run the playbook just like it would any other.

Conclusion

We've use ansible-vault to encrypt a playbook that had sensitive information in it. Now we can store things like Git repository passwords in our playbooks, and not have to worry about people seeing them. Congratulations!.