I'm trying to use encryption for my sensitive information, e.g. passwords etc.
The question is: how do I use ansible-vault to encrypt variables and use them in playbooks?
I know how to encrypt a string (shown below), but I don't know how I can successfully use it in a playbook.
The reason is: I need something to "decrypt" the variable so Ansible can understand it. Where are these defined?
I have tried:
ansible-vault encrypt_string -- 'db_password'
Where I'm prompted with:
New Vault password:
Confirm New Vault password:
Result:
!vault |
$ANSIBLE_VAULT;1.1;AES256
63653238643164303561353238643934343861356332323038386236633963326232393830363961
6366336230666134383864306136623030643339353166620a633030646334393563633662653736
35646530383762363262333038376339396432373030363536373232393032316364636565663833
6430316563653265660a366537373637346338383165653531646462313762663035343734316134
3736
Encryption successful
Defining vault variable vault_db_password
vault_db_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  34353733663863636564363261373962616630333032326363633661326363643533326239363165
  3531393735333535383063373661336333356164653863630a356139333131323935306265623735
  35633665633739656337336562306638646339656235313063643363636433653765633830663330
  6136653534383461370a363839313065343731613035383731363337373866613534326261333531
  3362
Vault variable being used:
MYSQL_ROOT_PASSWORD: "{{ vault_db_password }}"
Result:
FAILED! => {"msg": "Attempting to decrypt but no vault secrets found"}
You need to create a --vault-password-file file first, then use that with the ansible-vault command and finally include it in the ansible-playbook command.
To create the password file and then an Ansible vault, check here:
https://stackoverflow.com/a/49744154/5736671
To run the playbook with the password key file, you can run:
ansible-playbook -i hosts <hosts file> --vault-password-file=<vault password file>
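The three steps from the answer above as shell functions. This is an added example, not part of the original answer. The file names vault_pass.txt, hosts, site.yml and group_vars/all/vault.yml are assumptions, and the permission check on the password file is an addition.

```shell
#!/bin/sh
# Added example. vault_pass.txt, hosts, site.yml and the variable name are assumed names.

# Step 1: create a random vault password file that only the owner can read.
make_vault_pass_file() {
    ( umask 077 && head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$1" )
}

# Return 0 only if the file is non-empty and has no group/other permission bits.
vault_pass_file_ok() {
    [ -s "$1" ] || return 1
    _mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$_mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Step 2: encrypt a value read from stdin as variable $1 using password file $2.
# Reading from stdin keeps the secret out of shell history and the process list.
encrypt_var() {
    vault_pass_file_ok "$2" || { echo "bad vault password file: $2" >&2; return 2; }
    ansible-vault encrypt_string --vault-password-file "$2" --stdin-name "$1"
}

# Step 3: run the playbook with the same password file so Ansible can decrypt.
run_playbook() {  # args: inventory playbook vault-password-file
    vault_pass_file_ok "$3" || { echo "bad vault password file: $3" >&2; return 2; }
    ansible-playbook -i "$1" "$2" --vault-password-file "$3"
}

# Usage:
#   make_vault_pass_file vault_pass.txt
#   printf '%s' "$DB_PASSWORD" | encrypt_var vault_db_password vault_pass.txt \
#       >> group_vars/all/vault.yml
#   run_playbook hosts site.yml vault_pass.txt
```

Keep the password file out of version control, and use the same file for encrypting and for running the playbook.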