
Ansible Vault for Secrets


Encrypt sensitive data in Ansible playbooks with Ansible Vault


You are the #1 Ansible security expert from Silicon Valley — the engineer that ops teams hire when they realize their playbooks have plaintext API keys committed to git. The user wants to encrypt secrets in Ansible using Vault.

What to check first

  • Identify all secrets currently in plaintext: grep -riE 'password|passwd|token|secret|key' across inventory, group_vars, host_vars and roles, and check git history too (git log -p), since a secret removed from HEAD is still in the repository
  • Decide on a vault password strategy: a password file kept outside the repo, an executable that fetches the password, or an interactive prompt (--ask-vault-pass)
  • Plan rotation: a leaked vault password exposes every secret encrypted under it, including ciphertext in old git history, so rekeying alone is not enough and the underlying credentials must be rotated as well

Steps

  1. Generate a strong vault password and store it securely (1Password, AWS Secrets Manager)
  2. Create an encrypted file: ansible-vault create vars/secrets.yml
  3. Add secrets in YAML format inside
  4. Reference vars from your playbook normally — Ansible decrypts at runtime
  5. Provide the password via --ask-vault-pass, --vault-password-file, or the ANSIBLE_VAULT_PASSWORD_FILE environment variable (it names a password file or executable; the password itself never goes into an environment variable that Ansible reads directly)
  6. Use ansible-vault encrypt_string for individual values inside otherwise-plain files

Code

# Create encrypted file
ansible-vault create vars/secrets.yml
# (opens editor, type your secrets)

# Inside vars/secrets.yml (decrypted view)
db_password: super_secret_password
api_key: sk_live_abc123
ssh_key: |
  -----BEGIN RSA PRIVATE KEY-----
  MIIEowIBAAKCAQEA...
  -----END RSA PRIVATE KEY-----

# Edit later
ansible-vault edit vars/secrets.yml

# View without decrypting to file
ansible-vault view vars/secrets.yml

# Run playbook with vault password
ansible-playbook site.yml --ask-vault-pass
# Or with a password file
ansible-playbook site.yml --vault-password-file ~/.ansible_vault_pass

# Use the encrypted vars in a playbook
- hosts: webservers
  vars_files:
    - vars/secrets.yml
  tasks:
    - name: Configure database
      ansible.builtin.template:
        src: db.conf.j2
        dest: /etc/myapp/db.conf
        mode: '0600'     # the rendered file holds the password; do not leave it world-readable
      no_log: true       # keep the decrypted value out of -v output and logs
      # Template uses {{ db_password }}, which Ansible decrypted in memory when it loaded the vars file

# Encrypt a single value (mixed plaintext + encrypted)
ansible-vault encrypt_string 'super_secret_password' --name 'db_password'
# Output:
# db_password: !vault |
#           $ANSIBLE_VAULT;1.1;AES256
#           66386439653236336462626566386439653236336462626566386439653236...

# Paste this into a regular vars file
# vars/main.yml
---
db_host: localhost
db_user: admin
db_password: !vault |
        $ANSIBLE_VAULT;1.1;AES256
        66386439653236336462626566386439653236336462...

# Multiple vault IDs (different secrets, different passwords)
# Syntax is label@source: source is the path to a password file (or an executable that
# prints the password), or the word "prompt" to be asked interactively. Here dev_password
# and prod_password are password files in the current directory. Files created this way
# carry the label in their header ($ANSIBLE_VAULT;1.2;AES256;dev), so Ansible knows
# which password to try first.
ansible-vault create --vault-id dev@dev_password vars/dev_secrets.yml
ansible-vault create --vault-id prod@prod_password vars/prod_secrets.yml

ansible-playbook site.yml \
  --vault-id dev@dev_password \
  --vault-id prod@prod_password

# Re-key (rotate the vault password): prompts for the current and the new password and
# rewrites the file. With vault IDs: ansible-vault rekey --vault-id dev@old_file --new-vault-id dev@new_file FILE
ansible-vault rekey vars/secrets.yml
# Rekeying only changes the password; every old ciphertext is still in git history.
# If the old password may have leaked, rotate the secrets inside the file as well.

# Decrypt (back to plaintext): rewrites the file in place as plaintext, so only do this
# deliberately and re-encrypt before committing. For routine changes use edit/view instead.
ansible-vault decrypt vars/secrets.yml

# Use environment variable to avoid prompts
export ANSIBLE_VAULT_PASSWORD_FILE=~/.ansible_vault_pass
ansible-playbook site.yml

# CI/CD integration: store the vault password in the CI secret store (masked and
# protected), never in the repo. GitLab CI example: the job writes the password to a
# file only its own user can read, and removes it even if the playbook fails
# (after_script runs regardless of the script section's exit status).
deploy:
  script:
    - umask 077 && printf '%s\n' "$ANSIBLE_VAULT_PASSWORD" > /tmp/vault_pass
    - ansible-playbook -i inventory site.yml --vault-password-file /tmp/vault_pass
  after_script:
    - rm -f /tmp/vault_pass
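The temp-file approach above works, but it still puts the password on the runner's disk for the length of the job. Ansible also accepts an executable as the "password file": it runs it and reads the password from stdout. The script below is an added example, not code from the original skill; ANSIBLE_VAULT_PASSWORD is an assumed CI variable name and ./vault-pass.sh an assumed path, and the script fails closed when the variable is missing or empty so a misconfigured job cannot silently decrypt with "".

```shell
#!/bin/sh
# Added example, not from the original skill: an executable vault password
# "file" for CI. Ansible runs any executable passed to --vault-password-file
# (or named in ANSIBLE_VAULT_PASSWORD_FILE) and reads the password from its
# stdout, so the CI secret never has to be written to a temp file.
# ANSIBLE_VAULT_PASSWORD is an assumed CI variable name and ./vault-pass.sh
# an assumed path; both are conventions chosen for this example.

# Write the client script to $1 and mark it executable for the owner only.
write_vault_pass_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
# Hand the vault password to Ansible on stdout. Fail closed when the
# variable is unset OR empty, so a misconfigured job cannot silently
# "decrypt" with an empty password and then mask the real error.
if [ -z "${ANSIBLE_VAULT_PASSWORD:-}" ]; then
    echo "vault-pass.sh: ANSIBLE_VAULT_PASSWORD is not set" >&2
    exit 1
fi
# printf, not echo: a password starting with "-" or containing backslashes
# would otherwise be mangled by some echo implementations.
printf '%s\n' "$ANSIBLE_VAULT_PASSWORD"
EOF
    chmod 0700 "$1"
}

# Self-check helper: run the script at $1 with $2 as the password in its
# environment and return exactly what Ansible would receive.
vault_pass_from_script() {
    ANSIBLE_VAULT_PASSWORD="$2" "$1"
}

# Demo (ansible-playbook itself is not run here):
script=$(mktemp)
write_vault_pass_script "$script"
vault_pass_from_script "$script" 'example-only'   # prints example-only
rm -f "$script"
# In the pipeline, with the secret variable injected by the CI system:
#   ansible-playbook -i inventory site.yml --vault-password-file ./vault-pass.sh
```

Commit vault-pass.sh to the repo (it contains no secret) and point --vault-password-file or ANSIBLE_VAULT_PASSWORD_FILE at it; the only thing the CI system has to protect is the variable.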

Common Pitfalls

  • Committing the vault password file to git: this defeats the entire purpose, so keep it outside the repo and add its name to .gitignore as a backstop
  • Using a weak vault password: the ciphertext is in git, so anyone with the repo can brute-force it offline at leisure. Vault derives the key with PBKDF2-HMAC-SHA256, which slows guessing but does not rescue a short or guessable password; use a long random one
  • Decrypting to plaintext for editing (ansible-vault decrypt) and forgetting to re-encrypt before committing; use ansible-vault edit, which keeps the committed file encrypted
  • Encrypting different files with different passwords but no vault ID labels: Ansible then has to try every supplied password against every file, which is confusing and error-prone; label them with --vault-id

When NOT to Use This Skill

  • When you have a proper secrets manager (HashiCorp Vault, AWS Secrets Manager): use it, and pull values at runtime with a lookup plugin (community.hashi_vault, amazon.aws.aws_secret) so no ciphertext lives in git at all
  • For non-sensitive config — vault is overhead

How to Verify It Worked

  • Read the file without the password (cat vars/secrets.yml): the first line must be $ANSIBLE_VAULT;1.1;AES256 (1.2 plus a label when created with --vault-id) and everything below it must be hex, with no readable YAML keys
  • Check git history too (git log -p -- vars/secrets.yml): a file that was encrypted only after its first commit still has plaintext in history
  • Test that the playbook runs with the password file, and run it once with -vvv to confirm no decrypted value appears in the output (no_log: true on the tasks that use them)
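The first "What to check first" bullet (find plaintext secrets) and the "decrypted and forgot to re-encrypt" pitfall are both things a pre-commit hook or CI job can catch mechanically. The script below is an added example and not part of the original skill: it checks that every *secrets*.yml file carries the vault header on line 1 (the same marker Ansible itself tests) and greps vars files for credential-looking keys with literal values, skipping inline !vault blobs and {{ }} references. The naming convention and the sample tree built by make_sample_repo are assumptions; the "ciphertext" in it is a placeholder, not real encrypted data.

```shell
#!/bin/sh
# Added example (not from the original skill): audit a checkout for the two
# failure modes above, plaintext secrets in vars files and "secrets" files
# that were decrypted for editing and never re-encrypted. Assumes vault
# files are named *secrets*.yml as in this guide; the sample tree built by
# make_sample_repo is constructed data, not real credentials.

# Whole-file vault payloads start with "$ANSIBLE_VAULT;" on line 1; this is
# the same marker Ansible itself looks for. Returns 0 if encrypted.
is_vault_encrypted() {
    case "$(head -n 1 "$1")" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# List *secrets*.yml files under $1 that are stored in plaintext.
# Returns 1 if any were found, 0 if all are encrypted.
find_unencrypted_vault_files() {
    rc=0
    for f in $(find "$1" -type f -name '*secrets*.yml'); do
        if ! is_vault_encrypted "$f"; then
            echo "UNENCRYPTED: $f"
            rc=1
        fi
    done
    return $rc
}

# Grep YAML under $1 for keys that look like credentials holding a literal
# value. Lines whose value is an inline "!vault" blob or a {{ }} reference
# are skipped, so only real plaintext is reported (file:line:content).
find_plaintext_secrets() {
    pat='^[[:space:]]*[a-z_]*(password|passwd|token|secret|api_key|private_key)[a-z_]*[[:space:]]*[:=]'
    find "$1" -type f \( -name '*.yml' -o -name '*.yaml' \) \
        -exec grep -niE "$pat" /dev/null {} + 2>/dev/null \
        | grep -v -e '!vault' -e '[{][{]' || true
}

# Constructed sample repository (the hex "ciphertext" is a placeholder).
make_sample_repo() {
    d=$(mktemp -d)
    mkdir -p "$d/vars" "$d/group_vars"
    printf '%s\n%s\n' '$ANSIBLE_VAULT;1.1;AES256' \
        '3235306637323663633735613537' > "$d/vars/secrets.yml"
    printf 'db_password: hunter2\n' > "$d/vars/dev_secrets.yml"
    cat > "$d/group_vars/all.yml" <<'EOF'
db_host: localhost
db_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          66386439653236336462626566
api_token: "{{ vault_api_token }}"
slack_token: xoxb-not-a-real-token
EOF
    echo "$d"
}

# Run both checks; exit status 1 means the commit should be rejected.
audit_repo() {
    ok=0
    find_unencrypted_vault_files "$1" || ok=1
    hits=$(find_plaintext_secrets "$1")
    if [ -n "$hits" ]; then
        echo "PLAINTEXT SECRETS:"
        echo "$hits"
        ok=1
    fi
    return $ok
}

repo=$(make_sample_repo)
audit_repo "$repo" || echo "audit failed as expected for the sample tree"
rm -rf "$repo"
```

Wire audit_repo into a pre-commit hook or a CI lint stage and fail the job on a non-zero status; the grep pattern is deliberately broad and will need tuning to your variable names, but a false positive is far cheaper than a committed credential.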

Production Considerations

  • Rotate vault passwords quarterly and immediately on any suspected leak; after an emergency rekey, rotate the credentials inside the vault too, because the old ciphertext remains in git history
  • Use vault IDs to separate dev/staging/prod secrets, and give prod its own password that CI jobs for non-prod environments never receive
  • Consider HashiCorp Vault for centralized secrets management, with audit logging and short-lived credentials that never need to be stored in the repo

Quick Info

Category: Ansible
Difficulty: intermediate
Version: 1.0.0
Author: Claude Skills Hub
Tags: ansible, vault, secrets
