Securing secrets with Ansible Vault
When we are dealing with sensitive material that we need to reference in our Ansible playbooks, such as passwords, we shouldn't save this data in plain text. Ansible Vault encrypts this data so that it can be safely decrypted and accessed only while the playbook is running. In this recipe, we will outline how to use Ansible Vault in order to secure sensitive information in Ansible.
How to do it...
- Create a new file called decrypt_passwd as shown:
$ echo 'strong_password' > decrypt_passwd
- Using ansible-vault, create a new file called secrets, as shown here:
$ ansible-vault create --vault-id=decrypt_passwd secrets
- Add the following variables to this new secrets file:
ospf_password: ospf_P@ssw0rD
bgp_password: BGP_p@ssw0rd
- Create a new playbook called ansible_vault.yml, as shown here:
---
- name: Using Ansible vault
  hosts: all
  gather_facts: no
  vars_files:
    - secrets
  tasks:
    - name: Output OSPF password
      debug:
        msg: "Router {{ hostname }} ospf Password {{ ospf_password }}"
      when: inventory_hostname == 'csr1'
    - name: Output BGP password
      debug:
        msg: "Router {{ hostname }} BGP Password {{ bgp_password }}"
      when: inventory_hostname == 'mx1'
- Run the playbook as shown here:
$ ansible-playbook --vault-id=decrypt_passwd ansible_vault.yml -i hosts
How it works...
We use the ansible-vault command to create a new file that is encrypted using a key specified by --vault-id. We place this key/password in another file (called decrypt_passwd in our example) and pass that file as the argument to --vault-id. Inside the encrypted file, we can place as many variables as we need. Finally, we include this file as a variable file in the playbook using vars_files. The following is the content of the secrets file if we try to read it without decryption:
$ cat secrets
$ANSIBLE_VAULT;1.1;AES256
61383264326363373336383839643834386661343630393965656135666336383763343938313963
3538376230613534323833356237663532666363626462640a663839396230646634353839626461
31336461386361616261336534663137326265363261626536663564623764663861623735633865
3033356536393631320a643561623635363830653236633833383531366166326566623139633838
32633335616663623761313630613134636635663865363563366564313365376431333461623232
34633838333836363865313238363966303466373065356561353638363731616135386164373263
666530653334643133383239633237653034
In order for Ansible to decrypt this file, we must supply the decryption password (stored in a decrypt_passwd file in this example) via the --vault-id option. When we run ansible-playbook, we must supply this decryption password, otherwise the ansible-playbook fails, as shown here:
### Running the Ansible playbook without --vault-id
$ ansible-playbook ansible_vault.yml -i hosts
ERROR! Attempting to decrypt but no vault secrets found
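The header shown above is what distinguishes a vault-encrypted file from plain text, and it is the basis for a useful guard: a check, run before files are committed or shipped, that every file expected to hold secrets really does start with an Ansible Vault header. The following shell script is an added example and is not code from the book; it relies only on the documented header format `$ANSIBLE_VAULT;<version>;<cipher>[;<vault-id label>]` (format 1.1 as shown above, format 1.2 when a vault-id label is embedded) and needs no Ansible installation. The sample files it creates are constructed for the demo; the function names are our own.

```shell
#!/bin/sh
# Added example (not from the book): verify that secrets files are
# Ansible Vault encrypted by inspecting the vault header.
# Header format: $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id label>]

# is_vault_encrypted FILE -> exit 0 when FILE starts with a vault header
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# vault_id_label FILE -> print the vault-id label from a 1.2 header,
# or "default" when the header carries none (format 1.1)
vault_id_label() {
    label=$(head -n 1 "$1" 2>/dev/null | awk -F';' 'NF >= 4 { print $4 }')
    printf '%s\n' "${label:-default}"
}

# check_secrets_files FILE... -> report each file; exit 1 if any is plain text
check_secrets_files() {
    rc=0
    for f in "$@"; do
        if is_vault_encrypted "$f"; then
            echo "OK   $f (vault-id: $(vault_id_label "$f"))"
        else
            echo "FAIL $f is not vault-encrypted" >&2
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed sample files (not real secrets) in a temp directory.
demo_dir=$(mktemp -d)
printf '$ANSIBLE_VAULT;1.1;AES256\n61383264326363\n' > "$demo_dir/secrets"
printf 'bgp_password: BGP_p@ssw0rd\n' > "$demo_dir/leaked_secrets"
check_secrets_files "$demo_dir/secrets" "$demo_dir/leaked_secrets" \
    || echo "encrypt flagged files with: ansible-vault encrypt --vault-id=decrypt_passwd FILE"
rm -rf "$demo_dir"
```

Wiring `check_secrets_files` into a pre-commit hook over the paths that are supposed to be encrypted (here, `secrets`) catches the common mistake of editing a vault file with a plain editor and committing the decrypted result.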
There's more...
In case we don't want to specify the encryption/decryption password in the text file, we can use --ask-vault-pass with the ansible-playbook command in order to input the password while running the playbook, as shown here:
### Running the Ansible playbook with --ask-vault-pass
$ ansible-playbook ansible_vault.yml -i hosts --ask-vault-pass
Vault password:
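Between the two options above (a password file on disk and an interactive prompt) there is a third that Ansible supports: if the path given to --vault-id is an executable, ansible-playbook runs it and reads the vault password from its standard output. The following shell script is an added example, not code from the book: it shows the body of such a script, which takes the password from an environment variable we named `ANSIBLE_VAULT_PASS` (our own choice, not an Ansible built-in) and refuses to emit an empty password, plus a check that a decrypt_passwd-style file is not readable by other users. The function names and the demo file are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the book): alternatives to --ask-vault-pass and a
# permission check for the vault password file.

# vault_password_from_env: prints the vault password from ANSIBLE_VAULT_PASS
# (a variable name chosen for this example) and fails when it is unset,
# so Ansible never receives an empty password from this script.
vault_password_from_env() {
    if [ -z "${ANSIBLE_VAULT_PASS:-}" ]; then
        echo "ANSIBLE_VAULT_PASS is not set" >&2
        return 1
    fi
    printf '%s\n' "$ANSIBLE_VAULT_PASS"
}

# password_file_is_private FILE: succeed only when group and others have no
# permission bits at all, which is how decrypt_passwd should be kept (chmod 600).
password_file_is_private() {
    mode=$(ls -ld "$1" | cut -c5-10)   # group rwx + other rwx columns
    case "$mode" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Demo with a constructed password file in a temp directory.
demo_dir=$(mktemp -d)
echo 'strong_password' > "$demo_dir/decrypt_passwd"
chmod 600 "$demo_dir/decrypt_passwd"
if password_file_is_private "$demo_dir/decrypt_passwd"; then
    echo "decrypt_passwd is private (mode 600)"
else
    echo "decrypt_passwd is readable by others; run: chmod 600 decrypt_passwd" >&2
fi
rm -rf "$demo_dir"
```

Saved as an executable file (for instance a hypothetical vault-pass.sh whose last line calls `vault_password_from_env`), it is used as `ansible-playbook --vault-id=vault-pass.sh ansible_vault.yml -i hosts`, with the password supplied through the environment of the CI job or shell rather than stored in a plain file next to the playbook.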