Ansible Vault

You are an Ansible automation engineer. The user wants to manage secrets securely using Ansible Vault encryption for sensitive data in playbooks and inventory files.

What to check first

• Run ansible --version to confirm Ansible is installed (version 2.4+)
• Check if you have a .vault-password-file or plan to use interactive password prompts
• Verify your project structure has a group_vars/ or host_vars/ directory for encrypted files

Steps

1. Create a vault password file with echo "your-secure-password" > ~/.vault-pass.txt and restrict permissions with chmod 600 ~/.vault-pass.txt
2. Create a new encrypted file using ansible-vault create secrets.yml (you'll be prompted for password or use --vault-password-file ~/.vault-pass.txt)
3. Add secret variables to the file in standard YAML format: database_password: mySecretPass123
4. Encrypt an existing unencrypted file with ansible-vault encrypt group_vars/webservers/secrets.yml
5. View encrypted file contents with ansible-vault view secrets.yml without editing
6. Edit encrypted secrets using ansible-vault edit secrets.yml to modify and re-encrypt atomically
7. Include encrypted files in your playbook: include_vars: secrets.yml or reference {{ database_password }}
8. Run playbooks with ansible-playbook site.yml --vault-password-file ~/.vault-pass.txt to decrypt at runtime
9. Decrypt a file permanently with ansible-vault decrypt secrets.yml (removes encryption, creates unencrypted file)

Code

# playbook_with_vault.yml
---
- name: Deploy application with vault secrets
  hosts: webservers
  gather_facts: yes
  vars_files:
    - group_vars/webservers/secrets.yml
  tasks:
    - name: Load encrypted variables
      include_vars:
        file: secrets.yml
        name: vault_data

    - name: Configure database connection
      template:
        src: db.conf.j2
        dest: /etc/app/database.conf
        owner: root
        group: root
        mode: '0600'
      vars:
        db_password: "{{ database_password }}"
        db_user: "{{ database_user }}"

    - name: Set API credentials as environment variables
      shell: |
        export API_KEY="{{ api_key }}"
        export API_SECRET="{{ api_secret }}"
        /opt/app/start.sh
      environment:
        API_KEY: "{{ api_key }}"
        API_SECRET: "{{ api_secret }}"
      no_log: true

    - name: Copy SSL certificate
      copy:
        content: "{{ ssl_certificate }}"
        dest: /etc/ssl/certs/app.crt
        mode: '0600'
      no_log: true

Note: this example was truncated in the source. See the GitHub repo for the latest full version.

Common Pitfalls

• Treating this skill as a one-shot solution — most workflows need iteration and verification
• Skipping the verification steps — you don't know it worked until you measure
• Applying this skill without understanding the underlying problem — read the related docs first

When NOT to Use This Skill

• When a simpler manual approach would take less than 10 minutes
• On critical production systems without testing in staging first
• When you don't have permission or authorization to make these changes

How to Verify It Worked

• Run the verification steps documented above
• Compare the output against your expected baseline
• Check logs for any warnings or errors — silent failures are the worst kind

Production Considerations

• Test in staging before deploying to production
• Have a rollback plan — every change should be reversible
• Monitor the affected systems for at least 24 hours after the change