Protecting Resources with Ansible Vault

Objectives

After completing this section, you should be able to run playbooks that reference multiple resources encrypted with different Ansible Vault passwords.

Securing Playbook Resources

Plays cannot access data stored in Vault-encrypted files unless the Vault password is provided. If the password is not provided, this message is displayed: ERROR: A vault password must be specified to decrypt secret.yml.

There are two ways to provide the Vault password:

  • Use the --ask-vault-pass option to prompt for the password interactively.

  • Use the --vault-password-file or --vault-id option or the ANSIBLE_VAULT_PASSWORD_FILE environment variable to refer to a Vault password file.

    Important

    The Vault password file is a plain text file that contains the Vault password as a plain text string stored as a single line. This file is not encrypted, so it is vital that it be protected using file permissions or other security measures.

Decrypting Content With Multiple IDs

Prior to Ansible 2.4, all files protected by Ansible Vault used by a playbook had to be encrypted using the same password.

Ansible 2.4 and later support multiple Vault passwords because the ansible-playbook command now allows --vault-id to appear multiple times.

  • If multiple Vault passwords are provided, Ansible attempts to decrypt Vault content by trying each Vault secret in the order they were provided on the command line.

  • If the Vault content was encrypted using a --vault-id option, then the label of the Vault ID is stored with the Vault content. When Ansible knows the right Vault ID, it tries the matching Vault ID's secret first before trying the rest of the Vault IDs.
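As an added illustration that is not part of the course material, the following Python mirrors the lookup order just described: it reads the header that Ansible Vault writes at the top of encrypted content (format 1.1 carries no label; format 1.2 stores the --vault-id label) and returns the order in which the supplied vault IDs would be tried, and it includes a permission check for the plain-text password file discussed above. The function names and the sample payloads are constructed for this example.

```python
import re
import stat
from typing import List, Optional, Tuple

# An Ansible Vault payload begins with a header line. Format 1.1 carries no
# label; format 1.2 (produced when encrypting with --vault-id label@source)
# appends the label, e.g.:
#   $ANSIBLE_VAULT;1.1;AES256
#   $ANSIBLE_VAULT;1.2;AES256;prod
HEADER_RE = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<ver>1\.[12]);(?P<cipher>[A-Z0-9]+)(?:;(?P<label>[^;\s]+))?$"
)

def parse_vault_header(content: str) -> Tuple[str, str, Optional[str]]:
    """Return (format version, cipher name, vault-id label or None)."""
    first = content.lstrip().split("\n", 1)[0].strip()
    match = HEADER_RE.match(first)
    if not match:
        raise ValueError("not an Ansible Vault payload: %r" % first)
    return match.group("ver"), match.group("cipher"), match.group("label")

def secret_try_order(provided_ids: List[str], content: str) -> List[str]:
    """Order in which secrets given via repeated --vault-id are tried:
    the one whose label matches the payload first, then the rest in
    command-line order. Unlabelled (1.1) payloads, or a label that was not
    supplied on the command line, fall back to plain command-line order."""
    _, _, label = parse_vault_header(content)
    if label is None or label not in provided_ids:
        return list(provided_ids)
    return [label] + [vid for vid in provided_ids if vid != label]

def mode_is_private(mode: int) -> bool:
    """True when a Vault password file's mode grants no group/other
    permission bits, i.e. only the owner can read the plain-text password."""
    return (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0

# Constructed sample payloads: real-format headers, placeholder hex bodies.
UNLABELLED = "$ANSIBLE_VAULT;1.1;AES256\n6162636465663031\n"
LABELLED_PROD = "$ANSIBLE_VAULT;1.2;AES256;prod\n6162636465663031\n"

if __name__ == "__main__":
    ids = ["dev", "test", "prod"]
    print(secret_try_order(ids, UNLABELLED))     # ['dev', 'test', 'prod']
    print(secret_try_order(ids, LABELLED_PROD))  # ['prod', 'dev', 'test']
```

Pass `mode_is_private(os.stat(path).st_mode)` the mode of your password file to confirm it is not readable by group or others.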

Recommended Practices

Incorporating Vault-protected files into Ansible projects.

Wherever you have a variables file (in group_vars or host_vars, for instance), consider replacing it with a vars file that contains no sensitive information, alongside an encrypted file named vault that holds the sensitive data.

A convenient way of organizing this is to introduce new directories under group_vars and host_vars that represent individual groups or individual hosts, respectively. Put vars files and, where appropriate, vault files, inside those directories.

.
├── ansible.cfg
├── group_vars
│   ├── all
│   ├── group1
│   │   ├── vars
│   │   └── vault
│   └── group2
│       └── vars
├── host_vars
│   └── host1
│       ├── vars
│       └── vault
├── inventory
└── playbook.yml

Optimizing Vault Performance

By default, Ansible uses functions from the python-crypto package to encrypt and decrypt Ansible Vault files. If there are many encrypted files, decrypting them at startup may cause a perceptible delay.

To speed things up, install the python-cryptography package:

[user@host ~]$ sudo yum install python-cryptography

Note

Note that python-crypto and python-cryptography are two different packages. The former is installed by default, and is required. The latter is optional.

Revision: do457-2.5-4693601