Vault
“ansible-vault encrypt_string”
- prompts for the vault password, the same one that will be supplied when invoking ansible
- then reads from stdin the string we want to encrypt, which will be decrypted using that password
- the output is the encrypted value (a `!vault` block of ciphertext, not a hash) that we can paste into the playbooks
root@ansible:~/ansible# ansible-vault encrypt_string
New Vault password:
Confirm New Vault password:
Reading plaintext input from stdin. (ctrl-d to end input)
toto!vault |
$ANSIBLE_VAULT;1.1;AES256
38643731663238336363393361336337313835623234656431643433613434333631316662396533
3866626439376665646336626237623538386361373834330a373336333466366630666132666239
38383538366366356164663161393034623835336264353333633433336230613063383336636564
3733643939386563620a366263633834333566643438653462373166316438316332316366313534
3534
Encryption successful
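To use it, supply the vault password when running the playbook, either at an interactive prompt or from a password file: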
ansible-playbook --ask-vault-pass -i production.yml myplay.yml --limit serverfqdn_or_group
ansible-playbook --vault-password-file /path/to/my/vault-password-file site.yml
Documentation: https://docs.ansible.com/ansible/latest/user_guide/vault.html
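The value printed by encrypt_string is an envelope, not a hash: under the `$ANSIBLE_VAULT;1.1;AES256` header, the hex body decodes to a salt, an HMAC-SHA256 tag and the ciphertext. The sketch below is an added example, not part of the original notes or of Ansible's code. It parses that layout and checks whether a given vault password matches the envelope before a deploy. It assumes the vault 1.1 key derivation (PBKDF2-HMAC-SHA256, 10000 iterations); the function names are hypothetical and the sample envelope is constructed, with placeholder bytes instead of real AES output.

```python
import binascii
import hashlib
import hmac
import os

HEADER = "$ANSIBLE_VAULT;1.1;AES256"

def derive_keys(password: str, salt: bytes):
    """PBKDF2-HMAC-SHA256, 10000 rounds, 80 bytes: AES key, HMAC key, CTR IV."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10000, dklen=80)
    return km[:32], km[32:64], km[64:]

def parse_envelope(text: str):
    """Split an encrypt_string value into (salt, mac, ciphertext) bytes."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines and lines[0].startswith("!vault"):  # YAML tag line, if pasted along
        lines = lines[1:]
    if not lines or lines[0] != HEADER:
        raise ValueError("not a vault 1.1 AES256 envelope")
    inner = binascii.unhexlify("".join(lines[1:]))  # outer hex layer
    parts = inner.split(b"\n")
    if len(parts) != 3:
        raise ValueError("expected salt, HMAC and ciphertext")
    salt, mac, ct = (binascii.unhexlify(p) for p in parts)  # inner hex layer
    return salt, mac, ct

def password_matches(text: str, password: str) -> bool:
    """True if the HMAC over the ciphertext verifies with this password."""
    salt, mac, ct = parse_envelope(text)
    _, hmac_key, _ = derive_keys(password, salt)
    expected = hmac.new(hmac_key, ct, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)

def build_sample(password: str, ct: bytes) -> str:
    """Constructed sample with vault framing; ct is placeholder, not AES output."""
    salt = os.urandom(32)
    _, hmac_key, _ = derive_keys(password, salt)
    mac = hmac.new(hmac_key, ct, hashlib.sha256).hexdigest().encode()
    inner = b"\n".join([binascii.hexlify(salt), mac, binascii.hexlify(ct)])
    body = binascii.hexlify(inner).decode()
    rows = [body[i:i + 80] for i in range(0, len(body), 80)]
    return "\n".join(["!vault |", "  " + HEADER] + ["  " + r for r in rows])

if __name__ == "__main__":
    sample = build_sample("constructed-password", b"\x00" * 16)
    print(sample)
    print("right password:", password_matches(sample, "constructed-password"))
    print("wrong password:", password_matches(sample, "something-else"))
```

Because the check only recomputes the HMAC, it needs nothing beyond the Python standard library and never produces the plaintext.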