Introduction to Ansible Transcripts
Chapter: Data
Lecture: Ansible Vault

0:00 In our current iteration of our first playbook we have a single file that stores all our variables, all.
0:07 Now nothing in this file is particularly sensitive but if we wanted to add a password for a deploy user
0:17 we'd want to make sure that this file is encrypted and we can use ansible-vault to do that. So go ahead and add deploy user password
0:24 into helloworld123. Now with this file, if we take a look at the contents right now we can see it's all in plain text.
0:31 But if we use ansible-vault encrypt we can then give it a password. If we try to take a look at the file now it's completely encrypted
0:43 and safe to add to version control. So that's the first command that you're going to want to use ansible-vault encrypt.
0:47 You can also use ansible-vault create if you're working on a new file but I typically work with files in plain text
0:54 while I'm doing my development and then I encrypt them when I'm getting ready to add everything in my initial commit in version control.
1:02 So the file is now encrypted. What do we do with this? Let's say we want to make a change. We want to change our password for that deploy user.
1:10 We again use ansible-vault and we use the edit command. We'd give it the password and now we can edit our file with our default editor.
1:17 Now for me, I use Vim, so that works for me when I'm using the edit command. If you want to use a different editor on your system
1:23 just specify editor equals, for example the Nano Editor or Sublime whatever your editor of choice is. Then when you open up the file
1:35 it would use a different editor. So now let's change our password helloworld1234 we'll write that file, and we'll exit this editor.
1:46 The file is encrypted as we would like. But we can see when we reopen the file it's been saved with that additional four that changes the password
1:57 for the deploy user. So now that our data is safe, how do we use it? There's a couple different ways. The most common one is going to be
2:03 when you're running your Ansible playbook command and we're going to pass in the argument ask vault pass. It'll ask us for a vault password
2:21 decrypts our variables, and uses them in the playbook. So now just as we had before when we were running our playbook
2:27 we can use that encrypted data as if it was plain text. The one other way that we can use our data we can just go ahead and decrypt it.
2:38 It'll ask us for our password and now if we take a look at the file it's back to plain text so it is reversible.
2:44 If you want to play around with ansible-vault encrypting your files and then you find out later oh, I actually do want this to be in plain text
2:50 or you split out the sensitive ones from the plain text ones you can just use ansible-vault decrypt in order to handle that.
2:56 So that's how you can keep your data safe and add it to source control and make sure that it's not compromised using the ansible-vault command.

