Ansible Vault
Ansible Vault is a feature of Ansible that allows you to keep sensitive data such as passwords or keys in encrypted files, rather than as plaintext in playbooks or roles. These vault files can then be distributed or placed in source control.
For better understanding I will show a practical example. For this I have a Red Hat 8 VM (Redhat8_GUI, IP 192.168.43.247).
Every OS has one internal network card known as loopback (lo). This network card has the IP 127.0.0.1 and also has a name, "localhost". It is not a physical card.
If we want to do something on localhost with Ansible, we don't need to create an inventory, because Ansible internally creates an inventory entry for localhost.
To check this, ping localhost with Ansible. If it is pingable, an inventory entry exists for the localhost system.
To get the list of Ansible modules, the command is "ansible-doc -l".
If you want the documentation of a module from the command line, the command is "ansible-doc <module name>", for example "ansible-doc service".
In the ansible-doc output, any parameter whose line starts with "=" is mandatory -
In this practical I will show "Send mail with Ansible". To check which module is available for sending mail -
To know more about the mail module, visit this link -
To communicate with the Google mail server we need to know the hostname or IP address of the Google mail server. It works on port number 465.
For sending mail we need the mail address and password of our Gmail account. I have a Gmail account ([email protected]) to send mail.
I will create two files: first the Ansible playbook and second the variable file -
Ansible code -
Variable file - I create this file because I want a centralised variable file. If we want any change in a variable, we don't need to go into the playbook, because the playbook code may be bigger and finding that variable there may be difficult.
Now run this playbook -
If your username and password are right and it still gives this error, the reason is that the Google mail server is not allowing you to send mail because of security, so now you have to enable the "less secure apps" option of your Google account, in my case "[email protected]".
Now if you run the playbook again, it will successfully send mail -
Now I am checking on "[email protected]" to confirm this.
Now finally we have two files to do this practical (var.yml and mail.yml).
Now the issue is that when we work with a team, we generally send all the files which are related to each other. We know my var.yml is sensitive: it has my Gmail account password. Now if by chance anyone gets this file, we want that nobody can read this var.yml file.
For this we have to lock this var.yml file, so we have to create a key for locking the file. Run this command -
If you open this file, it will show this - it is not plain text, it is cipher text.
To view this file, run "ansible-vault view var.yml".
To edit it, run "ansible-vault edit var.yml".
Now if you run the playbook, it will give you an error because it is not getting the variables from the var.yml file. For this the password is necessary.
Now we want Ansible to ask for that password before running. For this "--ask-vault-pass" is available, so the command is "ansible-playbook --ask-vault-pass mail.yml" -
Now it is working.
We can also create a file that is locked from the start; for this the command is "ansible-vault create myvar.yml". It will ask for a password and then open the file -
To change the key: "ansible-vault rekey myvar.yml".
Now I will show this practical with two vault files -
var.yml
myvar.yml
Playbook -
Now run this command: "ansible-playbook --ask-vault-pass mail.yml" -
If your password is the same for both files, it will give you no error, but if your passwords are different, it will give you an error because we are only passing the password for one file.
To solve this we have to assign an id to each file at creation time. Delete these two files and create them again -
You will see that this id is added in the first line of the file.
Now again this error -
When we add an id, we use the --vault-id keyword like this -
--vault-id is available in Ansible versions > 2.4.
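As an added illustration (not the author's code), here is a small Python helper that reads the "$ANSIBLE_VAULT" header line every encrypted file starts with and reports which --vault-id labels a playbook run is missing, reproducing the two-vault-file situation above. The header and body layout follow Ansible's vault file format; the file contents themselves are constructed dummies, not real ciphertext.

```python
"""Inspect Ansible Vault envelope headers to see which --vault-id labels a run needs."""
import re

# First line of an encrypted file: $ANSIBLE_VAULT;<format version>;<cipher>[;<vault id label>]
# Format 1.1 has no label (ansible-vault encrypt without --vault-id, or with id 'default');
# format 1.2 is written when a non-default id such as --vault-id var@prompt was used.
_HEADER = re.compile(r"^\$ANSIBLE_VAULT;(1\.[12]);([A-Z0-9]+)(?:;([^\s;]+))?$")

def parse_vault_header(text):
    """Return (version, cipher, label) for a vault file, or None for a plaintext file."""
    first_line = text.splitlines()[0].strip() if text.strip() else ""
    m = _HEADER.match(first_line)
    return m.groups() if m else None

def missing_vault_ids(files, supplied_ids):
    """files: {filename: contents}; supplied_ids: labels passed with --vault-id
    (--ask-vault-pass supplies the label 'default'). Returns the vault files whose
    label has no matching secret, i.e. the run would fail before reading them.
    Unlabelled (1.1) files carry no hint of which password they need; that is the
    ambiguity resolved above by recreating the files with ids."""
    missing = []
    for name, text in files.items():
        hdr = parse_vault_header(text)
        if hdr is None:
            continue  # not encrypted, nothing to decrypt
        label = hdr[2] or "default"
        if label not in supplied_ids:
            missing.append(name)
    return missing

def constructed_vault_file(label=None):
    """Build a vault-shaped file for the demo. The body is hex of 'salt\\nhmac\\nciphertext'
    (each part itself hex), 80 chars per line; the bytes here are dummies, not real output."""
    salt, mac, ct = b"\x01" * 32, b"\x02" * 32, b"\x03" * 16
    body = "\n".join(p.hex() for p in (salt, mac, ct)).encode().hex()
    header = f"$ANSIBLE_VAULT;1.2;AES256;{label}" if label else "$ANSIBLE_VAULT;1.1;AES256"
    return "\n".join([header] + [body[i:i + 80] for i in range(0, len(body), 80)]) + "\n"

if __name__ == "__main__":
    # Same situation as the two-vault-file run in the text: var.yml and myvar.yml
    # encrypted with different passwords, mail.yml plaintext.
    files = {"var.yml": constructed_vault_file("var"),
             "myvar.yml": constructed_vault_file("myvar"),
             "mail.yml": "- hosts: localhost\n"}
    print(missing_vault_ids(files, {"var"}))           # ['myvar.yml']: only one password given
    print(missing_vault_ids(files, {"var", "myvar"}))  # []: both --vault-id labels supplied
```

Note that by default Ansible also falls back to trying every supplied secret on a label mismatch (unless ANSIBLE_VAULT_ID_MATCH is set), so the checker shows what is missing, not a guarantee of failure.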
Thank you