Ansible vault
From wikinotes
Ansible Vault lets you store passwords encrypted, and separately from the rest of your information, so that your files are safe to share with others or to keep in version control.
A playbook can use these encrypted files in any of the following ways:
- include_vars/vars_files keywords
- variables passed to ansible on command-line with ``ansible -e @file.yml``
- role variables/defaults files
## Ansible uses the PyCrypto module for encryption, which is slow;
## speed things up with the cryptography module
sudo pip2 install cryptography
Creating New Encrypted File
ansible-vault create my-encrypted-file.yml ## create encrypted file
ansible-vault edit my-encrypted-file.yml ## edit encrypted file
ansible-vault rekey my-encrypted-file.yml ## set a new password on the file
ansible-vault encrypt my-regular-file.yml ## encrypt a non-encrypted file
ansible-vault decrypt my-encrypted-file.yml ## decrypt an encrypted file
Using Encrypted Files
# if playbook includes encrypted files,
# run your site.yml with the following flag
ansible-playbook site.yml \
--ask-vault-pass
# read password from a file (chmod 400)
ansible-playbook site.yml \
--vault-password-file \
~/mypass.txt
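
The check below is an added example, not part of the original notes: a shell helper you could call from a pre-commit hook to confirm that the password file really is owner-only (the "chmod 400" above) and that files meant to be encrypted carry the `$ANSIBLE_VAULT;<version>;AES256` header that ansible-vault writes as their first line. The function names are hypothetical, and the caller supplies the file paths.

```shell
#!/bin/sh
# Added example: pre-commit style checks for the vault workflow in these notes.
# Function names are hypothetical; file paths are supplied by the caller.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if the vault password file is accessible by its owner alone
# (mode 400 as in the notes, or 600).
password_file_is_private() {
    mode=$(file_mode "$1") || return 2
    case "$mode" in
        400|600) return 0 ;;
        *) echo "password file $1 has mode $mode, expected 400" >&2
           return 1 ;;
    esac
}

# Succeed only if the first line is an ansible-vault header such as
# "$ANSIBLE_VAULT;1.1;AES256". A file without it is still plaintext.
is_vault_encrypted() {
    first_line=''
    [ -r "$1" ] || return 1
    IFS= read -r first_line < "$1" || [ -n "$first_line" ] || return 1
    case "$first_line" in
        '$ANSIBLE_VAULT;'*';AES256'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check every file given, report the ones that are not encrypted, and
# return non-zero if any were found (so a hook can block the commit).
check_secret_files() {
    status=0
    for f in "$@"; do
        if ! is_vault_encrypted "$f"; then
            echo "NOT ENCRYPTED: $f" >&2
            status=1
        fi
    done
    return "$status"
}
```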