Using different Ansible Vault passwords with vault-id

As our infrastructure grows, we may have to handle secret data of different sensitivity. If our "Infrastructure as Code" is developed by different teams, each team may want to protect its own passwords, API tokens, keys, etc. with a different Vault password. This is what IDs in Ansible Vault are for.

With the ansible-vault command, we can attach Vault IDs to encrypted strings and/or files so that each one is tied to its own decryption password.

ansible-vault create --vault-id prod@prompt prod-secrets.yml

This will prompt us for the password for the prod vault ID and create a new file called prod-secrets.yml with the encrypted content.

We can also encrypt an existing file with a specific vault ID using the encrypt action:

ansible-vault encrypt --vault-id prod@prompt prod-secrets.yml

This will prompt us for the password for the prod vault ID and encrypt the file prod-secrets.yml with it.

We can also specify multiple vault IDs when encrypting or decrypting files:

ansible-vault encrypt --vault-id dev@dev-pass.txt --vault-id test@test-pass.txt --vault-id prod@prod-pass.txt secrets.yml

This will encrypt the file secrets.yml with three different passwords corresponding to three different vault IDs: dev, test and prod. The passwords are stored in plain text files dev-pass.txt, test-pass.txt and prod-pass.txt respectively.

To decrypt a file that was encrypted with multiple vault IDs, we need to provide all of them:

ansible-vault decrypt --vault-id dev@dev-pass.txt --vault-id test@test-pass.txt --vault-id prod@prod-pass.txt secrets.yml

This will prompt us for all three passwords and decrypt the file secrets.yml.

We can also use multiple vault IDs when running ansible-playbook:

ansible-playbook playbook.yml --vault-id dev@dev-pass.txt --vault-id test@test-pass.txt --vault-id prod@prod-pass.txt

This will allow ansible-playbook to access any encrypted files or variables that were encrypted with any of these three vault IDs.

Vault IDs can also be specified in ansible.cfg using the [defaults] section:

[defaults]
...
vault_identity_list = dev@dev-pass.txt,test@test-pass.txt,prod@prod-pass.txt
...

This will make ansible-playbook use these three vault IDs by default without having to specify them on the command line.
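As an added example (mine, not code from the post or from Ansible), this Python script parses that [defaults] entry with configparser, turns it into the equivalent --vault-id arguments, and checks the plain-text password files it points at. Those files hold the Vault passwords in the clear, so a group- or world-readable one exposes every secret encrypted under that label. The layout is constructed for the demo (password files beside ansible.cfg, a prod@prompt entry), the function names are this example's own, and an entry without an @ is treated here as Ansible's default identity, labelled default.

```python
import configparser
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Constructed ansible.cfg fragment, mirroring the post's vault_identity_list.
SAMPLE_CFG = """\
[defaults]
vault_identity_list = dev@dev-pass.txt,test@test-pass.txt,prod@prompt
"""


def parse_vault_identity_list(cfg_text: str) -> List[Tuple[str, str]]:
    """Return (label, source) pairs from the [defaults] vault_identity_list entry."""
    cfg = configparser.ConfigParser()
    cfg.read_string(cfg_text)
    raw = cfg.get("defaults", "vault_identity_list", fallback="")
    pairs = []
    for item in filter(None, (p.strip() for p in raw.split(","))):
        label, sep, source = item.partition("@")
        if not sep:
            # No label given: treated as Ansible's default identity (assumption of this example).
            label, source = "default", item
        pairs.append((label, source))
    return pairs


def to_cli_args(pairs: List[Tuple[str, str]]) -> List[str]:
    """Build the --vault-id arguments equivalent to the config entry."""
    args: List[str] = []
    for label, source in pairs:
        args += ["--vault-id", f"{label}@{source}"]
    return args


def check_password_sources(pairs: List[Tuple[str, str]], base_dir: str) -> List[str]:
    """Findings for file-based password sources: missing, empty, or readable by group/others."""
    findings = []
    for label, source in pairs:
        if source == "prompt":          # interactive prompt, nothing on disk to check
            continue
        path = os.path.join(base_dir, source)
        if not os.path.exists(path):
            findings.append(f"{label}: password source {source} not found")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"{label}: {source} is readable by group/others (mode {mode:04o})")
        if os.path.getsize(path) == 0:
            findings.append(f"{label}: {source} is empty")
    return findings


def demo() -> Dict[str, list]:
    """Create two constructed password files (one locked down, one world-readable) and audit them."""
    pairs = parse_vault_identity_list(SAMPLE_CFG)
    with tempfile.TemporaryDirectory() as d:
        dev = os.path.join(d, "dev-pass.txt")
        with open(dev, "w") as f:
            f.write("constructed-dev-secret\n")
        os.chmod(dev, 0o600)            # correct: owner-only

        test = os.path.join(d, "test-pass.txt")
        with open(test, "w") as f:
            f.write("constructed-test-secret\n")
        os.chmod(test, 0o644)           # weak: anyone on the host can read the Vault password

        findings = check_password_sources(pairs, d)
    return {"pairs": pairs, "args": to_cli_args(pairs), "findings": findings}


if __name__ == "__main__":
    result = demo()
    print("ansible-playbook playbook.yml", " ".join(result["args"]))
    for finding in result["findings"]:
        print("WARNING:", finding)
```

Run it against a real ansible.cfg by replacing SAMPLE_CFG with the file's contents and base_dir with the directory the password paths are relative to; keeping the password files at mode 0600 and out of version control is the part of the setup the config line itself cannot enforce.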

We can also have strings encrypted under different Vault IDs in the same file:

secret_element: !vault |
          $ANSIBLE_VAULT;1.2;AES256;light
          34306332383737646133376465306531626564663833623137366364393835306239313565303935
          6632336631626331326331626332383234376236373064380a363135633565306662663662383466
          38613838623162313630353363313962343463363732653665643166616133353038323161343231
          6166306562323832650a336363363137393464306638306135633566336662376566323738316435
          3236

other_element: !vault |
          $ANSIBLE_VAULT;1.2;AES256;pro
          36343539643431636634396162393365336231653264366162356130396564646532316434663065
          6531373737353666616237393239643134333565663939630a663030663064653633343439633063
          62346434316637323435303439313031313862333732373936666631383737346230333461613939
          3866623837353862310a333062366536386666353530346133303433623730383866616264333063
          6164

Here the two strings are encrypted with different passwords, labelled light and pro in their headers.
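To see where that label actually lives in the data, here is an added Python example (not code from the post or from Ansible) that parses the !vault scalars above: it reads the $ANSIBLE_VAULT;version;cipher;label header, hex-decodes the body into its salt, HMAC and ciphertext parts, and reports which vault IDs a vars file needs. Each payload carries exactly one label, and the older 1.1 format carries none, so an audit like this tells you which --vault-id options a file requires before you run a playbook. The two labelled blobs are the post's own; the legacy_element 1.1 blob is constructed, and all class and function names are this example's, not Ansible's.

```python
import binascii
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# A `key: !vault |` scalar followed by its indented body (header line + hex lines).
VAULT_BLOCK_RE = re.compile(
    r"^(?P<key>[A-Za-z0-9_]+):[ \t]*!vault[ \t]*\|[ \t]*\n"
    r"(?P<body>(?:[ \t]+\S+[ \t]*\n?)+)",
    re.MULTILINE,
)

# The two strings from the post, as they would appear in a vars file.
SAMPLE_VARS = """\
secret_element: !vault |
          $ANSIBLE_VAULT;1.2;AES256;light
          34306332383737646133376465306531626564663833623137366364393835306239313565303935
          6632336631626331326331626332383234376236373064380a363135633565306662663662383466
          38613838623162313630353363313962343463363732653665643166616133353038323161343231
          6166306562323832650a336363363137393464306638306135633566336662376566323738316435
          3236

other_element: !vault |
          $ANSIBLE_VAULT;1.2;AES256;pro
          36343539643431636634396162393365336231653264366162356130396564646532316434663065
          6531373737353666616237393239643134333565663939630a663030663064653633343439633063
          62346434316637323435303439313031313862333732373936666631383737346230333461613939
          3866623837353862310a333062366536386666353530346133303433623730383866616264333063
          6164
"""

# Constructed 1.1-format value: no label in the header, and a toy body of "aa\\nbb\\ncc" in hex.
LEGACY_VARS = """\
legacy_element: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          61610a62620a6363
"""


@dataclass
class VaultEnvelope:
    key: str
    version: str            # "1.1" (no label) or "1.2" (labelled)
    cipher: str             # "AES256"
    vault_id: Optional[str]  # None when the header carries no label
    salt: bytes
    hmac: bytes
    ciphertext: bytes


def parse_vault_envelope(key: str, body: str) -> VaultEnvelope:
    """Split one vault scalar into header fields and the salt/hmac/ciphertext it wraps."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    header, hex_lines = lines[0], lines[1:]
    fields = header.split(";")
    if fields[0] != "$ANSIBLE_VAULT" or len(fields) not in (3, 4):
        raise ValueError(f"{key}: not an Ansible Vault header: {header!r}")
    version, cipher = fields[1], fields[2]
    vault_id = fields[3] if len(fields) == 4 else None
    # The body is hex text; decoding it yields "salt_hex\nhmac_hex\nciphertext_hex".
    inner = binascii.unhexlify("".join(hex_lines)).decode("ascii")
    parts = inner.split("\n")
    if len(parts) != 3:
        raise ValueError(f"{key}: expected salt, hmac and ciphertext, got {len(parts)} parts")
    salt, hmac, ct = (binascii.unhexlify(p) for p in parts)
    return VaultEnvelope(key, version, cipher, vault_id, salt, hmac, ct)


def find_vault_envelopes(yaml_text: str) -> List[VaultEnvelope]:
    """Every !vault scalar in a vars file, in order of appearance."""
    return [parse_vault_envelope(m["key"], m["body"]) for m in VAULT_BLOCK_RE.finditer(yaml_text)]


def audit_vault_vars(yaml_text: str) -> Dict[str, list]:
    """Which vault IDs the file needs, and which values carry no label at all."""
    envs = find_vault_envelopes(yaml_text)
    labels = sorted({e.vault_id for e in envs if e.vault_id})
    unlabelled = [e.key for e in envs if e.vault_id is None]
    return {"vault_ids": labels, "unlabelled": unlabelled}


if __name__ == "__main__":
    for env in find_vault_envelopes(SAMPLE_VARS):
        print(f"{env.key}: format {env.version}, vault id {env.vault_id}, "
              f"salt {len(env.salt)}B hmac {len(env.hmac)}B ciphertext {len(env.ciphertext)}B")
    print(audit_vault_vars(SAMPLE_VARS))
    print(audit_vault_vars(LEGACY_VARS))
```

The parser only inspects structure; it never needs a password, which is the point: the header tells you which identity to supply, while unlabelled 1.1 values can only be matched by trying each configured password in turn.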

Then, to use these variables in a playbook or with the ansible command, we can prompt for both Vault passwords:

ansible -i inventory ansible --vault-id light@prompt --vault-id pro@prompt -m debug -a 'var=other_element' -e @vault.yml

Using different Ansible Vault passwords with vault IDs helps us manage multiple encryption keys for different files or environments. This improves our security posture and makes our Ansible projects more modular and flexible.

References

https://docs.ansible.com/ansible/latest/vault_guide/vault_managing_passwords.html#choosing-between-a-single-password-and-multiple-passwords
