How to Create an Ansible Vault for Your Secrets
If you’re using Ansible to automate your workflows, you’ve probably encountered the problem of managing sensitive data—like passwords, API keys, or SSH credentials. You don’t want to leave these lying around in plaintext, especially if your playbooks are in version control. That’s where Ansible Vault comes in, a built-in tool to encrypt your secrets while keeping them usable in your automation. In this post, I’ll walk you through creating an Ansible Vault file at ~/ansible/secrets/secrets.yml, step by step.
Let’s dive in!
What You’ll Need
Ansible installed on your system (run ansible --version to confirm).
A terminal and basic comfort with command-line tools.
A secure place to store your vault password (more on that later).
Step 1: Set Up the Directory
First, we need a home for our vault file. I’m assuming you want it at ~/ansible/secrets/secrets.yml. If that directory doesn’t exist yet, let’s create it:
mkdir -p ~/ansible/secrets
The -p flag ensures the command won’t complain if the parent directory (~/ansible) is missing—it’ll create that too. Now we’ve got our spot ready.
Step 2: Create the Vault File
Time to make the vault! Run this command:
ansible-vault create ~/ansible/secrets/secrets.yml
Ansible Vault will spring into action. It’ll ask you to set a password:
New Vault password:
Confirm New Vault password:
Pick something secure, type it twice, and don’t lose it—you’ll need this to unlock the vault later. Once you hit enter, Ansible opens your default text editor (probably vim or nano).
Step 3: Add Your Secrets
In the editor, you’re now writing to secrets.yml in YAML format. Add whatever sensitive data you want to protect. Here’s an example:
db_password: mysecretpassword123
api_key: abcdefghijklmnopqrstuvwxyz
When you’re done:
In vim: Hit Esc, type :wq, and press Enter.
In nano: Press Ctrl + X, then Y, then Enter.
Ansible encrypts the file on save. Want proof? Check it out:
cat ~/ansible/secrets/secrets.yml
You’ll see something like:
$ANSIBLE_VAULT;1.1;AES256
61393662383565373364306438363261346662346165626562346564383266383463313562366566...
That’s your data, locked up tight with AES-256 encryption.
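That header line and hex body are the vault envelope, and the one thing you never want in version control is a secrets.yml that lacks them. As an added example (not code from the original post or from the Ansible project), here is a small Python check that parses the envelope written by ansible-vault and flags any YAML file under a secrets/ directory that is not encrypted, suitable for a pre-commit hook. The secrets/ layout and the sample envelope are assumptions; the sample body is synthetic bytes, not real ciphertext.

```python
"""Pre-commit style check: every YAML file under secrets/ must be a vault envelope."""
import binascii
import sys
from pathlib import Path

VAULT_MAGIC = "$ANSIBLE_VAULT"

def parse_vault_envelope(text: str) -> dict:
    """Parse the envelope written by `ansible-vault create` (formats 1.1 and 1.2)."""
    lines = text.strip().splitlines()
    # Header line: $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id>]
    if not lines or not lines[0].startswith(VAULT_MAGIC + ";"):
        raise ValueError("not an Ansible Vault file")
    fields = lines[0].split(";")
    if len(fields) not in (3, 4):
        raise ValueError("malformed vault header")
    version, cipher = fields[1], fields[2]
    vault_id = fields[3] if len(fields) == 4 else None
    # Body: hex of b"<salt hex>\n<hmac hex>\n<ciphertext hex>", wrapped at 80 columns
    parts = binascii.unhexlify("".join(lines[1:])).split(b"\n")
    if len(parts) != 3:
        raise ValueError("body must hold salt, hmac and ciphertext")
    salt, mac, ciphertext = (binascii.unhexlify(p) for p in parts)
    if cipher == "AES256" and (len(salt) != 32 or len(mac) != 32):
        raise ValueError("AES256 vaults use a 32-byte salt and a 32-byte HMAC-SHA256")
    return {"version": version, "cipher": cipher, "vault_id": vault_id,
            "salt": salt, "hmac": mac, "ciphertext": ciphertext}

def is_vault_encrypted(text: str) -> bool:
    """True only for a well-formed vault envelope; plain YAML or a damaged file is False."""
    try:
        parse_vault_envelope(text)
        return True
    except (ValueError, binascii.Error):
        return False

def unencrypted_secret_files(root: Path) -> list:
    """Paths under root/secrets/ (assumed layout) whose contents are not vault-encrypted."""
    return sorted(str(p) for p in (root / "secrets").rglob("*.yml")
                  if not is_vault_encrypted(p.read_text()))

# Constructed sample: synthetic salt/HMAC/ciphertext bytes (not real encryption), laid out as ansible-vault writes them
_BODY = b"\n".join(binascii.hexlify(x) for x in (b"S" * 32, b"M" * 32, b"C" * 48))
_HEX = binascii.hexlify(_BODY).decode()
SAMPLE_VAULT = "$ANSIBLE_VAULT;1.1;AES256\n" + "\n".join(_HEX[i:i + 80] for i in range(0, len(_HEX), 80))

if __name__ == "__main__":
    bad = unencrypted_secret_files(Path(sys.argv[1] if len(sys.argv) > 1 else "."))
    print("plaintext secrets:", ", ".join(bad) or "none")
    sys.exit(1 if bad else 0)
```

Run it from the repository root; a non-zero exit means at least one file under secrets/ would be committed in plaintext.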
Step 4: Use the Vault in a Playbook
Now that your secrets are safe, let’s use them. Here’s a simple playbook (playbook.yml) to test it:
- hosts: localhost
  vars_files:
    - ~/ansible/secrets/secrets.yml
  tasks:
    - name: Print the database password
      debug:
        msg: "The DB password is {{ db_password }}"
Run it with:
ansible-playbook playbook.yml --ask-vault-pass
Ansible will prompt you for the vault password. Enter it, and you’ll see your secret in action. If typing the password every time feels tedious, save it to a file (e.g., ~/ansible/vault-pass.txt):
echo "your-vault-password" > ~/ansible/vault-pass.txt
chmod 600 ~/ansible/vault-pass.txt
Then run:
ansible-playbook playbook.yml --vault-password-file ~/ansible/vault-pass.txt
Step 5: Edit Passwords in secrets.yml
If you want to change the contents of secrets.yml, you can do so with:
ansible-vault edit ~/ansible/secrets/secrets.yml
Pro Tips
Password Security: Don’t commit your vault password to Git. Use a password manager or a secure file with tight permissions (chmod 600).
Permissions: If you hit access issues, double-check file ownership or run commands as the right user.
Multiple Vaults: For bigger projects, look into vault IDs to manage secrets by team or environment.