Securing a Playbook with Ansible Vault

45 minutes
  • 3 Learning Objectives

About this Hands-on Lab

Information is power, and keeping power in the proper hands is important for every system administrator. One method of doing it is by encrypting files that have sensitive information, like passwords, in them. This is especially important when doing something like using `git` to keep playbooks managed. This lab will help practice doing this and working with Ansible.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Write the Playbook to be Encrypted

Note: Please wait an extra minute after the lab starts to make sure all the resources for the lab are ready.

Our playbook, dba-pass.yml, should look similar to this once we’re done editing it:

---
- name: Deploy DBA password file
  hosts: dbservers
  become: yes

  tasks:
   - name: Create and pgapass file
     lineinfile:
      line: 'LinuxAcad'
      create: yes
      owner: dba
      group: dba
      mode: 0600
      path: /home/dba/.pgpass
Encrypt the Playbook

To encrypt the playbook, we’l run this:

ansible-vault encrypt dba-pass.yml

Give a password, then confirm that password, and do not forget that password.

Now if we try to read that file (cat dba-pass.yml) we’ll get a bunch of useless numbers across the screen.

Run the Encrypted Playbook

To run this encrypted playbook, we’ll use this command:

ansible-playbook --ask-vault-pass dba-pass.yml

Once we supply the vault password, Ansible will run the playbook just like it would any other.

Additional Resources

Notice: Ansible is installed as the root user, so please work on all tasks after elevating to the root user.

Our database administrators have started using a third party tool to run some analysis on their database. This tool needs access to the password used by the dba account. We've been given the database password to enable this tool. Our task is to put that password in /home/dba/.pgpass but make sure that no one (without the vault password) can read the password on our local filesystem. The password is LinuxAcad. The file must be owned by the dba user and have a mode of 0600.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?