DEV Community

Athreya aka Maneshwar

Managing Secrets in Ansible with Vault

Hello, I'm Maneshwar. I’m building LiveReview, a private AI code review tool that runs on your LLM key (OpenAI, Gemini, etc.) with highly competitive pricing -- built for small teams. Do check it out and give it a try!

When working with infrastructure automation using Ansible, you often need to handle sensitive information like database passwords, API keys, or SSH keys.

Storing these in plain text is risky and not recommended.

That’s where Ansible Vault comes in — it lets you encrypt your secrets safely.

What is Ansible Vault?

Ansible Vault is a feature that allows you to encrypt and decrypt files, variables, or strings. Only the encrypted form ends up in version control such as Git, so your secrets stay protected as long as the vault password does.

1. Creating a Vault File

To store secrets in a separate file:

ansible-vault create secret.yml

You’ll be prompted to set a password. After that, an editor opens where you can add your secrets in YAML format:

db_password: supersecret123
api_key: abcdef123456

2. Editing an Existing Vault

To update or add new secrets:

ansible-vault edit secret.yml

You’ll need the vault password to open the file.

3. Using Vault Variables in a Playbook

You can include vault files like any other variable file:

- hosts: all
  vars_files:
    - secret.yml
  tasks:
    - name: Show DB password
      # debug writes the decrypted value to the run output and any logs;
      # in real playbooks set no_log: true on tasks that handle secrets
      debug:
        msg: "The DB password is {{ db_password }}"

4. Running Playbooks with Vault

When running playbooks that use vault files, you must provide the vault password:

ansible-playbook playbook.yml --ask-vault-pass

Or you can use a password file:

ansible-playbook playbook.yml --vault-password-file /path/to/password_file

5. Encrypting Individual Variables

Sometimes you want to encrypt a single variable inline:

ansible-vault encrypt_string 'supersecret123' --name 'db_password'

This outputs an encrypted block that you can paste directly into your playbook or variable file:

db_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          61346362613364333462346262346163...

Best Practices

  • Keep your vault password secure and separate from code.
  • Use separate vault files for different environments (dev, staging, production).
  • Avoid committing unencrypted secrets to version control.
  • For automation, use a vault password file with restricted access.
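As an added example (not code from this post or from the Ansible project), here is a small pre-commit style check in Python for the "avoid committing unencrypted secrets" rule: it scans a vars file and reports secret-looking keys whose values are not well-formed !vault blocks in the $ANSIBLE_VAULT;1.1;AES256 layout shown in section 5. It checks structure only and never decrypts; the key-name pattern and the sample vars are assumptions, and the "ciphertext" in the sample is filler bytes, not real AES output.

```python
"""Check an Ansible vars file: secret-looking keys must be well-formed !vault blocks."""
import re
from binascii import hexlify, unhexlify

VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];AES256(?:;[\w.-]+)?$")  # 1.2 adds a vault-id
SECRET_KEY = re.compile(r"pass(word)?|secret|token|api_key|private_key", re.I)  # assumed naming

def valid_vault_body(hex_lines):
    """Structure only, no decryption: hex body -> 'salt\\nhmac\\nciphertext', each hex; salt and HMAC-SHA256 are 32 bytes."""
    try:
        salt, mac, ct = unhexlify("".join(hex_lines)).split(b"\n")
        return len(unhexlify(salt)) == 32 and len(unhexlify(mac)) == 32 and len(unhexlify(ct)) > 0
    except ValueError:  # binascii.Error is a ValueError: odd length, non-hex, or not 3 parts
        return False

def find_unvaulted_secrets(vars_text):
    """Return (key, reason) for every top-level secret-looking key that is not properly vaulted."""
    findings, lines, i = [], vars_text.splitlines(), 0
    while i < len(lines):
        m = re.match(r"^([A-Za-z_]\w*):\s*(.*)$", lines[i])
        i += 1
        if not m or not SECRET_KEY.search(m.group(1)):
            continue
        key, value = m.groups()
        if value != "!vault |":
            findings.append((key, "plaintext value"))
            continue
        block = []
        while i < len(lines) and lines[i].startswith(" "):  # indented continuation lines
            block.append(lines[i].strip())
            i += 1
        if not block or not VAULT_HEADER.match(block[0]):
            findings.append((key, "missing or malformed $ANSIBLE_VAULT header"))
        elif not valid_vault_body(block[1:]):
            findings.append((key, "vault body is not salt/hmac/ciphertext hex"))
    return findings

def fake_vault_block(salt, mac, ct):
    """Lay bytes out the way ansible-vault does (hex of 'hex\\nhex\\nhex', wrapped at 80 chars). Demo filler only."""
    outer = hexlify(b"\n".join(hexlify(x) for x in (salt, mac, ct))).decode()
    body = ["$ANSIBLE_VAULT;1.1;AES256"] + [outer[j:j + 80] for j in range(0, len(outer), 80)]
    return "!vault |\n" + "\n".join("          " + line for line in body)

# Constructed sample vars file: one plaintext secret, one good vault block, one broken one.
SAMPLE_VARS = "db_host: db.internal\ndb_password: supersecret123\napi_key: " + \
    fake_vault_block(b"\x01" * 32, b"\x02" * 32, b"\x03" * 16) + \
    "\nssh_private_key: !vault |\n          $ANSIBLE_VAULT;1.1;AES256\n          not-hex-at-all\n"
```

Running find_unvaulted_secrets(SAMPLE_VARS) flags db_password (plaintext) and ssh_private_key (malformed body) while api_key passes; wire it into a pre-commit hook to fail the commit when the list is non-empty.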

Conclusion

Ansible Vault is a simple but powerful way to manage sensitive information in your automation workflows.

By encrypting secrets, you can safely store them alongside your playbooks without compromising security.

LiveReview helps you get great feedback on your PR/MR in a few minutes.

Saves hours on every PR by giving fast, automated first-pass reviews.

If you're tired of waiting for your peer to review your code or are not confident that they'll provide valid feedback, here's LiveReview for you.
