Skip to content

Working with Ansible Vault

ansible-vault is a way to manage encrypted data in a way that Ansible can natively understand. Because it's encrypted, it's okay to store it in a Git repo.

How AFD2 uses ansible-vault

The Splunk repo should have a secret stored for the vault decryption key. This way, the key is not in source control and is only exposed to runners and users that we permit. This is passed as an environment variable to the runner, which echoes it into a vault.pass file in the Docker container it runs in. Since the container is discarded when finished, this is a reasonable approach.

The filename, vault.pass is special, but this is set in the ansible.cfg file.

How you can use ansible-vault

First, ensure that your copy of the Splunk repo is in a secure location.

If you have just cloned your Splunk repo, please run git submodule update --init --recursive to ensure the AFD2 submodule is present in all its glory.

Next, inside your Splunk repo , create a file called vault.pass. Its only contents should be the Vault decryption key. The vault.pass file is in .gitignore so you can't accidentally commit it.

Editing encrypted files

Run ansible-vault edit filename.yml from the AFD2 submodule directory. Assuming you've configured the vault.pass file above appropriately. it will automatically open the file in $EDITOR (probably either nano or vim). If you write and save it, it'll automatically reencrypt the file.

Still being prompted for the password? * Make sure your working directory (i.e. pwd) is the base of the Splunk repo. * Ensure you have an ansible.cfg file. If you don't, run ln -s afd2/ansible.cfg .

Using on Linux

Install Ansible via your package manager or pip. Further directions available here. Follow the above directions.

Using on Windows

This tool has not been thoroughly tested by us. If you have further directions or feedback, please contribute to this document!

You can use the ansvaultcmd third-party tool. It's MIT licensed and the code is freely available on GitHub. You can also install it via Chocolatey by choco install ansiblevaultcmd in an elevated terminal.

You should be able to use it in PowerShell somewhat like this:

AnsVaultCmd --infile secrets/prod.vault.yaml --password $(Get-Content .\vault.pass) --outfile secrets/prod.yaml
# edit secrets/prod.yaml
AnsVaultCmd --infile secrets/prod.yaml --password $(Get-Content .\vault.pass) --outfile secrets/prod.vault.yaml
Remove-Item secrets/prod.yaml

Last update: 2020-05-22