Vault IDs in Red Hat Ansible and Red Hat Ansible Tower

January 30, 2020
Sreejith Anujan
Related topics: CI/CD, DevOps, Security
Related products: Red Hat Enterprise Linux


    This article demonstrates the use of multiple vault passwords through vault IDs. You will learn how to use vault IDs to encrypt a file and a string. Once they're encrypted, the vault ID can be referenced inside a playbook and used within Red Hat Ansible and Red Hat Ansible Tower.

    Vault IDs are supported starting with Ansible 2.4

    Vault IDs let you encrypt different files with different passwords and reference all of them from one playbook. Before Ansible 2.4, only one vault password could be used per playbook run, so every encrypted file had to be encrypted with that same password.

    To begin with, declare the vault IDs in your ansible.cfg file (they can also be passed on the command line with --vault-id). The following excerpt is from ansible-config list for the DEFAULT_VAULT_IDENTITY_LIST setting:

    default: []
    description: A list of vault-ids to use by default. Equivalent to multiple --vault-id
    args. Vault-ids are tried in order.
    env:
    - {name: ANSIBLE_VAULT_IDENTITY_LIST}
    ini:
    - {key: vault_identity_list, section: defaults}
    name: Default vault ids
    type: list
    yaml: {key: defaults.vault_identity_list}

    You can reference multiple vault IDs and their corresponding password files in ansible.cfg. The vault_identity_list key under the [defaults] section maps each vault ID to its password source.

    The ansible.cfg has the following configuration:

    [sanujan@fedora ansible]$ cat ansible.cfg
    [defaults]
    inventory = inventory
    remote_user = root
    vault_identity_list = inline@~/ansible/.inline_pass , files@~/ansible/.files_pass

    The last line maps vault ID inline to the password file /home/sanujan/ansible/.inline_pass and vault ID files to /home/sanujan/ansible/.files_pass. For this article, both password files were created in advance in the $HOME/ansible directory and are readable only by their owner.

    The contents of those password files are shown below:

    [sanujan@fedora ansible]$ cat ~/ansible/.files_pass
    REDHAT
    [sanujan@fedora ansible]$ cat ~/ansible/.inline_pass
    redhat
    [sanujan@fedora ansible]$ ls -l ~/ansible/.files_pass ~/ansible/.inline_pass
    -r--------. 1 sanujan sanujan 7 Sep 23 06:25 /home/sanujan/ansible/.files_pass
    -r--------. 1 sanujan sanujan 7 Sep 23 06:25 /home/sanujan/ansible/.inline_pass
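The mapping above is only as safe as the password files it points to. The following is an added example, not code from the article or from Ansible: it parses the vault_identity_list value the way Ansible splits label@source entries and audits each password file for the properties the listing above shows (a regular file, owned by the caller, mode 0400 or 0600). The directory, file names and contents built in demo() are constructed for the example.

```python
# Added example, not code from the article: a pre-flight audit of the
# vault_identity_list mapping in ansible.cfg.  It splits each "label@source"
# entry the way Ansible does and checks that each password file on disk is a
# regular file, owned by the caller, and unreadable by group and others.
# The file names, labels and contents in demo() are constructed for the example.
import configparser
import os
import stat
import tempfile


def parse_vault_identity_list(cfg_text: str) -> list[tuple[str, str]]:
    """Return [(label, source), ...] in the order Ansible will try them.

    Each entry is split on the first '@': the text before it is the vault ID
    label, the rest is the source (a file path, an executable script, or the
    word 'prompt').  An entry with no '@' is a source under the default label.
    """
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    raw = cp.get("defaults", "vault_identity_list", fallback="")
    entries = []
    for item in raw.split(","):
        item = item.strip()
        if not item:
            continue
        if "@" in item:
            label, source = item.split("@", 1)
        else:
            label, source = "default", item
        entries.append((label.strip(), os.path.expanduser(source.strip())))
    return entries


def audit_password_file(source: str) -> list[str]:
    """Return a list of findings for one password source; empty means it looks sane."""
    if source == "prompt":
        return []  # interactive prompt: nothing on disk to check
    try:
        st = os.stat(source)
    except FileNotFoundError:
        return [f"{source}: missing"]
    findings = []
    if not stat.S_ISREG(st.st_mode):
        return [f"{source}: not a regular file"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{source}: readable by group or others (mode {oct(mode)})")
    if st.st_uid != os.getuid():
        findings.append(f"{source}: not owned by the current user")
    # An executable file is run by Ansible as a password client script, so its
    # contents are not a passphrase; only plain files are checked for emptiness.
    if not mode & stat.S_IXUSR:
        with open(source, "rb") as f:
            if not f.read().strip():
                findings.append(f"{source}: empty passphrase")
    return findings


def audit_config(cfg_text: str) -> dict[str, list[str]]:
    """Map every vault ID label in the config to the findings for its source."""
    return {label: audit_password_file(src) for label, src in parse_vault_identity_list(cfg_text)}


def demo() -> dict[str, list[str]]:
    """Build a throwaway directory with one correctly protected password file,
    one that is world-readable and one that is missing, then audit all three."""
    workdir = tempfile.mkdtemp()
    good = os.path.join(workdir, ".files_pass")
    bad = os.path.join(workdir, ".inline_pass")
    with open(good, "w") as f:
        f.write("REDHAT\n")
    with open(bad, "w") as f:
        f.write("redhat\n")
    os.chmod(good, 0o400)  # what the article's ls -l shows: -r--------
    os.chmod(bad, 0o644)   # the mistake the audit should catch
    cfg = (
        "[defaults]\n"
        "inventory = inventory\n"
        f"vault_identity_list = files@{good} , inline@{bad} , extra@{workdir}/missing_pass\n"
    )
    return audit_config(cfg)


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "OK" if not findings else "; ".join(findings))
```

Run it before a playbook run (or in CI) to catch a password file that was copied without its mode, or a label whose file no longer exists; Ansible itself only reports the latter when decryption is first attempted.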

    Figure 1 shows a sample playbook, vault_encryption.yml, that contains an encrypted string and a reference to an encrypted vars file (vars/vars.yml).

    Figure 1: The results of running cat vault_encryption.yml.

    How the string and vars file are encrypted is detailed in the next section.

    Encrypting a file to be included/referenced inside the playbook

    To create the encrypted section for a file, run:

    [sanujan@fedora ansible]$ ansible-vault encrypt --encrypt-vault-id files vars/vars.yml

    The --encrypt-vault-id files option selects the vault ID "files" for encrypting vars/vars.yml in the playbook directory. The command doesn't prompt for a password because it resolves the ID "files" through ansible.cfg to ~/ansible/.files_pass, which contains the passphrase REDHAT. The vars/vars.yml file defines a single variable, course, with the value DO457.

    To view the encrypted file, you can use ansible-vault's view option. Here, the passphrase is automatically taken by Ansible, as it's referenced inside ansible.cfg:

    [sanujan@fedora ansible]$ ansible-vault view vars/vars.yml 
    course: DO457

    Encrypting a string to be used inside a playbook

    To encrypt a string intended for use inside an Ansible playbook, use a format similar to:

    [sanujan@fedora ansible]$ ansible-vault encrypt_string --encrypt-vault-id inline -n testing this-is-the-secret

    The --encrypt-vault-id inline option selects the vault ID inline for encrypting the string this-is-the-secret, and -n testing names the variable, testing, whose value it becomes.

    This command doesn't prompt for a password either: it resolves the ID inline through ansible.cfg to ~/ansible/.inline_pass, which holds the passphrase redhat. The results are shown in Figure 2.

    Figure 2: The results of running ansible-vault encrypt_string --encrypt-vault-id inline -n testing this-is-the-secret.

    The output breaks down as follows:

    • The variable name testing, followed by the !vault | tag, tells Ansible that the value that follows is vault-encrypted.
    • The header line $ANSIBLE_VAULT;1.2;AES256;inline begins with the vault format version; 1.2 is the version that carries a vault ID (1.1 does not).
    • AES256 names the cipher: AES with a 256-bit key.
    • The last header field, inline, is the vault ID the string was encrypted with.

    Note: The vault ID appears in the header in cleartext. It is only a label telling Ansible which secret to try; the passphrase itself is never stored in the file.

    Now, you can copy and paste the output, including the variable name (testing, in our case), all the way down to the line before Encryption successful, into your playbook.

    Executing the playbook

    In order to execute this playbook, run:

    [sanujan@fedora ansible]$ ansible-playbook vault_encryption.yml

    The results are shown in Figure 3.

    Figure 3: The results of running ansible-playbook vault_encryption.yml.

    Prompting the vault password during playbook execution

    If the vault_identity_list key is set in ansible.cfg, Ansible loads every secret in that list, left to right, on each run. When it meets an encrypted string or file, it first tries the secret whose label matches the vault ID in the header and then falls back to the remaining secrets in order. The label before the @ character is therefore only a hint, not an access control: any configured passphrase that decrypts the data is accepted. To make Ansible try only the secret whose label matches the header, set vault_id_match = True in the [defaults] section (or the ANSIBLE_VAULT_ID_MATCH environment variable). If you prefer to have Ansible prompt you for the password to decrypt the vault string/file, you can comment out the vault_identity_list key in ansible.cfg.

    To execute the playbook while requiring a prompt, use --vault-id id@prompt:

    [sanujan@fedora ansible]$ ansible-playbook --vault-id inline@prompt --vault-id files@prompt vault_encryption.yml

    An example is shown in Figure 4.

    Figure 4: The result of running ansible-playbook --vault-id inline@prompt --vault-id files@prompt vault_encryption.yml.

    As you can see, this command prompts you twice: once for the passphrase for vault ID inline and once for files.
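Both the header breakdown in the encrypt_string section and the try-in-order behaviour described above are easy to check without running a playbook. The following is an added example, not Ansible's own code: it parses the $ANSIBLE_VAULT header line, lists which vault IDs a playbook references so you know which --vault-id <label>@prompt arguments to pass, and models (in simplified form, as an assumption about VaultLib rather than a copy of it) the order in which Ansible tries the configured secrets with and without vault_id_match. The playbook text and its hex lines are constructed placeholders, not real ciphertext; the secret values reuse the ones from the article's ansible.cfg.

```python
# Added example, not Ansible's own code: parse the envelope header that
# ansible-vault writes, list which vault IDs a playbook needs, and model
# (in simplified form) the order in which Ansible tries the configured
# secrets.  The playbook text and its hex bodies are constructed dummies;
# only the header lines are meaningful.
import re

HEADER_RE = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>1\.[12]);(?P<cipher>[A-Z0-9]+)(?:;(?P<vault_id>[^;\s]+))?$"
)

# Constructed sample of what vault_encryption.yml looks like after pasting the
# encrypt_string output.  The hex lines are placeholders, not real ciphertext.
SAMPLE_PLAYBOOK = """\
---
- hosts: all
  vars_files:
    - vars/vars.yml
  vars:
    testing: !vault |
          $ANSIBLE_VAULT;1.2;AES256;inline
          36633663316335363930383436373562373233316138663966623132396266666638363436643930
          6432303161303239303536383030613062323934303437370a623966376366313232663064663066
  tasks:
    - debug:
        var: testing
"""

# A legacy (format 1.1) header carries no vault ID at all.
LEGACY_HEADER = "$ANSIBLE_VAULT;1.1;AES256"


def parse_vault_header(line: str) -> dict:
    """Split a '$ANSIBLE_VAULT;<version>;<cipher>[;<vault_id>]' line into its fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an Ansible Vault header: {line!r}")
    return {"version": m.group("version"), "cipher": m.group("cipher"), "vault_id": m.group("vault_id")}


def vault_ids_referenced(text: str) -> list:
    """Vault ID of every encrypted blob in text (None for 1.1 headers), in order of appearance."""
    ids = []
    for line in text.splitlines():
        if line.strip().startswith("$ANSIBLE_VAULT;"):
            ids.append(parse_vault_header(line)["vault_id"])
    return ids


def missing_vault_ids(text: str, configured_labels) -> list:
    """Labels the playbook needs that are not configured; each one needs a
    --vault-id <label>@prompt (or @<file>) argument on the command line."""
    have = set(configured_labels)
    return sorted({i for i in vault_ids_referenced(text) if i is not None and i not in have})


def candidate_secrets(header_vault_id, secrets, vault_id_match=False) -> list:
    """Order in which Ansible tries `secrets` ([(label, passphrase), ...] as
    given by vault_identity_list / --vault-id) for a blob with this header ID.

    Simplified model (an assumption, not a copy of ansible's VaultLib): the
    secrets whose label matches the header are tried first; unless
    vault_id_match (DEFAULT_VAULT_ID_MATCH) is on, every other secret is then
    tried in configured order, so the label is a hint, not an access control.
    A 1.1 blob carries no ID and is tried against every secret.
    """
    if header_vault_id is None:
        return list(secrets)
    matched = [s for s in secrets if s[0] == header_vault_id]
    if vault_id_match:
        return matched
    return matched + [s for s in secrets if s[0] != header_vault_id]


if __name__ == "__main__":
    secrets = [("inline", "redhat"), ("files", "REDHAT")]  # labels and values from the article's ansible.cfg
    print("vault IDs referenced:", vault_ids_referenced(SAMPLE_PLAYBOOK))
    print("prompt needed for:", missing_vault_ids(SAMPLE_PLAYBOOK, ["files"]))
    print("order tried:", candidate_secrets("files", secrets))
    print("order tried with vault_id_match:", candidate_secrets("files", secrets, True))
```

The point of candidate_secrets is the fallback: with the default settings a blob labelled files is still decrypted by the inline passphrase if that happens to be the right one, which is convenient for re-keying but means the label alone does not separate environments; vault_id_match = True is what turns the label into a hard boundary.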

    Vault IDs in Ansible Tower

    Ansible Tower also supports vault IDs, starting with Tower 3.3. You can reference these vault IDs while creating a credential of type Vault, as shown in Figure 5.

    Figure 5: The Ansible Tower New Credential screen.

    Summary

    Vault IDs offer the flexibility to use multiple passphrases for encrypting different files and strings referenced from one playbook. Ansible Tower also supports vault IDs when creating a Vault credential.

    Learn more

    To learn more about vault IDs and how to use them in Red Hat Ansible and Red Hat Ansible Tower, see the following resources:

    • Ansible Vault ID
    • Ansible Documentation
    • Ansible Tower Documentation


    Last updated: March 28, 2023
