Ditch the Ask-Vault-Pass Parameter: Securely Accessing Vault Secrets in Ansible
The Problem:
You're using Ansible Vault to encrypt sensitive data like passwords and API keys, but you're tired of constantly being prompted for the vault password. It's inconvenient, especially when automating tasks or working in CI/CD pipelines.
Rephrased:
You want to access your encrypted Ansible secrets without having to type in the password every time.
Scenario:
Let's say you have a playbook named deploy.yml that loads a vault-encrypted file called secrets.yml, which defines a database password (encrypt it with ansible-vault encrypt secrets.yml):
---
- hosts: webservers
  become: true
  vars_files:
    - secrets.yml   # encrypted with Ansible Vault; defines database_password
  tasks:
    - name: Connect to the database
      mysql_user:
        name: myuser
        password: "{{ database_password }}"
      delegate_to: localhost
Every time you run this playbook you have to pass --ask-vault-pass and type the vault password, or Ansible cannot decrypt secrets.yml.
Solutions:
Here are a few ways to avoid the --ask-vault-pass prompt:
- Vault Password in Environment Variable:
  Ansible reads the location of the vault password from the ANSIBLE_VAULT_PASSWORD_FILE environment variable (it has no variable that takes the password itself). Point it at a password file, or at an executable script whose standard output is the password, before running Ansible:
  export ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass.txt
  ansible-playbook deploy.yml
  Pros: Easy to implement, works well for one-off tasks.
  Cons: Insecure if you don't manage the environment variable, and the file it points to, carefully.
- Vault Password in a File:
  Store the vault password in a separate file, restrict its permissions to your own user, and use the --vault-password-file option when running Ansible:
  echo "my_secret_password" > vault_password.txt
  chmod 600 vault_password.txt
  ansible-playbook deploy.yml --vault-password-file vault_password.txt
  Pros: More secure than environment variables; the file's location can be fixed in version-controlled configuration (never commit the file itself).
  Cons: Still requires storing the password in plaintext.
- Vault Password Location in Configuration Files:
  If your environment uses Ansible configuration files, point ansible.cfg at the password file so the option does not have to be passed on every run:
  [defaults]
  vault_password_file = /path/to/vault_password.txt
  Pros: Centralized configuration, works seamlessly with Ansible.
  Cons: The password still sits in plaintext in the referenced file, and ansible.cfg now tells everyone where it is.
- Vault Passphrase in a KMS (Key Management Service):
  Use a KMS like AWS KMS or HashiCorp Vault to securely store and retrieve the vault password, typically through an executable vault password script that fetches it at run time. This approach eliminates the need to store the password in plaintext.
  Pros: Highly secure, integrates well with existing infrastructure.
  Cons: Requires setting up and configuring a KMS.
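The mechanism behind options 1, 2 and 4 is the same: Ansible treats an executable vault password file as a script and uses its standard output as the password. The following is an added example, not code from the original article, showing such a script that hands the passphrase over from an environment variable (as a CI system would inject it from its secret store) and fails closed when the variable is missing, plus a pre-flight check that a plaintext password file is not readable by other users. The variable name VAULT_PASS and the script path are assumptions chosen here; in a KMS setup the script body would call the KMS client instead of printing the variable.

```shell
#!/bin/sh
# Added example (not from the original article). Ansible runs an executable
# --vault-password-file (or the ANSIBLE_VAULT_PASSWORD_FILE target) as a script
# and reads the vault password from its stdout, so the passphrase never has to
# be written to disk. Assumption: the CI job exports the passphrase as VAULT_PASS
# (a name chosen here, not prescribed by Ansible).

# Print the passphrase from the environment; fail closed if it is unset so a
# misconfigured job errors out instead of silently trying an empty password.
vault_pass() {
    if [ -z "${VAULT_PASS:-}" ]; then
        echo "vault-pass: VAULT_PASS is not set" >&2
        return 1
    fi
    printf '%s\n' "$VAULT_PASS"
}

# Write the same logic as a stand-alone script at $1, created owner-only
# (umask 077 in a subshell so there is no window where others can read it).
install_vault_pass_script() {
    dest=$1
    (
        umask 077
        cat > "$dest" <<'EOF'
#!/bin/sh
[ -n "${VAULT_PASS:-}" ] || { echo "vault-pass: VAULT_PASS is not set" >&2; exit 1; }
printf '%s\n' "$VAULT_PASS"
EOF
    )
    chmod 700 "$dest"
}

# True when the file has no group/other permission bits (mode 0600 or 0700).
# Columns 5-10 of `ls -l` are the group and other rwx triplets.
perms_are_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Pre-flight check for a plaintext password file (options 2 and 3): refuse to
# proceed if it is missing or readable by anyone but the owner.
check_password_file() {
    f=$1
    [ -f "$f" ] || { echo "missing password file: $f" >&2; return 1; }
    perms_are_private "$f" || { echo "password file $f is readable by others" >&2; return 1; }
}
```

Usage in a pipeline: install the script once (install_vault_pass_script ./vault-pass.sh), export ANSIBLE_VAULT_PASSWORD_FILE=$PWD/vault-pass.sh, and let the CI secret store set VAULT_PASS for the job; the password then appears neither in the repository nor in ansible.cfg, and a job without the secret fails immediately rather than half-way through a play.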
Recommendations:
For maximum security, use a KMS (option 4) or, if you can't use a KMS, store the vault password in a file (option 2) and carefully manage the file permissions.
Important Considerations:
- Security: Storing your vault password in plaintext (options 1, 2, and 3) is not ideal. Use strong passwords and secure storage methods.
- Access Control: Ensure you have appropriate access control mechanisms in place for whoever manages the vault password.
- CI/CD Integration: When integrating Ansible with CI/CD pipelines, use a KMS or store the vault password in a secure way, accessible only to authorized users.
Conclusion:
While the --ask-vault-pass option is useful for quick testing, you should strive to avoid it in production environments. By securely storing your vault password and leveraging the right strategies, you can streamline your Ansible workflows while maintaining security.