ansible/docs/docsite/rst/user_guide/playbooks_vault.rst

.. _playbooks_vault:

Using Vault in playbooks
========================

.. contents:: Topics

The "Vault" is a feature of Ansible that allows you to keep sensitive data such as passwords or keys in encrypted files, rather than as plaintext in playbooks or roles. These vault files can then be distributed or placed in source control.

To enable this feature, a command line tool, :ref:`ansible-vault` is used to edit files, and a command line flag :option:`--ask-vault-pass <ansible-vault --ask-vault-pass>` or :option:`--vault-password-file <ansible-vault --vault-password-file>` is used. You can also modify your ``ansible.cfg`` file to specify the location of a password file or configure Ansible to always prompt for the password. These options require no command line flag usage.

For best practices advice, refer to :ref:`best_practices_for_variables_and_vaults`.

.. _running_a_playbook_with_vault:

Running a Playbook With Vault
`````````````````````````````

To run a playbook that contains vault-encrypted data files, you must pass one of two flags.  To specify the vault-password interactively::

    ansible-playbook site.yml --ask-vault-pass

This prompt will then be used to decrypt (in memory only) any vault encrypted files that are accessed.  Currently this requires that all files be encrypted with the same password.

Alternatively, passwords can be specified with a file or a script (the script version will require Ansible 1.7 or later).  When using this flag, ensure permissions on the file are such that no one else can access your key and do not add your key to source control::

    ansible-playbook site.yml --vault-password-file ~/.vault_pass.txt

    ansible-playbook site.yml --vault-password-file ~/.vault_pass.py

The password should be a string stored as a single line in the file.

.. note::
   You can also set :envvar:`ANSIBLE_VAULT_PASSWORD_FILE` environment variable, e.g. ``ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass.txt`` and Ansible will automatically search for the password in that file.

If you are using a script instead of a flat file, ensure that it is marked as executable, and that the password is printed to standard output.  If your script needs to prompt for data, prompts can be sent to standard error.

This is something you may wish to do if using Ansible from a continuous integration system like Jenkins.

The :option:`--vault-password-file <ansible-pull --vault-password-file>` option can also be used with the :ref:`ansible-pull` command if you wish, though this would require distributing the keys to your nodes, so understand the implications -- vault is more intended for push mode.


.. _single_encrypted_variable:

Single Encrypted Variable
`````````````````````````

As of version 2.3, Ansible can now use a vaulted variable that lives in an otherwise 'clear text' YAML file::

    notsecret: myvalue
    mysecret: !vault |
              $ANSIBLE_VAULT;1.1;AES256
              66386439653236336462626566653063336164663966303231363934653561363964363833313662
              6431626536303530376336343832656537303632313433360a626438346336353331386135323734
              62656361653630373231613662633962316233633936396165386439616533353965373339616234
              3430613539666330390a313736323265656432366236633330313963326365653937323833366536
              34623731376664623134383463316265643436343438623266623965636363326136
    other_plain_text: othervalue

To create a vaulted variable, use the :ref:`ansible-vault encrypt_string <ansible_vault_encrypt_string>` command. See :ref:`encrypt_string` for details.

This vaulted variable will be decrypted with the supplied vault secret and used as a normal variable. The ``ansible-vault`` command line supports stdin and stdout for encrypting data on the fly, which can be used from your favorite editor to create these vaulted variables; you just have to be sure to add the ``!vault`` tag so both Ansible and YAML are aware of the need to decrypt. The ``|`` is also required, as vault encryption results in a multi-line string.


.. _encrypt_string:

Using encrypt_string
````````````````````

This command will output a string in the above format ready to be included in a YAML file.
The string to encrypt can be provided via stdin, command line arguments, or via an interactive prompt.

See :ref:`encrypt_string_for_use_in_yaml`.
Add anchors to some guides and all module categories (#36642) * Add anchors to some guides and all module categories This is required if we want to use absolute :ref: references instead of relative :doc: references. * Update the Cisco ACI Guide reference * Add `aci_guide` anchor * Add `network_guide` anchor * Add category anchor * Improve readability * Fix small typo 7 years ago			`.. _playbooks_vault:`

Vault docs (#26979) * start rst docs for ansible-vault encrypt_string * wip, vault format docs (sorta markdown ish atm) * wip - formatting * wip, vault docs * Fix refs to other docs for now fixing default_role in conf.py will remove need for this * add 'ref' to cli names * more vault docs * wip, misc fixes * add some encrypt_string examples * Fix up rstcheck warnings The code blocks in question included the output that would be echo'ed from running the command, which isnt valid bash. * fix formatting and rstcheck warnings about code-block * Add envvar ref for ANSIBLE_VAULT_PASSWORD_FILE * fix doc title * Fixed title underline 7 years ago			`Using Vault in playbooks`
			`========================`
Add vault documentation. 11 years ago
			`.. contents:: Topics`

Removing obsolete version behavior callout notes - initial pass. (#33172) * Removing obsolete version behavior callout notes - initial pass. * Fixed example text punctuation. * Removed old version callout. * Typo fix * Updated example * Fixed awkward sentence * Fixed incorrect feature name * Reinstated current version callout 7 years ago			`The "Vault" is a feature of Ansible that allows you to keep sensitive data such as passwords or keys in encrypted files, rather than as plaintext in playbooks or roles. These vault files can then be distributed or placed in source control.`
Add vault documentation. 11 years ago
Correct formatting --arguments (#31808) * Correct formatting * Use RST :option: * ansible-pull --vault-password-file * Streamlined the language a bit in the intro. * Exclamation point removal! 7 years ago			To enable this feature, a command line tool, :ref:`ansible-vault` is used to edit files, and a command line flag :option:`--ask-vault-pass <ansible-vault --ask-vault-pass>` or :option:`--vault-password-file <ansible-vault --vault-password-file>` is used. You can also modify your ``ansible.cfg`` file to specify the location of a password file or configure Ansible to always prompt for the password. These options require no command line flag usage.
Add vault documentation. 11 years ago
vault and variables best practices info added, edited, and referenced This work fulfills PR #11799. Moved the content out of the vault file, into best practices, edited it, then referenced it from variables and vaults content files. 9 years ago			For best practices advice, refer to :ref:`best_practices_for_variables_and_vaults`.

Add vault documentation. 11 years ago			`.. _running_a_playbook_with_vault:`

			`Running a Playbook With Vault`
			`````````````````````````````

			`To run a playbook that contains vault-encrypted data files, you must pass one of two flags. To specify the vault-password interactively::`

			`ansible-playbook site.yml --ask-vault-pass`

Update playbooks_vault.rst Typo fix (passwords -> files). 10 years ago			`This prompt will then be used to decrypt (in memory only) any vault encrypted files that are accessed. Currently this requires that all files be encrypted with the same password.`
Add vault documentation. 11 years ago
Removing obsolete version behavior callout notes - initial pass. (#33172) * Removing obsolete version behavior callout notes - initial pass. * Fixed example text punctuation. * Removed old version callout. * Typo fix * Updated example * Fixed awkward sentence * Fixed incorrect feature name * Reinstated current version callout 7 years ago			`Alternatively, passwords can be specified with a file or a script (the script version will require Ansible 1.7 or later). When using this flag, ensure permissions on the file are such that no one else can access your key and do not add your key to source control::`
Add vault documentation. 11 years ago
			`ansible-playbook site.yml --vault-password-file ~/.vault_pass.txt`

Allow --vault-password-file to work with a script as well as a flat file 11 years ago			`ansible-playbook site.yml --vault-password-file ~/.vault_pass.py`

Add vault documentation. 11 years ago			`The password should be a string stored as a single line in the file.`

Adds ANSIBLE_VAULT_PASSWORD_FILE to the documentation site 9 years ago			`.. note::`
Vault docs (#26979) * start rst docs for ansible-vault encrypt_string * wip, vault format docs (sorta markdown ish atm) * wip - formatting * wip, vault docs * Fix refs to other docs for now fixing default_role in conf.py will remove need for this * add 'ref' to cli names * more vault docs * wip, misc fixes * add some encrypt_string examples * Fix up rstcheck warnings The code blocks in question included the output that would be echo'ed from running the command, which isnt valid bash. * fix formatting and rstcheck warnings about code-block * Add envvar ref for ANSIBLE_VAULT_PASSWORD_FILE * fix doc title * Fixed title underline 7 years ago			You can also set :envvar:`ANSIBLE_VAULT_PASSWORD_FILE` environment variable, e.g. ``ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass.txt`` and Ansible will automatically search for the password in that file.
Adds ANSIBLE_VAULT_PASSWORD_FILE to the documentation site 9 years ago
Update vault docs to indicate the executable script option is part of Ansible 1.7. 10 years ago			`If you are using a script instead of a flat file, ensure that it is marked as executable, and that the password is printed to standard output. If your script needs to prompt for data, prompts can be sent to standard error.`
Allow --vault-password-file to work with a script as well as a flat file 11 years ago
Update vault docs to indicate the executable script option is part of Ansible 1.7. 10 years ago			`This is something you may wish to do if using Ansible from a continuous integration system like Jenkins.`
Add vault documentation. 11 years ago
Correct formatting --arguments (#31808) * Correct formatting * Use RST :option: * ansible-pull --vault-password-file * Streamlined the language a bit in the intro. * Exclamation point removal! 7 years ago			The :option:`--vault-password-file <ansible-pull --vault-password-file>` option can also be used with the :ref:`ansible-pull` command if you wish, though this would require distributing the keys to your nodes, so understand the implications -- vault is more intended for push mode.
Add vault documentation. 11 years ago
added docs for vault and made trigger shorter: !vault (#20985) * added docs for vault and made trigger shorter: !vault * added single var valuting * Update playbooks_vault.rst Edit pass for spelling and grammar. Ship it! * Update playbooks_vault.rst Typo fixes. 8 years ago
Vault docs (#26979) * start rst docs for ansible-vault encrypt_string * wip, vault format docs (sorta markdown ish atm) * wip - formatting * wip, vault docs * Fix refs to other docs for now fixing default_role in conf.py will remove need for this * add 'ref' to cli names * more vault docs * wip, misc fixes * add some encrypt_string examples * Fix up rstcheck warnings The code blocks in question included the output that would be echo'ed from running the command, which isnt valid bash. * fix formatting and rstcheck warnings about code-block * Add envvar ref for ANSIBLE_VAULT_PASSWORD_FILE * fix doc title * Fixed title underline 7 years ago			`.. _single_encrypted_variable:`
added docs for vault and made trigger shorter: !vault (#20985) * added docs for vault and made trigger shorter: !vault * added single var valuting * Update playbooks_vault.rst Edit pass for spelling and grammar. Ship it! * Update playbooks_vault.rst Typo fixes. 8 years ago
			`Single Encrypted Variable`
			`````````````````````````

			`As of version 2.3, Ansible can now use a vaulted variable that lives in an otherwise 'clear text' YAML file::`

			`notsecret: myvalue`
			`mysecret: !vault \|`
			`$ANSIBLE_VAULT;1.1;AES256`
			`66386439653236336462626566653063336164663966303231363934653561363964363833313662`
			`6431626536303530376336343832656537303632313433360a626438346336353331386135323734`
			`62656361653630373231613662633962316233633936396165386439616533353965373339616234`
			`3430613539666330390a313736323265656432366236633330313963326365653937323833366536`
			`34623731376664623134383463316265643436343438623266623965636363326136`
			`other_plain_text: othervalue`

Misc docsite fixes (#30290) * Fix refs for local_facts and various cli :option: * Fix dev_guide/testing_pep8 refs * remove ref to non-existing 'developing_test_pr' * Fix ref to ansible-vault encrypt_string * Removed hard-to-localize colloquialism. * Rename '_ansible-pull' in playbooks_intro. It was conflicting with rst/ansible-pull.rst. Nothing seems to reference it. * Add explicit targets for and update refs Replace some ':doc:' use with ':ref:'. Replace some :ref: to section names with explicit targets (:doc:`Dynamic vs. Static` -> :ref:`dynamic_vs_static` etc) * The 'YAML+Jinja' syntax lex fails here, so just use yaml Since the yaml+jinja highlight fails, code wasnt highlighted at all, but 'yaml' works more or less. * just use no lexer for the < python2.6 examples py3 will fail highlighting them, and 'python2' throws a lexer warning, and nothing actually highlights it, so just disable. 7 years ago			To create a vaulted variable, use the :ref:`ansible-vault encrypt_string <ansible_vault_encrypt_string>` command. See :ref:`encrypt_string` for details.
added docs for vault and made trigger shorter: !vault (#20985) * added docs for vault and made trigger shorter: !vault * added single var valuting * Update playbooks_vault.rst Edit pass for spelling and grammar. Ship it! * Update playbooks_vault.rst Typo fixes. 8 years ago
Fix typo (#26988) 7 years ago			This vaulted variable will be decrypted with the supplied vault secret and used as a normal variable. The ``ansible-vault`` command line supports stdin and stdout for encrypting data on the fly, which can be used from your favorite editor to create these vaulted variables; you just have to be sure to add the ``!vault`` tag so both Ansible and YAML are aware of the need to decrypt. The ``\|`` is also required, as vault encryption results in a multi-line string.
added docs for vault and made trigger shorter: !vault (#20985) * added docs for vault and made trigger shorter: !vault * added single var valuting * Update playbooks_vault.rst Edit pass for spelling and grammar. Ship it! * Update playbooks_vault.rst Typo fixes. 8 years ago

Vault docs (#26979) * start rst docs for ansible-vault encrypt_string * wip, vault format docs (sorta markdown ish atm) * wip - formatting * wip, vault docs * Fix refs to other docs for now fixing default_role in conf.py will remove need for this * add 'ref' to cli names * more vault docs * wip, misc fixes * add some encrypt_string examples * Fix up rstcheck warnings The code blocks in question included the output that would be echo'ed from running the command, which isnt valid bash. * fix formatting and rstcheck warnings about code-block * Add envvar ref for ANSIBLE_VAULT_PASSWORD_FILE * fix doc title * Fixed title underline 7 years ago			`.. _encrypt_string:`
Add vault documentation. 11 years ago
Vault docs (#26979) * start rst docs for ansible-vault encrypt_string * wip, vault format docs (sorta markdown ish atm) * wip - formatting * wip, vault docs * Fix refs to other docs for now fixing default_role in conf.py will remove need for this * add 'ref' to cli names * more vault docs * wip, misc fixes * add some encrypt_string examples * Fix up rstcheck warnings The code blocks in question included the output that would be echo'ed from running the command, which isnt valid bash. * fix formatting and rstcheck warnings about code-block * Add envvar ref for ANSIBLE_VAULT_PASSWORD_FILE * fix doc title * Fixed title underline 7 years ago			`Using encrypt_string`
			````````````````````
Add note about installing cryptography. 9 years ago
Vault docs (#26979) * start rst docs for ansible-vault encrypt_string * wip, vault format docs (sorta markdown ish atm) * wip - formatting * wip, vault docs * Fix refs to other docs for now fixing default_role in conf.py will remove need for this * add 'ref' to cli names * more vault docs * wip, misc fixes * add some encrypt_string examples * Fix up rstcheck warnings The code blocks in question included the output that would be echo'ed from running the command, which isnt valid bash. * fix formatting and rstcheck warnings about code-block * Add envvar ref for ANSIBLE_VAULT_PASSWORD_FILE * fix doc title * Fixed title underline 7 years ago			`This command will output a string in the above format ready to be included in a YAML file.`
Correct formatting --arguments (#31808) * Correct formatting * Use RST :option: * ansible-pull --vault-password-file * Streamlined the language a bit in the intro. * Exclamation point removal! 7 years ago			`The string to encrypt can be provided via stdin, command line arguments, or via an interactive prompt.`
Add vault documentation. 11 years ago
Vault docs (#26979) * start rst docs for ansible-vault encrypt_string * wip, vault format docs (sorta markdown ish atm) * wip - formatting * wip, vault docs * Fix refs to other docs for now fixing default_role in conf.py will remove need for this * add 'ref' to cli names * more vault docs * wip, misc fixes * add some encrypt_string examples * Fix up rstcheck warnings The code blocks in question included the output that would be echo'ed from running the command, which isnt valid bash. * fix formatting and rstcheck warnings about code-block * Add envvar ref for ANSIBLE_VAULT_PASSWORD_FILE * fix doc title * Fixed title underline 7 years ago			See :ref:`encrypt_string_for_use_in_yaml`.