
You're reading from Ansible for Real-Life Automation

Product type: Book
Published in: Sep 2022
Publisher: Packt
ISBN-13: 9781803235417
Edition: 1st Edition
Author
Gineesh Madapparambath

Gineesh Madapparambath has over 15 years of experience in IT service management and consultancy with experience in planning, deploying, and supporting Linux-based projects. He has designed, developed, and deployed automation solutions based on Ansible and Ansible Automation Platform (formerly Ansible Tower) for bare metal and virtual server building, patching, container management, network operations, and custom monitoring. Gineesh has coordinated, designed, and deployed servers in data centers globally and has cross-cultural experience in classic, private cloud (OpenStack and VM ware), and public cloud environments (AWS, Azure, and Google Cloud Platform). Gineesh has handled multiple roles such as systems engineer, automation specialist, infrastructure designer, and content author. His primary focus is on IT and application automation using Ansible, containerization using OpenShift (and Kubernetes), and infrastructure automation using Terraform.

Using Ansible for Secret Management

When we automate tasks, we need to implement them with little to no user interaction. However, we also know that there will be stages where Ansible needs inputs such as usernames, passwords, API keys, and secrets. Most of these details can be kept in a variable file and passed to playbooks without a user prompt or interaction, but it is not a best practice to keep this kind of sensitive information as plain-text variables. There are external key vault services you can use, but most of them require additional setup and configuration that you need to integrate with Ansible.

Ansible Vault is an inbuilt feature of Ansible with which we can safeguard the sensitive parts of our Ansible artifacts by encrypting them with a vault password of our own. Ansible Vault is installed together with Ansible, and you can use it with Ansible ad hoc commands, playbooks, or within Red Hat Ansible Automation Platform.

In this chapter, you will learn about the following...

Technical requirements

The following are the technical requirements to proceed with this chapter:

  • One RHEL8/Fedora machine for an Ansible control node
  • One or more Linux machines with Red Hat repositories configured. If you are using other Linux operating systems instead of Red Hat Enterprise Linux (RHEL) machines, then make sure you have the appropriate repositories configured to get packages and updates.

All the Ansible code, Ansible playbooks, commands, and snippets for this chapter can be found in the GitHub repository at https://github.com/PacktPublishing/Ansible-for-Real-life-Automation/tree/main/Chapter-13.

Handling sensitive data in Ansible

It is a known practice not to keep sensitive data in plain text format. The same rule applies to Ansible as well, as you will be dealing with different types of sensitive data in Ansible. The sensitive data could be anything, such as the following:

  • System passwords
  • API keys
  • Port details of applications
  • Database passwords
  • SSL certificates or keys
  • Cloud credentials

We have already learned that Ansible uses plain text format for playbooks, variables, and all other configurations. Hence, storing sensitive data in normal variable files is not desirable and we need to store such information using a more secure method.

Before we jump into the details of Ansible Vault, let us learn about some of the alternative secret management methods in the following sections.

Integrating with Vault services

One of the most common methods for storing sensitive information is using key vault software and services where we can...

Managing secrets using Ansible Vault

Ansible Vault is very flexible, as we can encrypt, view, decrypt, or change the Vault password (as in, rekey it) at any time as needed. The Vault password must be stored safely, as you will not be able to retrieve the encrypted Vault content without the Vault password.

Creating Vault files

In the following exercise, we will learn how to create an encrypted file using Ansible Vault:

  1. To create a Vault file from scratch, use the ansible-vault create command, as shown in Figure 13.6:

Figure 13.6 – Creating a Vault file

  2. After we enter the Vault password, a new file will open in the default text editor, such as vim or nano (we can change the default editor by updating the $EDITOR environment variable). Enter the variables and values as needed, just as with a normal variable file:
    cloud_username: myusername
    cloud_password: mysecretpassword

Refer to Figure 13.7 for further details:

...

Using secrets in Ansible playbooks

You have learned the basic usage of secrets in an Ansible playbook in Chapter 3’s Automating notifications section. In this section, we will learn more about their usage and different methods of passing the Vault password.

In the following exercise, we will develop Ansible content to create users in Linux, with their passwords retrieved from an Ansible Vault file:

  1. Create a Chapter-13/vars/users.yaml Ansible Vault file as follows and enter the Vault password:
    [ansible@ansible Chapter-13]$ ansible-vault create vars/users.yaml

Remember the password, as we need this information when executing the playbook.

  2. Add content to the variable files as follows:

Figure 13.24 – User details inside an Ansible Vault file

Save the file and exit the editor. The userlist variable contains details of multiple users and their passwords.

  3. Verify the file content, as shown in Figure 13.25:
...
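The two exercises above (the cloud_username/cloud_password file and the users.yaml file) both rely on the same discipline: a vars file that holds credentials must be Vault-encrypted, either as a whole file or as inline `!vault` variables. As an added example that is not code from the book or its GitHub repository, here is a small Python check a practitioner can run over a project before committing: it recognises the `$ANSIBLE_VAULT;1.1;AES256` / `$ANSIBLE_VAULT;1.2;AES256;<label>` header that ansible-vault writes, skips values already wrapped with `!vault`, and reports keys with secret-looking names (the name list is an assumption of this example) whose values are still plain text. The sample inputs, including the hex body of the "encrypted" file, are constructed for the demonstration; only the header format is Ansible's.

```python
"""Constructed pre-commit style check: report Ansible variable files that hold
secret-looking keys in plain text instead of behind Ansible Vault."""
import re
import sys
from pathlib import Path
from typing import List, Tuple

# Ansible Vault writes this header as the first line of an encrypted file:
#   $ANSIBLE_VAULT;<format version 1.1 or 1.2>;AES256[;<vault id label>]
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];AES256(?:;[^\s;]+)?\s*$")

# Key names that should never carry a plain-text value in a vars file.
# The name list is an assumption for this example; extend it to suit a project.
SENSITIVE_KEY = re.compile(
    r"^\s*(?P<key>\w*(?:password|passwd|secret|api_key|token|private_key)\w*)\s*:\s*(?P<value>.*)$",
    re.IGNORECASE,
)


def is_vault_file(text: str) -> bool:
    """True when the whole file is Vault-encrypted (header on the first line)."""
    first_line = text.splitlines()[0] if text.strip() else ""
    return bool(VAULT_HEADER.match(first_line))


def plaintext_secrets(text: str) -> List[Tuple[int, str]]:
    """Return (line number, key) for secret-looking keys that are neither inside
    a Vault-encrypted file nor stored as an inline `!vault` encrypted variable."""
    if is_vault_file(text):
        return []  # nothing is readable here without the Vault password
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = SENSITIVE_KEY.match(line)
        if match is None:
            continue
        if match.group("value").strip().startswith("!vault"):
            continue  # output of ansible-vault encrypt_string: already protected
        findings.append((lineno, match.group("key")))
    return findings


def check_files(paths) -> List[str]:
    """Scan vars files on disk and return one readable message per finding."""
    messages = []
    for path in paths:
        text = Path(path).read_text(encoding="utf-8")
        for lineno, key in plaintext_secrets(text):
            messages.append(f"{path}:{lineno}: '{key}' is stored in plain text; "
                            "encrypt the file with ansible-vault or use encrypt_string")
    return messages


# --- constructed sample inputs, not real project files ----------------------
PLAIN_VARS = "cloud_username: myusername\ncloud_password: mysecretpassword\n"

INLINE_VAULT_VARS = (
    "cloud_username: myusername\n"
    "cloud_password: !vault |\n"
    "          $ANSIBLE_VAULT;1.1;AES256\n"
    "          3030303030303030303030303030303030303030303030303030303030303030\n"
)

# The header is Ansible's format; the hex body is filler, not real ciphertext.
ENCRYPTED_FILE = (
    "$ANSIBLE_VAULT;1.2;AES256;dev\n"
    "6233663566656537316463613162653132623635393166303432636361373836\n"
)

if __name__ == "__main__":
    # Usage: python vault_check.py vars/*.yaml  (exit code 1 when something leaks)
    problems = check_files(sys.argv[1:])
    print("\n".join(problems) or "no plain-text secrets found")
    sys.exit(1 if problems else 0)
```

Run it against the vars directory in a pre-commit hook or CI job so that a forgotten `ansible-vault encrypt` fails the build instead of landing in the repository history; the header check is deliberately strict about the version and cipher fields so that a file that merely mentions the string somewhere in a comment is not mistaken for an encrypted one.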

Using Vault credentials in the Ansible Automation Platform

When you run your playbooks from the Web UI of the automation controller, you have similar options for providing the Vault secret. We can either keep the Vault secret inside a Vault credential or select the Prompt on launch option. The latter involves interactive input (like --ask-vault-password in Ansible command-line execution) and will prompt for the Vault secret when you launch the Job Template from the automation controller’s WebUI.

The Ansible automation controller

The Ansible automation controller is the control plane for the Ansible Automation Platform (AAP). When you migrate to AAP 2, the automation controller will be upgraded to include Ansible Tower. Refer to Chapter 12, Integrating Ansible with Your Tools, for more details.

In the following section, we will learn how to create Vault credentials in the Ansible automation controller GUI and attach them to the Job Template...

Summary

In this chapter, we learned the importance of keeping sensitive data secure within Ansible automation artifacts and the different methods available to do so, such as external Vault services, vars_prompt, and Ansible Vault. After this, we learned different operations within Ansible Vault, such as creating, modifying, viewing, decrypting, and rekeying Vault files and variables.

We also developed Ansible artifacts using Vault files for storing user information and database user credentials. We also discussed the Vault credentials in the automation controller GUI and how to use them with Job Templates.

In the next chapter, we will learn about different methodologies and approaches for developing Ansible automation artifacts and factors to consider throughout Ansible automation.

Further reading

To learn more about the topics covered in this chapter, please visit the following links:
