Managing Secrets using Ansible Vault

Many application setups and server configurations need secrets such as keys and passwords. Ansible roles and playbooks are typically kept in version control, but a repository is readable by far more people and systems than should ever see those secrets, so committing them in plaintext is not an option.

Ansible provides a built-in mechanism, ansible-vault, for encrypting files that hold sensitive data, typically YAML variable files. For example, we can keep the passwords in a variables file and encrypt that whole file:

mysql_password: top_secret

To encrypt the file above, run the ansible-vault command line tool. It prompts for a vault password (twice, to confirm) and rewrites the file in place:

ansible-vault encrypt secret.yml
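The command above is the interactive workflow. As an added example that is not from the original article, the following POSIX shell script shows how a practitioner would guard the repository against the problem described at the start: a check, usable as a pre-commit hook or CI step, that recognises the ansible-vault header and refuses plaintext variable files, plus a non-interactive encrypt step using the --vault-password-file option. The file names, the password-file path and the sample file contents are constructed assumptions for the demo.

```shell
#!/bin/sh
# Added example, not part of the original article: a pre-commit style guard
# that refuses to let a variables file into version control unless it has
# been encrypted with ansible-vault. File names and the password-file path
# are assumptions for the demo.

# Succeeds (exit 0) only if the first line is an ansible-vault header.
# Format 1.1 is what `ansible-vault encrypt` writes by default; 1.2 is the
# same format with a vault-id label appended (e.g. ;1.2;AES256;prod).
is_vaulted() {
    head -n 1 "$1" 2>/dev/null | grep -Eq '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# Check every file given; report plaintext ones on stderr and return 1 if
# any were found, so the caller (pre-commit hook, CI job) can abort.
check_vaulted() {
    rc=0
    for f in "$@"; do
        if ! is_vaulted "$f"; then
            echo "refusing to commit plaintext secrets file: $f" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Encrypt a file in place, non-interactively, unless it already is.
# --vault-password-file is a real ansible-vault option; the default path
# below is assumed, and that file must itself stay out of version control.
encrypt_if_plain() {
    is_vaulted "$1" && return 0
    ansible-vault encrypt \
        --vault-password-file "${VAULT_PASS_FILE:-$HOME/.vault_pass.txt}" "$1"
}

# --- demo with constructed files -------------------------------------------
demo_dir=$(mktemp -d)
# plaintext vars file, as in the article
printf 'mysql_password: top_secret\n' > "$demo_dir/secret.yml"
# constructed stand-in for an already-encrypted file: real header, dummy body
printf '$ANSIBLE_VAULT;1.1;AES256\n3331\n' > "$demo_dir/vaulted.yml"

check_vaulted "$demo_dir/vaulted.yml" && echo "vaulted.yml: ok"
check_vaulted "$demo_dir/secret.yml" || echo "secret.yml: would be rejected"

# Only attempt the real encryption when ansible and a password file exist.
if command -v ansible-vault >/dev/null 2>&1 \
   && [ -r "${VAULT_PASS_FILE:-$HOME/.vault_pass.txt}" ]; then
    encrypt_if_plain "$demo_dir/secret.yml" && head -n 1 "$demo_dir/secret.yml"
fi
rm -rf "$demo_dir"
```

The header check is deliberately narrow: it only accepts the two vault header versions and the AES256 cipher, so a file that was decrypted for editing and forgotten (ansible-vault decrypt leaves plaintext behind) is caught before it reaches the remote. The password file used for the non-interactive step should be protected like any other credential (mode 0600, outside the repository).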

An encrypted file would look like this:

$ cat secret.yml