Storing Passwords with Ansible Vault

In this lesson, we're going to update our Ansible configuration to handle scenarios where managed nodes have different become passwords. We'll change the become password for one of our nodes, update the ansible.cfg file, create an Ansible Vault to securely store these passwords, modify the inventory to use these stored passwords, and adjust a playbook to reflect these changes.

By the end of this lesson, you'll understand how to manage different become passwords across multiple nodes securely, as well as how to specify different become passwords for each host you manage.

Understanding Ansible Vaults for Secure User Management

Ansible Vaults are essential for securely handling sensitive information in your Ansible projects. They provide a way to encrypt data like passwords or keys, ensuring that such critical information is not exposed in your playbooks or stored in plain text.

Ansible-Vault Commands

If you execute the ansible-vault --help command, you'll see this utility offers several options for managing your encrypted data:

Each command serves a specific purpose, providing flexibility and security in managing sensitive data. In this lesson, we are going to use create to make our Ansible Vault.

Update Password for managed-node-2

First, we need to create a scenario where not all the become passwords are the same. Right now, your lab environment should be using the same password (password123) for your user account on every node. SSH into managed-node-2 and change its password to 'password12'. This simulates an environment where --ask-become-pass is not viable because the hosts have different passwords.

SSH into managed-node-2

ssh managed-node-2

Enter the command below to update the user's password:


Enter 'password12' as the new password, confirm it, then exit the SSH session with the exit command to return to the Ansible Controller.

Update ansible.cfg

Back at the Ansible Controller, update the ansible.cfg file so that Ansible prompts for the vault password: set ask_vault_pass under the [defaults] header and comment out the old become_ask_pass line. This way, you don't need to pass --ask-vault-pass every time you run a playbook.

Remember, we created an ansible.cfg.example file where we can see every configuration option available for our current version of Ansible.

Update your ansible.cfg file as follows:

[defaults]
inventory = ~/inventory
ask_vault_pass = True

#become_ask_pass = True

Create an Ansible Vault

Create an Ansible Vault named secret.yml to store your become passwords securely. This allows you to have unique become passwords for each node.

Run the following command:

ansible-vault create secret.yml

When prompted, enter our lab password to avoid confusion: password123. The file opens in the vim editor: press 'i' to enter insert mode, add the content below, then press Esc to leave insert mode and type ':wq' followed by Enter to save and close the editor.

  managed_node_1: 'password123'
  managed_node_2: 'password12'
  ansible_controller: 'password123'

After you close the editor, you can cat the file, but you'll see the encrypted data instead of the clear-text passwords:

paulh@ansible-controller:~$ cat secret.yml

If you want to inspect the file, you can use the view or edit commands:

paulh@ansible-controller:~$ ansible-vault view secret.yml
Vault password:
  managed_node_1: 'password123'
  managed_node_2: 'password12'
  ansible_controller: 'password123'

Update the Inventory File

Now that we have created our Ansible Vault, we need to modify our inventory so that each managed node references the variables stored in the vault. Let's open our inventory file:

nano ~/inventory

Update your inventory file so that each host references its secret password through the ansible_become_pass directive:
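The example below is added here and is not code from the Server Academy lesson. It writes out the pieces the lesson describes (an inventory whose ansible_become_pass values are Jinja2 references to the vault variables, and a playbook that loads secret.yml with vars_files so those references resolve at run time), and adds the check a practitioner wants before committing: that secret.yml carries the ansible-vault envelope header and that no literal become password has leaked into an unencrypted file. The group name 'lab', the playbook contents and the hostnames are assumptions modelled on the lesson's lab; the vault ciphertext is a constructed stand-in that only reproduces the real header format.

```python
"""Added example (not from the lesson): build the inventory/playbook fragments
that reference vault variables, and audit that become passwords never appear
outside the vault-encrypted secret.yml."""

# Inventory host -> variable name inside secret.yml (hostnames assumed from the
# lesson's lab; the variable names are the ones the lesson puts in the vault).
HOSTS = {
    "managed-node-1": "managed_node_1",
    "managed-node-2": "managed_node_2",
    "ansible-controller": "ansible_controller",
}

# Every file produced by `ansible-vault create` starts with this envelope line.
VAULT_HEADER = "$ANSIBLE_VAULT;1.1;AES256"

# Constructed stand-in for `cat secret.yml`: real header, fake hex payload.
FAKE_VAULT = VAULT_HEADER + "\n31623838303131326334623439663664\n"

# The lab's become passwords, used only to scan for accidental plaintext copies.
SECRETS = ["password123", "password12"]


def build_inventory(hosts: dict) -> str:
    """INI inventory: ansible_become_pass is a Jinja2 reference to a vault
    variable, never a literal password. Ansible resolves it lazily at task
    time, after the playbook's vars_files have loaded the vault."""
    lines = ["[lab]"]  # group name is an assumption
    for host, var in hosts.items():
        lines.append(f'{host} ansible_become_pass="{{{{ {var} }}}}"')
    return "\n".join(lines) + "\n"


def build_playbook(vault_file: str = "secret.yml") -> str:
    """Playbook that loads the vault so inventory references resolve. With
    ask_vault_pass = True in ansible.cfg, Ansible prompts for the vault
    password instead of the become password."""
    return (
        "- hosts: all\n"
        "  become: true\n"
        "  vars_files:\n"
        f"    - {vault_file}\n"
        "  tasks:\n"
        "    - name: Confirm privilege escalation works\n"
        "      command: id -u\n"
    )


def is_vault_encrypted(content: str) -> bool:
    """True when the file begins with the ansible-vault header."""
    return content.startswith(VAULT_HEADER)


def find_plaintext_leaks(files: dict, secrets: list) -> list:
    """Return (filename, secret) pairs where a literal become password appears
    in a file that is not vault-encrypted."""
    leaks = []
    for name, content in files.items():
        if is_vault_encrypted(content):
            continue  # ciphertext: the password is not readable here
        for secret in secrets:
            if secret in content:
                leaks.append((name, secret))
    return leaks


def audit_project(files: dict, secrets: list) -> dict:
    """Summarise the project: which files are encrypted and any leaks found."""
    return {
        "encrypted": sorted(n for n, c in files.items() if is_vault_encrypted(c)),
        "leaks": find_plaintext_leaks(files, secrets),
    }


if __name__ == "__main__":
    project = {
        "inventory": build_inventory(HOSTS),
        "site.yml": build_playbook(),
        "secret.yml": FAKE_VAULT,
    }
    print(project["inventory"])
    print(project["site.yml"])
    print(audit_project(project, SECRETS))
```

Run it as a script to print the generated inventory and playbook and the audit result; point `audit_project` at your real project files to confirm that only secret.yml is vault-encrypted and that no password slipped into the inventory or a playbook in clear text.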
