I’ve been talking a lot about HashiCorp Vault lately, but there is also regular old Ansible Vault. Two of my favorite ways to use Ansible Vault are with include_vars and the file lookup plugin. With include_vars, you just need to encrypt the entire variables file:
ansible-vault encrypt roles/jenkins/vars/credentials.yml
Ansible decrypts the file transparently at run time, so the task needs no special decryption step; all you have to supply is the vault password (for example with --ask-vault-pass or --vault-password-file):
- include_vars: "credentials.yml"
Similarly, the file lookup plugin transparently decrypts a vault-encrypted file and returns its plaintext. So, encrypt your certificate:
ansible-vault encrypt roles/project/files/ssl.cert
Use the file lookup plugin to decrypt it on the control node and upload the content:
- copy: content="{{ lookup('file', 'ssl.cert') }}" dest=/project/config/ssl.cert mode=0400
Two caveats. Because the lookup runs on the control node, the decrypted content becomes a module argument, so add no_log: true to the task unless you want it showing up in -vvv or --diff output. And the file lookup strips the trailing newline by default (rstrip), which is harmless for a PEM certificate. Recent versions of the copy module also decrypt a vault-encrypted src: file on their own, so the lookup is only really needed when you want the decrypted content inline in a template or variable.
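Both patterns only help if the file was actually encrypted before it was committed; the usual failure is a credentials.yml or key that someone forgot to run ansible-vault encrypt on. The script below is an added example, not code from the original post: it recognizes encrypted files by the header ansible-vault writes on the first line and is meant to run as a pre-commit hook over the paths you expect to be encrypted. The file names and contents in the demo section are constructed for illustration, not real secrets.

```shell
#!/bin/sh
# Added example (not from the original post): fail when a file that should be
# vault-encrypted is still plaintext. ansible-vault writes the header
# "$ANSIBLE_VAULT;1.1;AES256" (or ";1.2;AES256;<vault-id>" when a vault id is
# used) as the first line of every file it encrypts, so the check is simply
# "does the first line carry that header?".

# is_vault_encrypted FILE
# Returns 0 if FILE starts with an ansible-vault header, 1 otherwise
# (including when FILE does not exist).
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# check_vault_files FILE...
# Prints every file that is NOT encrypted to stderr; returns 0 only when all
# given files are encrypted, so the exit code can abort a commit.
check_vault_files() {
    rc=0
    for f in "$@"; do
        if ! is_vault_encrypted "$f"; then
            printf 'NOT ENCRYPTED: %s\n' "$f" >&2
            rc=1
        fi
    done
    return $rc
}

# --- constructed demo input (fabricated files, not real secrets) ---
DEMO_DIR=$(mktemp -d)

# Shaped like the output of "ansible-vault encrypt": header plus hex body.
# The hex below is made up; it is not a decryptable vault payload.
cat > "$DEMO_DIR/credentials.yml" <<'EOF'
$ANSIBLE_VAULT;1.1;AES256
63383433353139653937386433306362313930653133366561623265303938326433643634383438
EOF

# Same shape with a vault id, as produced by "ansible-vault encrypt --vault-id dev@prompt".
cat > "$DEMO_DIR/ssl.cert" <<'EOF'
$ANSIBLE_VAULT;1.2;AES256;dev
38363862656363363936633230656530653337663832303434323630326631376633386130616666
EOF

# Someone forgot to run ansible-vault encrypt on this one.
cat > "$DEMO_DIR/plain.yml" <<'EOF'
jenkins_admin_password: hunter2
EOF

if check_vault_files "$DEMO_DIR/credentials.yml" "$DEMO_DIR/ssl.cert" "$DEMO_DIR/plain.yml"; then
    echo "all files are vault-encrypted"
else
    echo "refusing: at least one file is plaintext" >&2
fi
```

To use it as a hook, feed check_vault_files the staged paths you expect to be encrypted (for example the output of git diff --cached --name-only -- 'roles/*/vars/credentials.yml') and let the non-zero exit abort the commit. It only inspects the header, so it tells you a file was encrypted by ansible-vault, not that it was encrypted with the password or vault id your playbook will be run with.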