Ansible is a framework that helps with automating deployments, among other things. It has a feature called Ansible Vault that enables you to encrypt secrets in your ansible files. These vault encrypted secrets can only be decrypted if you provide the correct password. This means you can store things like database passwords and other sensitive settings in your repository, in a secure manner. For password access to your secrets, you are given 3 options:
- Ansible asks you to enter a password every time the secrets are needed
- You provide a file that has the password in it
- You leave everything decrypted until you’re ready to commit your changes, then you encrypt them using option 1 or 2 (and later decrypt when you want to make changes).
Entering a password all the time gets annoying real quick, but having a password file laying around does not seem all that secure. Plus it’s hard to share securely if you’re collaborating with others. Option 3 requires you to not make a mistake and accidentally commit decrypted secrets. What if there was a better way?
Lastpass is a great place to store your passwords, and generate secure ones, but it is annoying to lookup, copy, then paste the password back in ansible, and you need to add
—ask-vault-pass to every ansible command. However, Lastpass has a neat command line utility that you can use to get a password saved in Lastpass. With some minor scripting, you can integrate this with the ansible password file, so that you don’t have a plaintext password file laying around. I learned a lot about how to do this from How to use Ansible Vault with LastPass but decided that simple scripting worked better for me than install a ruby gem.
- Install lastpass-cli
- Create a bash script we’ll call
lpass_vault.sh. This must be located wherever you run
ansiblefrom, and be executable
- Create an entry in your Lastpass account with the Name
"ansible vault". This is what is referenced in the script above.
- Add the following to environment. You could add it to the bottom of
bin/activateif you’re using python virtualenv:
- Then run
lpass loginto ensure lastpass is setup
- Now you can run
ansiblewith vault encrypted secrets, and at worst you’ll be prompted for your lastpass master password.
PASSWORD=`lpass show --password "ansible vault"`
export ANSIBLE_VAULT_PASSWORD_FILE=`command -v ./lpass_vault.sh`
This isn’t only more convenient for an individual, it can also be great for teams: you can check vault encrypted secrets into a shared repository, then share the password in Lastpass. Now nothing is exposed in the repository, and the only people that can access the secrets are those with the Lasspass password.