Ansible Vault.
Playbooks belong in git; passwords don't. Ansible Vault encrypts secrets with AES256 so the ciphertext is safe to commit, then decrypts them in memory the moment a play runs. Watch a secrets file flip between plaintext and an encrypted blob, and learn to run a playbook with the vault password supplied.
Ansible Vault animated tutorial. Encrypting and editing secrets files with ansible-vault create, encrypt, edit, view, decrypt, and rekey; running playbooks with the vault password via --ask-vault-pass, --vault-password-file, and --vault-id; encrypt_string for a single inline secret; the $ANSIBLE_VAULT;1.1;AES256 header; the group_vars/all/vault.yml convention; and password file hygiene with chmod 600. RHCE EX294 ready. Passwords and tokens can't live in plaintext YAML if your playbooks are in git. Watch a secrets file flip between readable plaintext and an AES256 vault blob, then get decrypted in memory the moment a play runs.
- Comfortable writing and running Ansible playbooks
- Know what a vars file / group_vars looks like
- Basic git + file permissions (chmod 600)
Encrypt and edit vault files, run playbooks that supply the vault password, encrypt a single value with encrypt_string, and lay out vaults with vault-id and good password hygiene.
pace: 8 minutes
Why Vault: secrets don't belong in plaintext
Playbooks live in git, but passwords, tokens, and keys must not sit there in the clear. Ansible Vault encrypts files (or single values) with a password, using AES256, so the ciphertext is safe to commit. The file stays a valid vars file: only the readable secret is replaced by an opaque vault blob. Encrypt a brand-new file with `create`, or wrap an existing one with `encrypt`.
```shell
$ ansible-vault create secrets.yml
$ ansible-vault encrypt existing.yml
$ head -1 secrets.yml
```
Vault lets you commit secrets to git safely: the file stays a valid vars file, but the sensitive value is an AES256 blob until a password unlocks it at runtime. Encrypt a whole file with `create`/`encrypt`, or just one value with `encrypt_string`; either way Ansible decrypts transparently when you supply the password.
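A pre-commit style guard for the conventions this lesson teaches (whole-file vaults start with the `$ANSIBLE_VAULT;1.1;AES256` header, `group_vars/*/vault.yml` holds the secrets, plain vars files only reference `vault_*` variables or carry `!vault` values from `encrypt_string`, and the password file is `chmod 600`). This is an added example, not code from the tutorial or from Ansible itself; the sample repository tree, the secret key names it looks for, and the `vault.yml` / `vault_*` file-naming rule are assumptions.

```python
import os, re, stat, tempfile
from pathlib import Path

VAULT_HEADER = "$ANSIBLE_VAULT;1.1;AES256"
# Which key names count as secrets is an assumption, not an Ansible rule.
SECRET_KEY = re.compile(r"^\s*\w*(password|passwd|secret|token|api_key)\w*\s*:\s*(\S.*)$", re.I)
JINJA_REF = re.compile(r"""^["']?\{\{.*\}\}["']?$""")

def is_vaulted(text):
    """Whole-file encryption: the first line must be the ansible-vault header."""
    return text.lstrip().split("\n", 1)[0].strip() == VAULT_HEADER

def plaintext_secret_lines(text):
    """Line numbers that set a secret-looking key to a literal value.
    '!vault |' (encrypt_string) values and '{{ vault_* }}' references are allowed."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = SECRET_KEY.match(line)
        if m and not m.group(2).startswith("!vault") and not JINJA_REF.match(m.group(2).strip()):
            hits.append(n)
    return hits

def audit(repo, password_file=None):
    """Findings for every *.yml under repo, plus the vault password file's mode."""
    findings = []
    for path in sorted(Path(repo).rglob("*.yml")):
        rel, text = path.relative_to(repo).as_posix(), path.read_text()
        if path.name == "vault.yml" or path.name.startswith("vault_"):   # assumed naming rule
            if not is_vaulted(text):
                findings.append(f"{rel}: vault file is not encrypted (no {VAULT_HEADER} header)")
        else:
            findings += [f"{rel}:{n}: plaintext secret outside a vault file" for n in plaintext_secret_lines(text)]
    if password_file is not None:
        mode = stat.S_IMODE(os.stat(password_file).st_mode)
        if mode != 0o600:
            findings.append(f"{password_file}: mode {oct(mode)}, expected 0o600 (chmod 600)")
    return findings

def demo():
    """Constructed sample repo: one good vars/vault pair, one unencrypted vault, one leak."""
    root = Path(tempfile.mkdtemp())
    files = {
        "group_vars/all/vars.yml": 'db_user: app\ndb_password: "{{ vault_db_password }}"\n',
        "group_vars/all/vault.yml": VAULT_HEADER + "\n3961626364\n",   # fake ciphertext body
        "group_vars/web/vault.yml": "vault_api_token: plaintext-oops\n",
        "host_vars/db1.yml": "api_key: !vault |\n  " + VAULT_HEADER + "\n  3961\nroot_password: hunter2\n",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    pw = root / ".vault_pass"
    pw.write_text("constructed-password\n")
    pw.chmod(0o644)   # deliberately too open, so the mode check fires
    return audit(root, pw)   # three findings: unencrypted vault, leaked root_password, bad mode
```

Run `demo()` to see the three findings; wire `audit(".", "~/.vault_pass")` into a pre-commit hook to block the same mistakes before they reach git.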
```shell
$ ansible-vault create FILE
$ ansible-vault encrypt FILE
$ ansible-vault decrypt FILE
$ ansible-vault view FILE
$ ansible-vault edit FILE
$ ansible-vault rekey FILE
$ ansible-vault encrypt_string 'val' --name 'k'
$ ansible-playbook --ask-vault-pass
$ ansible-playbook --vault-password-file FILE
$ ansible-playbook --vault-id label@source
$ chmod 600 ~/.vault_pass
```
Reference the vaulted file from a play with `vars_files: [secrets.yml]`, or place it at `group_vars/all/vault.yml`; an encrypted file begins with the header `$ANSIBLE_VAULT;1.1;AES256`.
What does Ansible Vault protect, and how?
You need to run a playbook whose vars_files includes a vaulted file. What must you provide?
You want ONE encrypted value inside an otherwise-readable vars file. Which command?
What's the difference between `ansible-vault view` and `ansible-vault decrypt`?
These aren't graded; they're just for active recall, which is what actually makes the lesson stick.