Managing Secrets in Ansible with Vault
This content originally appeared on DEV Community and was authored by Athreya aka Maneshwar

Hello, I’m Maneshwar. I’m building LiveReview, a private AI code review tool that runs on your LLM key (OpenAI, Gemini, etc.) with highly competitive pricing — built for small teams. Do check it out and give it a try!

When working with infrastructure automation using Ansible, you often need to handle sensitive information like database passwords, API keys, or SSH keys.

Storing these in plain text is risky and not recommended.

That’s where Ansible Vault comes in — it lets you encrypt your secrets safely.

What is Ansible Vault?

Ansible Vault is a feature that allows you to encrypt and decrypt files, variables, or strings. This ensures your secrets are protected even if your code is stored in version control like Git.

1. Creating a Vault File

To store secrets in a separate file:

ansible-vault create secret.yml

You’ll be prompted to set a password. After that, an editor opens where you can add your secrets in YAML format:

db_password: supersecret123
api_key: abcdef123456

2. Editing an Existing Vault

To update or add new secrets:

ansible-vault edit secret.yml

You’ll need the vault password to open the file.

3. Using Vault Variables in a Playbook

You can include vault files like any other variable file:

- hosts: all
  vars_files:
    - secret.yml
  tasks:
    - name: Show DB password
      debug:
        msg: "The DB password is {{ db_password }}"

4. Running Playbooks with Vault

When running playbooks that use vault files, you must provide the vault password:

ansible-playbook playbook.yml --ask-vault-pass

Or you can use a password file:

ansible-playbook playbook.yml --vault-password-file /path/to/password_file

5. Encrypting Individual Variables

Sometimes you want to encrypt a single variable inline:

ansible-vault encrypt_string 'supersecret123' --name 'db_password'

This outputs an encrypted block that you can paste directly into your playbook or variable file. Note that a secret passed as a command-line argument like this ends up in your shell history; ansible-vault encrypt_string --stdin-name 'db_password' reads the value from standard input instead.

db_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          61346362613364333462346262346163...

Best Practices

  • Keep your vault password secure and separate from code.
  • Use separate vault files for different environments (dev, staging, production).
  • Avoid committing unencrypted secrets to version control.
  • For automation, use a vault password file with restricted access.
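The last two practices can be enforced mechanically. The script below is an added example (not from the original post) of a pre-commit style check: it assumes vault-managed files are named secret*.yml or *vault*.yml, relies on the fact that Ansible Vault writes a "$ANSIBLE_VAULT;<version>;<cipher>" header on the first line of every encrypted file, and treats a vault password file as safe only when it is readable by its owner alone. The sample repository it builds in a temporary directory (the hex ciphertext body included) is constructed for the demonstration.

```shell
#!/usr/bin/env sh
# Added example: refuse to commit vault files that are still plaintext and
# confirm the vault password file is not world-readable. Assumed naming
# convention: secret*.yml and *vault*.yml hold secrets.

# Return 0 if the file starts with an Ansible Vault header, 1 otherwise.
# Matches both "$ANSIBLE_VAULT;1.1;AES256" and the vault-id form
# "$ANSIBLE_VAULT;1.2;AES256;<id>".
is_vault_encrypted() {
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;[0-9.]*;AES256'
}

# Return 0 if the vault password file exists and only its owner can read it
# (group and other permission bits all cleared, i.e. mode 600 or 400).
password_file_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Walk a directory tree, report every secret-looking file that lacks the
# vault header on stderr, and return 1 if any were found.
check_vault_files() {
    offenders=$(find "$1" -type f \( -name 'secret*.yml' -o -name '*vault*.yml' \) |
        while IFS= read -r f; do
            is_vault_encrypted "$f" || printf 'UNENCRYPTED: %s\n' "$f"
        done)
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders" >&2
    return 1
}

# Build a constructed sample repository and print its path:
#   group_vars/prod/vault.yml  - carries a vault header (ciphertext is a
#                                constructed placeholder, not real output)
#   group_vars/dev/secret.yml  - plaintext, i.e. the mistake to catch
#   .vault_pass                - password file restricted to the owner
make_sample_repo() {
    repo=$(mktemp -d)
    mkdir -p "$repo/group_vars/prod" "$repo/group_vars/dev"
    cat > "$repo/group_vars/prod/vault.yml" <<'EOF'
$ANSIBLE_VAULT;1.1;AES256
30303030303030303030303030303030303030303030303030303030303030303030303030303030
EOF
    cat > "$repo/group_vars/dev/secret.yml" <<'EOF'
db_password: supersecret123
EOF
    printf 'constructed-vault-password\n' > "$repo/.vault_pass"
    chmod 600 "$repo/.vault_pass"
    printf '%s\n' "$repo"
}

# Stand-alone run: expected to report group_vars/dev/secret.yml as unencrypted.
if [ "${0##*/}" != "sh" ] && [ "$1" = "--demo" ]; then
    repo=$(make_sample_repo)
    check_vault_files "$repo" || echo "commit would be blocked"
    password_file_is_private "$repo/.vault_pass" && echo "password file is private"
    rm -rf "$repo"
fi
```

To use this as a real gate, call check_vault_files on the repository root from .git/hooks/pre-commit (or a CI job) and add the password file to .gitignore so it is never tracked in the first place. The header check only proves a file was encrypted by Ansible Vault; it says nothing about the strength of the password behind it, so a strong, randomly generated vault password is still required.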

Conclusion

Ansible Vault is a simple but powerful way to manage sensitive information in your automation workflows.

By encrypting secrets, you can safely store them alongside your playbooks without compromising security.

LiveReview helps you get great feedback on your PR/MR in a few minutes.

Saves hours on every PR by giving fast, automated first-pass reviews.

If you’re tired of waiting for your peer to review your code or are not confident that they’ll provide valid feedback, here’s LiveReview for you.