
🔐 Ansible Vault — How to Secure Secrets in Your Playbooks

Welcome back to “Back to the cloud” — your no-fluff guide to mastering DevOps, Cloud, and AI workflows, one skill at a time.

Last week we covered:
➡ Ansible Roles — Why and How to Use Them for Clean, Reusable Playbooks.
Missed it? Read it here.

🚨 Problem:

Hardcoding passwords in your playbooks is like taping your house key to the front door.

Plain text variables like this are risky:

vars:
  db_password: supersecret123

Anyone with access to your repo or logs can read it.

💡 Solution: Ansible Vault

Ansible Vault allows you to encrypt:

  • Variables

  • Files

  • Entire playbooks

…so your secrets stay safe — even in version control.

💻 How to Create an Encrypted File

1️⃣ Run this command:

ansible-vault create secrets.yml

2️⃣ Enter your secure variables:

db_password: supersecret123
api_key: ABCD-1234-EFGH

3️⃣ Save and exit.
This file is now encrypted!

🔓 How to View or Edit Encrypted Files

  • View:

ansible-vault view secrets.yml

  • Edit:

ansible-vault edit secrets.yml

  • Re-key:

ansible-vault rekey secrets.yml

🚀 Using Vault Secrets in Playbooks

Reference the encrypted file like any normal vars file:

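---
- name: Deploy App
  hosts: webservers
  vars_files:
    - secrets.yml   # decrypted in memory at run time
  tasks:
    # Demo only: this prints the decrypted secret to the console and any logs.
    - name: Print DB password
      debug:
        msg: "Password is {{ db_password }}"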

Then run your playbook with:

ansible-playbook deploy.yml --ask-vault-pass

Or skip the interactive prompt by supplying the vault password through an environment variable or a vault password file.

🏆 Pro Tip:

Always encrypt sensitive data before committing to Git —
Vault makes this safe and easy.
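
A check to back up that tip, added here as an example (it is not part of the original post): it fails when a file that should be vault-encrypted is still plaintext, relying on the $ANSIBLE_VAULT; header that ansible-vault writes as the first line of an encrypted file. The secrets*/vault* naming convention and the function names are assumptions.

```shell
#!/bin/sh
# Added example: refuse plaintext files where vault-encrypted ones are expected.

# is_vault_encrypted FILE -> 0 if the first line starts with the vault header
is_vault_encrypted() {
    first_line=''
    IFS= read -r first_line < "$1" || :   # tolerate a missing final newline
    case "$first_line" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Assumption: secret files are named secrets*.yml/.yaml or vault*.yml/.yaml.
must_be_encrypted() {
    case "${1##*/}" in
        secrets*.yml|secrets*.yaml|vault*.yml|vault*.yaml) return 0 ;;
        *) return 1 ;;
    esac
}

# check_secret_files FILE... -> prints each plaintext offender, returns 1 if any
check_secret_files() {
    rc=0
    for f in "$@"; do
        must_be_encrypted "$f" || continue   # ordinary config: not our concern
        [ -f "$f" ] || continue              # path no longer exists
        if ! is_vault_encrypted "$f"; then
            echo "PLAINTEXT: $f"
            rc=1
        fi
    done
    return "$rc"
}

# Run directly with paths as arguments, e.g. from a Git pre-commit hook or CI:
#   sh check_vault.sh group_vars/prod/secrets.yml
if [ "$#" -gt 0 ]; then
    check_secret_files "$@" || exit 1
fi
```

The check reads the working-tree copy of each file, and it covers whole-file encryption only, not single variables encrypted inline inside an otherwise plaintext file.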

🎯 When to Use Vault?

Scenario                              Use Vault?
Passwords or API Keys                 ✅ Yes
Infrastructure Config (no secrets)    ❌ No
Cloud Credentials                     ✅ Yes
Plaintext SSH Private Keys            ✅ Yes

🔥 Next Week:

“How to Write Idempotent Ansible Tasks — Avoiding Common Mistakes.”
Learn how to write tasks that only change things when necessary.

💬 Question for You:

What’s your biggest challenge in handling secrets securely?
Reply and let me know — I might include your question in an upcoming guide!