Welcome back to “Back to the cloud” — your no-fluff guide to mastering DevOps, Cloud, and AI workflows, one skill at a time.
Last week we covered:
➡ Ansible Roles — Why and How to Use Them for Clean, Reusable Playbooks.
Missed it? Read it here.
🚨 Problem:
Hardcoding passwords in your playbooks is like taping your house key to the front door.
Plain text variables like this are risky:
vars:
  db_password: supersecret123
Anyone with access to your repo or logs can read it.
💡 Solution: Ansible Vault
Ansible Vault allows you to encrypt:
Variables
Files
Entire playbooks
…so your secrets stay safe — even in version control.
💻 How to Create an Encrypted File
1️⃣ Run this command:
ansible-vault create secrets.yml
2️⃣ Enter your secure variables:
db_password: supersecret123
api_key: ABCD-1234-EFGH
3️⃣ Save and exit.
This file is now encrypted!
🔓 How to View or Edit Encrypted Files
View:
ansible-vault view secrets.yml
Edit:
ansible-vault edit secrets.yml
Re-key:
ansible-vault rekey secrets.yml
🚀 Using Vault Secrets in Playbooks
Reference the encrypted file like any normal vars file:
---
- name: Deploy App
  hosts: webservers
  vars_files:
    - secrets.yml
  tasks:
    # Demo only: this prints the secret to the console and to any logs.
    # Real tasks that handle secrets should set no_log: true.
    - name: Print DB password
      debug:
        msg: "Password is {{ db_password }}"
Then run your playbook with:
ansible-playbook deploy.yml --ask-vault-pass
Or skip the prompt by supplying the vault password through an environment variable or a vault password file.
🏆 Pro Tip:
Always encrypt sensitive data before committing to Git —
Vault makes this safe and easy.
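To enforce that tip before a commit, here is an added example (not from the original article) that flags secret-looking YAML keys still holding plaintext and accepts files that start with the ansible-vault header. The script name check_vault.py, the keyword list, and the sample strings are assumptions made for illustration.

```python
import re
import sys

# First line ansible-vault writes to an encrypted file, e.g.
# "$ANSIBLE_VAULT;1.1;AES256" (format 1.2 appends a vault ID label).
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;\d+\.\d+;AES256(;\S+)?$")
# Assumption: variable names containing these words hold secrets.
SECRET_KEY = re.compile(
    r"^\s*(?:-\s*)?([\w.-]*(?:password|passwd|secret|api_key|token)[\w.-]*)\s*:\s*(.*)$",
    re.IGNORECASE,
)

def is_vault_encrypted(text):
    """True when the whole file is an ansible-vault payload."""
    lines = text.splitlines()
    return bool(lines) and VAULT_HEADER.match(lines[0].strip()) is not None

def find_plaintext_secrets(text):
    """Return (line_number, key) for secret-looking keys holding plaintext."""
    if is_vault_encrypted(text):
        return []
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = SECRET_KEY.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip()
        # Ignore parent keys with no value, inline-vaulted values
        # ("!vault |") and Jinja references to another variable.
        if not value or value.startswith("!vault") or "{{" in value[:3]:
            continue
        findings.append((number, key))
    return findings

# Constructed samples: the article's plaintext vars, and a vaulted file
# whose ciphertext body is a placeholder.
PLAINTEXT = "vars:\n  db_password: supersecret123\n  api_key: ABCD-1234-EFGH\n  app_port: 8080\n"
VAULTED = "$ANSIBLE_VAULT;1.1;AES256\n<ciphertext placeholder>\n"

if __name__ == "__main__":
    # Usage as a pre-commit check: python check_vault.py FILE [FILE ...]
    failed = False
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as handle:
            for number, key in find_plaintext_secrets(handle.read()):
                print(f"{path}:{number}: plaintext value for '{key}'")
                failed = True
    sys.exit(1 if failed else 0)
```

The script exits non-zero when it finds a plaintext secret, so a Git pre-commit hook can call it on staged YAML files and block the commit.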
🎯 When to Use Vault?
| Scenario | Use Vault? |
|---|---|
| Passwords or API Keys | ✅ Yes |
| Infrastructure Config (no secrets) | ❌ No |
| Cloud Credentials | ✅ Yes |
| Plaintext SSH Private Keys | ✅ Yes |
🔥 Next Week:
“How to Write Idempotent Ansible Tasks — Avoiding Common Mistakes.”
Learn how to write tasks that only change things when necessary.
💬 Question for You:
What’s your biggest challenge in handling secrets securely?
Reply and let me know — I might include your question in an upcoming guide!
