When using ansible, alot of the time you would be deploying playbooks over ssh, if not that locally, but in this post we will talk about different ways to secure your credentials & ssh access. These boil down to three main approaches:
Assuming you are using password authentication (less preferable that public-private key authentication), you would need to set ansible_password, or/and ansible_become_password, the first method involves using ansible vault, the preferable method of securing ssh access credentials, in the first way, we will configure a file called secrets.yaml:
ansible_user: myuser
ansible_password: mysecurepassword
ansible_become_password: myrootpasswordYou then should encrypt secrets.yaml, using:
ansible-vault encrypt secrets.yml
Then reference them in your inventory.yaml:
all:
hosts:
myserver:
ansible_host: <ip of host>
ansible_user: "{{ ansible_user }}"
ansible_password: "{{ ansible_password }}"
ansible_become_password: "{{ ansible_become_password }}"Or you could skip that step and just encrypt your inventory.yaml directly. Now to run ansible with vault, simply run:
ansible-playbook playbook.yml --ask-vault-passOr if you need to specify a inventory file, do so like this:
ansible-playbook -i inventory.yml create_user.yml --ask-vault-passThis will ask you for the password you used to encrypt your playbook, enter it for it to be decrypted while running it.
Non-vault
In a non-ansible vault, which I do not recommend using, you can just skip the encryption, and just run the playbook with the inventory file, without encryption, with plaintext passwords and everything exposed.
Environment variables
This one is pretty niche, and still less secure than the vault unless you are setting environment varibles right as your running the playbook only for that command, but here is a example:
export ANSIBLE_USER=myuser
export ANSIBLE_PASSWORD=mysecurepassword
export ANSIBLE_BECOME_PASSWORD=myrootpassword^ this sets some example variables which will be used by inventory
all:
hosts:
myserver:
ansible_user: "{{ lookup('env', 'ANSIBLE_USER') }}"
ansible_password: "{{ lookup('env', 'ANSIBLE_PASSWORD') }}"
ansible_become_password: "{{ lookup('env', 'ANSIBLE_BECOME_PASSWORD') }}"^ this is how you would reference them.
Finally if you want to use a private key file, you wont have much need for encrypting such a playbook, but ensure that you secure your private key file wherever you store it and use this varible: ansible_ssh_private_key_file, for setting the dir location.
Here is a comparison of the various methods and pros and cons:
| Method | Security Level | Ease of Use | Best Use Case |
|---|
| Ansible Vault | 🔒🔒🔒 High | Medium | Secure storage of credentials |
| Plaintext vars | 🚨 Low | Easy | Testing or non-sensitive data |
| Environment vars | 🔒 Medium | Medium | Temporary security improvement |
| SSH Key Auth | 🔒🔒🔒 High | Easy | Best for passwordless SSH |