Mixing encrypted data with plain YAML

Before the release of Ansible 2.3, secure data had to be encrypted in a separate file. For the reasons we discussed earlier, it is desirable to encrypt as little data as possible. This is now possible through the encrypt_string subcommand of ansible-vault, which produces an encrypted string that can be placed directly into an Ansible YAML file. It also avoids the need for too many individual files as part of a playbook. Let's start with the following basic playbook as an example:

---
- name: inline secret variable demonstration
  hosts: localhost
  gather_facts: false

  vars:
    my_secret: secure_password

  tasks:
    - name: print the secure variable
      debug:
        var: my_secret

When we run the preceding code, it should work as shown in the following screenshot:

Now, obviously, it is not clever to leave a secure password in plain text like this. So, rather than leave it like this, we will encrypt it using the encrypt_string subcommand of ansible-vault, as follows:

So, if we wanted to create an encrypted block of text for our variable called my_secret, whose value is the string secure_password, using the test Vault ID and the password.sh script we created earlier for the password, we would run the following:

We can now copy and paste that output into our playbook, ensuring our variable is no longer human-readable, as shown in the following screenshot:

However, when we run the preceding playbook while specifying the appropriate --vault-id, the information can be accessed just as any other Vault data can, as shown in the following screenshot:

Note that the playbook runs exactly as it did the first time we tested it, when all the data was open for the world to see. Now, however, we have successfully mixed our encrypted data with an otherwise unencrypted YAML playbook. Next, we will delve deeper into some of the operational aspects of running playbooks in conjunction with Ansible Vault.
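Because encrypted and plain values now sit side by side in one file, it is worth checking that no sensitive variable was left in the clear. The following is an added example, not code from the book: a standard-library Python check that reports, for each sensitive-looking variable, whether it is plain text or a !vault block, and which Vault ID label its header carries. The function name, the name pattern, and the sample inputs are assumptions made for illustration, and the hex line is constructed filler rather than real ciphertext.

```python
import re

# Variable names treated as sensitive (assumption; tune for your repository).
SENSITIVE = re.compile(r"(secret|passw(or)?d|token|api_?key)", re.I)
KEY_LINE = re.compile(r"^\s*([A-Za-z_]\w*):\s*(.*)$")
# Vault envelope header: 1.1 has no label, 1.2 carries the vault ID label.
HEADER = re.compile(r"^\$ANSIBLE_VAULT;(1\.[12]);(\w+)(?:;(\S+))?$")

def audit_inline_secrets(text):
    """Return (name, status, vault_id) for each sensitive-looking variable."""
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = KEY_LINE.match(line)
        if not m or not SENSITIVE.search(m.group(1)):
            continue
        name, value = m.group(1), m.group(2).strip()
        if not value:
            continue  # key opens a nested mapping; nothing to judge here
        if not value.startswith("!vault"):
            findings.append((name, "plaintext", None))
            continue
        # The first line of the block scalar must be the vault header.
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        h = HEADER.match(nxt)
        if h:
            findings.append((name, "vaulted", h.group(3)))
        else:
            findings.append((name, "malformed", None))
    return findings

# Constructed sample: the vars section of the playbook before encryption.
PLAIN = """\
  vars:
    my_secret: secure_password
"""
# Constructed sample: same variable after pasting encrypt_string output.
# The hex line is filler, not real ciphertext.
VAULTED = """\
  vars:
    my_secret: !vault |
          $ANSIBLE_VAULT;1.2;AES256;test
          30313233343536373839616263646566
"""

if __name__ == "__main__":
    for label, doc in (("before", PLAIN), ("after", VAULTED)):
        print(label, audit_inline_secrets(doc))
```

Run against a repository before committing, any "plaintext" or "malformed" finding is a value to encrypt or re-paste; the check inspects names and headers only and never needs the vault password.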
