Prevent Unencrypted Ansible Vaults from Being Pushed to Git
Ansible Vault is a nice tool that allows you to store sensitive data (such as passwords and application secrets) securely along with your Ansible Playbooks, so you have all your configuration in a single place. Obviously, you don’t want to store unencrypted secrets in your repository, so that’s why Ansible Vault encrypts them with AES-256 encryption by default.
However, a big drawback is that people can easily forget to re-encrypt the vault file after editing it. You can argue that this shouldn’t happen if you use the ansible-vault edit command: it decrypts the file, opens it in your default editor (based on the $EDITOR environment variable), and takes care of re-encrypting it for you when you’re done editing. When making a lot of changes though, it can be easier to decrypt it with ansible-vault decrypt, load it in your favorite GUI editor, and then manually re-encrypt it when done. Unfortunately, in this case, no one will remind you to perform the last step. Everything will continue to work just fine. This is because your vault is just a regular YAML file that Ansible will accept as a source of configuration variables—encrypted or not.
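One way to catch the forgotten re-encryption before it reaches the repository is a git pre-commit hook that checks staged files for the Ansible Vault header. The hook below is an added example, not code from the original post; it assumes vault files can be recognised either by a path containing "vault" (adjust VAULT_PATTERN to your layout) or by the fact that the version already committed in HEAD was encrypted, which also catches a vault that was decrypted in place under any name.

```shell
#!/bin/sh
# Added example (not from the original post): a git pre-commit hook that
# refuses the commit when a staged vault file lacks the Ansible Vault header.
# A file is treated as a vault if its path matches VAULT_PATTERN (assumed
# layout, adjust to your repository) or if the version already in HEAD was
# encrypted, which catches a vault that was decrypted in place and never
# re-encrypted, whatever its name.

VAULT_PATTERN='vault'                                  # assumed path convention
VAULT_HEADER='^\$ANSIBLE_VAULT;1\.[12];AES256(;.*)?$'  # 1.1, or 1.2 with a vault id

# 0 if the file's first line is an Ansible Vault header, 1 otherwise
is_encrypted_vault() {
    head -n 1 "$1" | grep -Eq "$VAULT_HEADER"
}

# 0 if the committed (HEAD) version of the path is encrypted, 1 otherwise
# (also 1 for new files, which have no HEAD version)
was_encrypted_in_head() {
    git show "HEAD:$1" 2>/dev/null | head -n 1 | grep -Eq "$VAULT_HEADER"
}

# Inspect every added/copied/modified staged file; print offenders, return 1 if any
check_staged_vaults() {
    rc=0
    for f in $(git diff --cached --name-only --diff-filter=ACM); do
        [ -f "$f" ] || continue
        case "$f" in
            *"$VAULT_PATTERN"*) ;;                         # named like a vault
            *) was_encrypted_in_head "$f" || continue ;;  # or encrypted before
        esac
        if ! is_encrypted_vault "$f"; then
            echo "unencrypted vault staged: $f"
            rc=1
        fi
    done
    return $rc
}

# Entry point when installed as .git/hooks/pre-commit
if [ "${0##*/}" = "pre-commit" ]; then
    if ! check_staged_vaults; then
        echo "Commit aborted: run 'ansible-vault encrypt <file>' first." >&2
        exit 1
    fi
fi
```

Install it as .git/hooks/pre-commit (executable) in each clone; a hook only protects the clones it is installed in, so it is a local safety net rather than a server-side guarantee.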
