Ansible Series Part 3 | Ansible Vault

Learn how to use Ansible Vault to securely manage secrets in your playbooks.

Storing API keys, tokens, and passwords in your playbooks isn’t safe—especially if you keep your Ansible project in version control. That’s where Ansible Vault comes in. It lets you encrypt sensitive variables while still using them like any other part of your automation.

In this third part of the series, I’ll show you how I use Vault to securely manage secrets in my homelab setup. In this example, we’ll use Vault to store a Tailscale auth key, which one of my roles uses to authenticate a server into my private Tailscale network.

Suggested Directory Structure

Here’s how I structure my group variables folder:

group_vars/
├── all.yml          # (optional) public/global variables
└── vault.yml        # encrypted secrets (Vault protected)

Create the Vault File

Create an encrypted file for your secrets:

ansible-vault create group_vars/vault.yml

When the editor opens, enter something like:

tailscale_auth_key: "tskey-REPLACE_ME"

Then save and close the editor. The file is now encrypted and safe to commit (if you’re careful with your vault password).

Use the Vault Variable in a Playbook

You can now use the secret just like any other variable:

- name: Authenticate with Tailscale
  ansible.builtin.command: >
    tailscale up --authkey {{ tailscale_auth_key }}

Ansible will automatically load variables from group_vars/.

Run the Playbook with Vault

Once you’ve encrypted your secrets with Ansible Vault, you can run your playbook securely by providing the vault password at runtime:

ansible-playbook playbooks/tailscale.yml --ask-vault-pass

This command will prompt you for the vault password before executing the playbook, ensuring your secrets are decrypted only when needed.

Editing or Updating the Vault

To edit your encrypted file later:

ansible-vault edit group_vars/vault.yml

To change the vault password:

ansible-vault rekey group_vars/vault.yml

Git Ignore Vault Files

Add this to your .gitignore file to prevent secrets from being committed:

group_vars/vault.yml
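The steps above (create the vault, use it in the playbook, run with the vault password, keep the file out of git) can be tied together with a few shell helpers. The script below is an added example, not code from the original post or its GitHub repository. It assumes a vault password file at ~/.ansible_vault_pass (any path works) and keeps the post's group_vars/vault.yml layout; note that Ansible maps group_vars/NAME.yml to the inventory group NAME, so with that layout the secrets load for hosts in a group called vault, and the example assumes such a group exists (the usual alternative, group_vars/all/vault.yml, applies to every host). The playbook path playbooks/tailscale.yml is the one from the post.

```shell
#!/bin/sh
# Added example (not from the original post): helpers around the Ansible Vault
# workflow. Paths below are assumptions; adjust them to your project.
set -eu

VAULT_FILE="group_vars/vault.yml"                 # layout used in the post
VAULT_PASS_FILE="${HOME:-.}/.ansible_vault_pass"  # assumed password file location

# Create the vault password file with owner-only permissions (mode 0600) so that
# other local users cannot read it. Prints the resulting permission string.
# Usage: make_vault_password_file PATH PASSPHRASE
make_vault_password_file() {
    ( umask 077; printf '%s\n' "$2" > "$1" )   # subshell keeps umask change local
    ls -ld "$1" | cut -c1-10
}

# Return 0 if the file starts with the Ansible Vault header, 1 otherwise.
# A fully encrypted vault file begins with "$ANSIBLE_VAULT;1.1;AES256"
# (1.2 when a vault id label is used); a plaintext YAML file fails this check.
vault_file_is_encrypted() {
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;1\.[0-9];AES256'
}

# Pre-commit style guard: given the paths about to be committed, refuse if any
# file named like a vault file is still plaintext. This complements .gitignore,
# which only helps while the file name matches the ignore pattern exactly.
# Usage: check_staged_vault_files FILE...
check_staged_vault_files() {
    status=0
    for f in "$@"; do
        case "$f" in
            *vault*.yml|*vault*.yaml)
                if ! vault_file_is_encrypted "$f"; then
                    echo "refusing to commit plaintext vault file: $f" >&2
                    status=1
                fi ;;
        esac
    done
    return $status
}

# Encrypt a single value as an inline !vault string, so it can sit in all.yml
# beside plain variables without encrypting the whole file.
# Usage: encrypt_single_value VARIABLE_NAME VALUE
encrypt_single_value() {
    ansible-vault encrypt_string --vault-password-file "$VAULT_PASS_FILE" \
        --name "$1" "$2"
}

# Run the post's playbook with the password file instead of an interactive
# prompt (suitable for cron or CI). Setting ANSIBLE_VAULT_PASSWORD_FILE in the
# environment is equivalent to passing --vault-password-file.
run_tailscale_playbook() {
    ansible-playbook playbooks/tailscale.yml --vault-password-file "$VAULT_PASS_FILE"
}

# Stand-alone demo: ./vault-helpers.sh demo
if [ "${1:-}" = "demo" ]; then
    make_vault_password_file "$VAULT_PASS_FILE" "change-me-to-a-real-passphrase"
    check_staged_vault_files "$VAULT_FILE"     # fails if vault.yml is plaintext
    if command -v ansible-playbook >/dev/null 2>&1; then
        run_tailscale_playbook
    fi
fi
```

One more point about the playbook task itself: the decrypted key is passed to `tailscale up --authkey` as a command argument, so the task result (and any `-v` output) contains it in clear; adding `no_log: true` to that task keeps the key out of the run log.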

Recap

In this post, you:

  • Learned what Ansible Vault is and why it matters
  • Created an encrypted secrets file
  • Used Vault variables in a real playbook
  • Ran a playbook securely with password or file-based vault access
  • Updated your .gitignore to protect sensitive data

You can find the full source for my setup on GitHub.

This post is licensed under CC BY 4.0 by the author.