Ansible Vault provides two alternative ways to protect secrets: encrypted variables (each secret value is encrypted individually and stored inline as a !vault value) and encrypted files (the whole vars file is encrypted). The official Ansible Vault documentation describes the advantages and disadvantages of the two approaches.
Encrypted variables
With Encrypted variables you can use the secrets-init.yml playbook to handle the first-time generation of secrets and also to automatically add new secrets that may be introduced in future versions of the playbook.
To automatically setup/update secrets, run:
pipenv run ansible-playbook -e vault_init=encrypted_variables playbooks/secrets-init.yml
Encrypted files
With Encrypted files you can use the secrets-init.yml playbook to handle the first-time generation of secrets, but secrets introduced by later versions of the playbook have to be added by hand, as described below. You can also supply your own passwords instead of the autogenerated ones. To do so, first generate the secrets in plaintext with:
pipenv run ansible-playbook -e vault_init=plaintext playbooks/secrets-init.yml
and then replace the autogenerated passwords with your own before encrypting the file.
To encrypt the file and automatically generate any missing secrets, run:
pipenv run ansible-playbook -e vault_init=encrypted_file playbooks/secrets-init.yml
After the first run, you can access the encrypted file vault with:
pipenv run ansible-vault view vars/secrets.yml
or to add/edit secrets with:
pipenv run ansible-vault edit vars/secrets.yml
Please refer to the official Ansible documentation to learn how to interact with existing encrypted variables or files.
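As an added example (not part of this project's playbooks or of Ansible itself), the POSIX shell check below tells the two layouts apart and flags plaintext values, so it can run as a pre-commit guard before vars/secrets.yml is pushed: a whole-file vault starts with the $ANSIBLE_VAULT header, while an encrypted-variables file must have every top-level value tagged !vault. The sample files are constructed here, the file names are mine, and the parser assumes one top-level "key: value" per line.

```sh
#!/bin/sh
# Pre-commit style check for Ansible Vault secrets (added example, not project code).

# is_vault_encrypted FILE: 0 if FILE is a whole-file vault (format 1.1 or 1.2 header)
is_vault_encrypted() {
  head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# plaintext_secrets FILE: print top-level YAML keys whose value is not a !vault block.
# Assumption: secrets are written one per line as "key: value" or "key: !vault |".
plaintext_secrets() {
  grep -E '^[A-Za-z_][A-Za-z0-9_]*:' "$1" | grep -v '!vault' | cut -d: -f1
}

# check_secrets FILE: 0 if FILE is either fully encrypted or contains only !vault values
check_secrets() {
  if is_vault_encrypted "$1"; then
    return 0
  fi
  if [ -z "$(plaintext_secrets "$1")" ]; then
    return 0
  fi
  return 1
}

# Constructed sample inputs (the hex bodies are placeholders, not real ciphertext).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' \
  '31323334353637383930' > "$demo_dir/encrypted.yml"

printf '%s\n' '---' \
  'db_password: !vault |' \
  '          $ANSIBLE_VAULT;1.1;AES256' \
  '          31323334353637383930' \
  'api_token: !vault |' \
  '          $ANSIBLE_VAULT;1.1;AES256' \
  '          30393837363534333231' > "$demo_dir/inline_ok.yml"

printf '%s\n' '---' \
  'db_password: !vault |' \
  '          $ANSIBLE_VAULT;1.1;AES256' \
  '          31323334353637383930' \
  'api_token: supersecret' > "$demo_dir/inline_leak.yml"

for f in encrypted.yml inline_ok.yml inline_leak.yml; do
  if check_secrets "$demo_dir/$f"; then
    echo "$f: ok"
  else
    echo "$f: plaintext secrets found: $(plaintext_secrets "$demo_dir/$f" | tr '\n' ' ')"
  fi
done
```

Run it against the real vars/secrets.yml from a git pre-commit hook and refuse the commit when check_secrets fails; the header test is the same one Ansible uses to recognise a vault file, so a file that was only ever generated with vault_init=plaintext and never encrypted is caught before it leaves the machine.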