Using Ansible Vault

All non-development environments need to be shared with your colleagues, so they can perform updates and maintenance on the environment as well.

To keep secrets from being stored in plain text in Git repositories, we encrypt them with ansible-vault, the encryption mechanism native to Ansible.

By default, the SSH private key and Ansible's sensitive_vars.yml are stored encrypted. The password to decrypt them is stored in 1Password. We use GETRECT tooling to wrap the retrieval of the password from your 1Password account.

If you want to encrypt additional sensitive content, you can execute the following command (from within the ansible directory): ansible-vault encrypt <filename>.

If you need to edit already encrypted content, you can execute the following command (from within the ansible directory): ansible-vault edit <filename>.
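
A check you can run before committing, to confirm that files which should be encrypted really carry the ansible-vault envelope. This is an added example, not part of the project's own tooling; the function names, the script name check_vault.sh and the sample file names are assumptions. It checks the file's shape only (vault header plus hex body) and does not attempt decryption.

```shell
#!/bin/sh
# Added example: fail when a file that should be vault-encrypted is plain text.
# Usage (script name is hypothetical): sh check_vault.sh sensitive_vars.yml ...

# Return 0 only if the file is a vault envelope: a first line of the form
# $ANSIBLE_VAULT;<version>;AES256[;<vault-id>] followed by hex-only lines.
# Return 2 if the file does not exist, 1 if it is not vault-shaped.
is_vault_encrypted() {
    [ -f "$1" ] || return 2
    header=$(head -n 1 "$1")
    case $header in
        '$ANSIBLE_VAULT;'[0-9].[0-9]';AES256') ;;
        '$ANSIBLE_VAULT;'[0-9].[0-9]';AES256;'?*) ;;
        *) return 1 ;;
    esac
    body=$(tail -n +2 "$1")
    [ -n "$body" ] || return 1    # header present but no ciphertext
    # A non-hex character anywhere in the body means this is not vault output.
    if printf '%s\n' "$body" | grep -q '[^0-9a-f]'; then
        return 1
    fi
    return 0
}

# Report every path that is missing or not encrypted; return 1 if any was found.
check_vault_files() {
    rc=0
    for f in "$@"; do
        if ! is_vault_encrypted "$f"; then
            printf 'NOT ENCRYPTED: %s\n' "$f" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample data (not real ciphertext): one vault-shaped file, one plain.
write_samples() {
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '6162636465666768' \
        '3031323334353637' > "$1/encrypted.yml"
    printf '%s\n' 'db_password: example-plaintext' > "$1/plain.yml"
}

# When called with file arguments, check them and exit non-zero on any failure.
if [ "$#" -gt 0 ]; then
    check_vault_files "$@"
fi
```

Called from a Git pre-commit hook with the paths that must stay encrypted, a non-zero exit blocks the commit.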