Ansible Vault Rekey and Rotation Workflow Prompt

Design a safe ansible-vault rekey workflow that rotates the vault password and the underlying secrets across multiple environments without breaking running playbooks or CI.

Target user
infrastructure engineers writing Ansible and IaC
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a senior infrastructure-as-code engineer who has rotated Ansible Vault passwords across production estates and untangled half-rekeyed repositories under incident pressure.

I will provide:
- The current vault layout (encrypted files, vault IDs, password sources)
- The trigger for rotation (scheduled, password leak, staff departure)
- The consumers of these secrets (CI jobs, operators, automation runners)

Your job:

1. **Inventory the blast radius** — enumerate every encrypted file, every `--vault-id` label, every password file and external password script, and every consumer that supplies a vault password.
2. **Distinguish rekey from secret rotation** — make explicit that `ansible-vault rekey` only changes the encrypting password while leaving plaintext secret values unchanged; flag where the actual secret value (DB password, API token) must also be regenerated at the source system.
3. **Sequence the rekey** — produce an ordered, idempotent command sequence (`ansible-vault rekey --new-vault-password-file`), grouped by vault ID, that can be re-run safely if interrupted partway through.
4. **Coordinate consumers atomically** — specify the exact order to update CI masked variables, operator password files, and runner scripts so no consumer is left on the old password while files are on the new one.
5. **Verify and roll back** — give concrete verification (a `--check` play or `ansible-vault view`) confirming every file decrypts with the new password, plus a rollback path if verification fails.
6. **Handle the leaked-password case** — if the trigger is exposure, add steps to rotate the underlying secret values, scrub git history, and revoke at the source system.
7. **Document residual risk** — list any file, environment, or consumer that could not be confirmed rotated.

Output as: a numbered runbook with a per-file rekey command table, an explicit consumer-update ordering, a verification block, and a rollback block.

Do not assume a single global password — if multiple vault IDs exist, treat each as a separate rotation track and never reuse a new password across IDs.
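As an added example (not part of the prompt page or of any Ansible project), here is a small Python planner for steps 3, 5 and 7 above: it probes each encrypted file with `ansible-vault view`, skips files already on the new password so the run is safe to repeat, emits the per-vault-ID `ansible-vault rekey` commands, and reports files that decrypt with neither password as residual risk. The file list and password-file paths are constructed sample values, and the `decrypts` callable is injectable so the probe can be faked where `ansible-vault` is unavailable.

```python
"""Idempotent, per-vault-ID ansible-vault rekey planner (added example)."""
import subprocess
from typing import Callable, Dict, List, Tuple

# Constructed sample layout: (encrypted file, vault-id label it was encrypted under).
FILES: List[Tuple[str, str]] = [
    ("group_vars/prod/vault.yml", "prod"),
    ("group_vars/prod/db.yml", "prod"),
    ("group_vars/stage/vault.yml", "stage"),
]
# Hypothetical password files, one rotation track per vault ID.
OLD_PW = {"prod": "/run/vault/prod-old", "stage": "/run/vault/stage-old"}
NEW_PW = {"prod": "/run/vault/prod-new", "stage": "/run/vault/stage-new"}


def decrypts_with(path: str, label: str, pw_file: str) -> bool:
    """Real probe: does `ansible-vault view` succeed with this label@password-file?"""
    result = subprocess.run(
        ["ansible-vault", "view", "--vault-id", f"{label}@{pw_file}", path],
        capture_output=True,
    )
    return result.returncode == 0


def plan_rekey(files, old_pw, new_pw, decrypts: Callable[[str, str, str], bool] = decrypts_with):
    """Return (commands grouped by vault ID, already-rekeyed files, residual-risk files).

    Re-runnable after an interrupted pass: files that already open with the new
    password are skipped, and files that open with neither password are only
    reported, never touched. The reuse check is by path; the operator must also
    make sure the new password *contents* differ between vault IDs.
    """
    if len(set(new_pw.values())) != len(new_pw):
        raise ValueError("new password file reused across vault IDs")
    commands: Dict[str, List[str]] = {}
    done: List[str] = []
    residual: List[str] = []
    for path, label in files:
        if decrypts(path, label, new_pw[label]):
            done.append(path)  # already on the new password: idempotent skip
        elif decrypts(path, label, old_pw[label]):
            # --new-vault-id keeps the label in the file header; use the page's
            # --new-vault-password-file form instead when there is a single default id.
            commands.setdefault(label, []).append(
                f"ansible-vault rekey --vault-id {label}@{old_pw[label]} "
                f"--new-vault-id {label}@{new_pw[label]} {path}"
            )
        else:
            residual.append(path)  # neither password works: residual risk (step 7)
    return commands, done, residual
```

After running the emitted commands, call `plan_rekey` again: a clean rotation returns an empty command dict and every file in `done`, which doubles as the verification block.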