
Ansible Vault Secrets Management Prompt

Use Ansible Vault — encrypt secrets, vault IDs, multi-vault setups, integration with external secret managers.

Target user
Ansible engineers managing secrets
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a senior Ansible engineer who has migrated production secrets from plain YAML to Ansible Vault and integrated with external secret managers.

I will provide:
- The secrets in question
- Current state (plain, vault, mixed)
- Goal (encrypt / rotate / migrate to external)

Your job:

1. **Vault basics**:
   - `ansible-vault encrypt` / `decrypt` files
   - `ansible-vault edit` for in-place editing (decrypt into an editor, re-encrypt on save)
   - Password via prompt, file, or external script
   - Run with `--ask-vault-pass` or `--vault-password-file`
2. **For vault IDs**:
   - Multiple vault passwords (per env)
   - `--vault-id prod@~/.vault/prod` `--vault-id dev@~/.vault/dev`
   - Files encrypted under a vault ID carry that label in their header
3. **For encrypted vars (in-file)**:
   - `ansible-vault encrypt_string` for single value
   - YAML supports `!vault` tagged strings
4. **For encrypted files**:
   - Whole files encrypted
   - `group_vars/prod/vault.yml` pattern
5. **For password sources**:
   - File: `--vault-password-file ~/.vault/key`
   - Script: an executable that prints the password to stdout (e.g., fetched from an HSM)
   - Prompt: interactive
6. **For rotation**:
   - `ansible-vault rekey <file>` — change password
   - Doesn't change underlying secret values
7. **For external integration**:
   - HashiCorp Vault: `community.hashi_vault.hashi_vault` lookup
   - AWS Secrets Manager: `amazon.aws.aws_secret` lookup
   - Pull secrets at runtime; use Ansible Vault only for the keys/passwords needed to reach the external manager
8. **For CI/CD integration**:
   - Vault password as masked CI variable
   - Or external secret manager
   - Never commit passwords

Mark DESTRUCTIVE: committing vault password to git, sharing password across teams, rotating without coordinating consumers.

---

Secrets: [DESCRIBE]
Current state: [DESCRIBE]
Goal: [DESCRIBE]

Why this prompt works

Encrypting secrets at rest is foundational. This prompt walks through the Ansible Vault patterns an engineer needs, from single encrypted files to per-environment vault IDs and external secret managers.

How to use it

  1. Encrypt sensitive files.
  2. Use vault IDs for multi-env.
  3. Store password securely.
  4. External manager for production scale.

Useful commands

# Encrypt a file
ansible-vault encrypt secrets.yml

# Decrypt for inspection
ansible-vault view secrets.yml

# Edit (decrypt in editor, re-encrypt on save)
ansible-vault edit secrets.yml

# Encrypt single string
ansible-vault encrypt_string 'mysecret' --name 'db_password'

# Run playbook
ansible-playbook site.yml --ask-vault-pass
ansible-playbook site.yml --vault-password-file ~/.vault/key

# Multi-vault
ansible-playbook site.yml \
    --vault-id prod@~/.vault/prod \
    --vault-id dev@~/.vault/dev

# Rekey (prompts for the current and the new password; the secret values inside do not change)
ansible-vault rekey secrets.yml

# Rekey non-interactively: decrypt with the current key file, re-encrypt with the new one
ansible-vault rekey secrets.yml --vault-password-file ~/.vault/key --new-vault-password-file ~/.vault/new-key

Patterns

Group-vars pattern

inventories/
├── production/
│   ├── hosts.yml
│   └── group_vars/
│       └── all/
│           ├── vars.yml         # plain settings
│           └── vault.yml        # encrypted secrets

# inventories/production/group_vars/all/vars.yml (plain)
mysql_user: app_user
mysql_password: "{{ vault_mysql_password }}"

# inventories/production/group_vars/all/vault.yml (encrypted)
vault_mysql_password: "actual_secret_here"

# Encrypt the vault file in place
ansible-vault encrypt inventories/production/group_vars/all/vault.yml

Multi-vault by environment

# Per-env vault passwords (directory and files readable only by the owner)
mkdir -p ~/.vault && chmod 700 ~/.vault
echo "prod-password" > ~/.vault/prod
echo "dev-password" > ~/.vault/dev
chmod 600 ~/.vault/*

# Encrypt with specific vault ID
ansible-vault encrypt --vault-id prod@~/.vault/prod inventories/production/group_vars/all/vault.yml
ansible-vault encrypt --vault-id dev@~/.vault/dev inventories/dev/group_vars/all/vault.yml

# Run
ansible-playbook site.yml \
    --vault-id prod@~/.vault/prod \
    --vault-id dev@~/.vault/dev \
    -i inventories/production

Encrypted string in vars file

# vars/main.yml
db_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  31333031323031343034626635303339363438...
  6464626532383130373533396432663366626264...

CI/CD pattern (vault password as variable)

# .gitlab-ci.yml
# ANSIBLE_VAULT_PASSWORD is defined as a masked (and protected) GitLab CI variable,
# so it is already in the job environment; it is never written to the repository.
deploy:
  script:
    - echo "$ANSIBLE_VAULT_PASSWORD" > /tmp/vault-pass
    - chmod 600 /tmp/vault-pass
    - ansible-playbook site.yml --vault-password-file /tmp/vault-pass
  after_script:
    - rm -f /tmp/vault-pass   # runs even when the playbook fails

External secret manager (Vault) lookup

# The lookup runs on the controller; the token comes from the controller
# environment (e.g. VAULT_TOKEN), not from the target hosts.
- name: Fetch from HashiCorp Vault
  hosts: web
  vars:
    db_password: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/data/db:password url=https://vault.example.com') }}"
  tasks:
    - name: Use secret
      template:
        src: app.conf.j2
        dest: /etc/app.conf

Common findings this catches

  • Vault password committed → rotate; scrub history.
  • Mixed env-vault one password → split per env.
  • Cleartext secret in playbook → encrypt.
  • External lookup fails offline → fallback or cache.
  • Rekey didn’t update CI variable → coordinate.
  • Backup not maintained → schedule.
  • Multiple maintainers same password → migrate to IdP-backed.
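An added check, not from this page or from Ansible, that covers the multi-vault pattern above and the "cleartext secret" and "one password across environments" findings: it parses the header ansible-vault writes at the top of an encrypted file to confirm each vault.yml is encrypted and labelled with the vault ID expected for its inventory. EXPECTED_LABEL (policy) and SAMPLE_TREE (sample files) are constructed assumptions.

```python
import re
from typing import Dict, List, Optional

# Header written by ansible-vault (two constructed examples):
#   $ANSIBLE_VAULT;1.1;AES256        no vault-id label
#   $ANSIBLE_VAULT;1.2;AES256;prod   labelled with the vault ID "prod"
HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;(?P<version>\d\.\d);(?P<cipher>\w+)(?:;(?P<label>[^\s;]+))?\s*$")

# Hypothetical policy: the vault-id label each inventory directory must be encrypted with.
EXPECTED_LABEL = {"production": "prod", "dev": "dev"}

def parse_vault_header(text: str) -> Optional[Dict[str, Optional[str]]]:
    """Return version/cipher/label from the first line, or None if the file is not vault-encrypted."""
    m = HEADER_RE.match(text.lstrip().split("\n", 1)[0])
    return m.groupdict() if m else None

def env_from_path(path: str) -> Optional[str]:
    """inventories/<env>/group_vars/... -> <env>; None if the path is not under inventories/."""
    parts = path.split("/")
    i = parts.index("inventories") if "inventories" in parts else -1
    return parts[i + 1] if 0 <= i < len(parts) - 1 else None

def check_vault_file(path: str, text: str) -> List[str]:
    """Findings for one vault.yml: cleartext, unlabelled, or label/environment mismatch."""
    header = parse_vault_header(text)
    if header is None:
        return [f"{path}: CLEARTEXT -> ansible-vault encrypt it"]
    env = env_from_path(path)
    want = EXPECTED_LABEL.get(env)  # None when no policy exists for this inventory
    if header["label"] is None:
        return [f"{path}: format {header['version']} has no vault-id label -> re-encrypt with --vault-id {want or '<env>'}@..."]
    if want and header["label"] != want:
        return [f"{path}: label '{header['label']}' but inventory '{env}' expects '{want}' -> rekey per environment"]
    return []

def scan_tree(files: Dict[str, str]) -> List[str]:
    """Check every vault.yml in a {path: content} map (a real run would read these from the repo)."""
    findings: List[str] = []
    for path in sorted(files):
        if path.endswith("/vault.yml"):
            findings.extend(check_vault_file(path, files[path]))
    return findings

# Constructed sample tree: one compliant file plus three of the findings above.
SAMPLE_TREE = {
    "inventories/production/group_vars/all/vault.yml": "$ANSIBLE_VAULT;1.2;AES256;prod\n6162636465\n",
    "inventories/dev/group_vars/all/vault.yml": "$ANSIBLE_VAULT;1.2;AES256;prod\n6162636465\n",
    "inventories/production/group_vars/db/vault.yml": 'vault_mysql_password: "hunter2"\n',
    "inventories/dev/group_vars/db/vault.yml": "$ANSIBLE_VAULT;1.1;AES256\n6162636465\n",
}
```

Run `scan_tree` over the files of a real checkout in a pre-commit hook or CI job to catch these findings before the prompt-driven review.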

When to escalate

  • Password compromise — incident response.
  • Migration to external SM — strategic.
  • Cross-team vault strategy — coordinate.
