DevOps AI ToolKit
AI for Ansible

Design an Ansible Vault Secrets Workflow Prompt

Set up a clean Ansible Vault workflow — encrypting secrets, separating vaulted vars, vault IDs per environment, and CI integration — without leaking plaintext or breaking diffs.

Target user
Ansible automation and platform engineers
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a senior Ansible engineer who designs secrets management with Ansible Vault for a team and a CI pipeline.

I will provide:
- The secrets I need to manage (API keys, passwords, certs) and which environments use them (dev/stage/prod)
- My current variable layout (group_vars/host_vars) and whether secrets are currently in plaintext
- How playbooks run today (local, CI runner, AWX/Tower) and how the vault password is (or should be) supplied

Your job:

1. **Separate secret from non-secret vars** — recommend splitting each group into `vars.yml` (clear) and `vault.yml` (encrypted), referencing vault values via clear-named pointer variables so diffs stay readable.
2. **Choose encryption scope** — advise encrypting whole files vs single values with `encrypt_string`, and when each is appropriate.
3. **Set up vault IDs** — define per-environment vault IDs (`--vault-id dev@prompt`, `--vault-id prod@vault-pass.sh`) so prod and dev never share one password; the label is written into the encrypted file's header (`$ANSIBLE_VAULT;1.2;AES256;prod`), which lets Ansible pick the matching password when several IDs are supplied.
4. **Supply the password securely** — point `--vault-id <label>@<script>` (or `--vault-password-file`) at an executable script that fetches the password from a secret store or a CI-injected environment variable. Ansible runs an executable password file and takes its stdout as the password, while a non-executable file is read as the password itself, so a plaintext password file must never be committed. State the `.gitignore` entries and file permissions (for example `0700` on the script) that enforce this.
5. **Integrate with CI** — show how the runner injects the vault password via env/secret and runs non-interactively.
6. **Operational hygiene** — cover rekeying (`ansible-vault rekey`, with `--new-vault-id` when the label or password source changes), viewing and editing safely (`view`/`edit`, which decrypt to a temporary file and re-encrypt on save; never `decrypt` into the working tree, edit, and `encrypt` again), and a pre-commit hook that rejects any vault file lacking the `$ANSIBLE_VAULT;` header.

Output as: (a) the proposed file/var layout, (b) exact `ansible-vault` commands for each operation, (c) the CI password-injection snippet, (d) a checklist to prevent plaintext leaks.

Never commit vault passwords or decrypted files; verify that `.gitignore` covers them, mark tasks that handle secrets with `no_log: true` so values never reach task output or CI logs (`--check` alone does not hide them), and use `--check` runs to confirm the playbooks resolve the vaulted variables before anything is applied.
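As a worked starting point for the layout, password script and pre-commit hook the prompt asks for, here is an added example; it is not code from this page or from the Ansible project. It assumes a group called `webservers`, the environments `dev` and `prod`, one password script per environment named `vault-pass-<env>.sh` that reads `ANSIBLE_VAULT_PASS_<ENV>`, and the variable names shown; all of these are illustrative.

```shell
#!/bin/sh
# Added example for this page, not code from the page or from Ansible itself.
# Scaffolds the vars.yml / vault.yml split, writes one vault password script
# per environment, and implements the pre-commit check that refuses plaintext
# vault files. The group "webservers", the environments dev/prod and the
# variable names are illustrative assumptions.
set -e

# Ansible's header for an encrypted file: "$ANSIBLE_VAULT;1.1;AES256" when a
# single password is used, "$ANSIBLE_VAULT;1.2;AES256;<label>" with --vault-id.
VAULT_HEADER_RE='^\$ANSIBLE_VAULT;1\.[12];AES256'

# 1. Layout: vars.yml stays readable in diffs and only holds pointers
#    ("{{ vault_* }}") into vault.yml, which holds nothing but secrets.
scaffold_group() {
  local dir="$1" group="$2"
  mkdir -p "$dir/group_vars/$group"
  cat > "$dir/group_vars/$group/vars.yml" <<'EOF'
# Clear text, safe to read in review: every secret is a pointer into vault.yml
db_user: app
db_password: "{{ vault_db_password }}"
api_key: "{{ vault_api_key }}"
EOF
  cat > "$dir/group_vars/$group/vault.yml" <<'EOF'
# Encrypt before committing: ansible-vault encrypt --vault-id <env>@vault-pass-<env>.sh <this file>
vault_db_password: CHANGE-ME
vault_api_key: CHANGE-ME
EOF
}

# 2. Password source: Ansible runs an executable password file as a script and
#    takes its stdout as the password, so the script pulls the value from an
#    environment variable that CI fills from its secret store. A non-executable
#    file would be read as the password itself, hence the chmod.
write_vault_pass_script() {
  local dir="$1" env="$2"
  local var="ANSIBLE_VAULT_PASS_$(printf '%s' "$env" | tr '[:lower:]' '[:upper:]')"
  cat > "$dir/vault-pass-$env.sh" <<EOF
#!/bin/sh
# Password for the "$env" vault id; $var comes from the CI secret store.
: "\${$var:?$var is not set, export it from the secret store}"
printf '%s' "\$$var"
EOF
  chmod 0700 "$dir/vault-pass-$env.sh"
}

# 3. Keep plaintext password files and decrypted scratch copies out of git.
write_gitignore() {
  printf '%s\n' '.vault-pass*' '*.decrypted' '*.vault.tmp' > "$1/.gitignore"
}

# 4. Pre-commit check. Paths that hold secrets by convention:
is_vault_path() {
  case "$1" in
    vault.yml|*/vault.yml|*/vault/*.yml|*/vault/*.yaml) return 0 ;;
    *) return 1 ;;
  esac
}

# True when the content on stdin carries the Ansible Vault header.
is_vaulted_stream() {
  head -n 1 | grep -q "$VAULT_HEADER_RE"
}

# Checks working-tree files given as arguments; non-vault paths are skipped.
# Returns 1 (and names the offenders on stderr) if any vault file is plaintext.
check_vault_files() {
  local rc=0 f
  for f in "$@"; do
    is_vault_path "$f" || continue
    if ! is_vaulted_stream < "$f"; then
      echo "pre-commit: $f is a plaintext vault file, encrypt it first" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Hook entry point (.git/hooks/pre-commit). Inspects the staged blob, not the
# working tree, so an encrypted copy on disk cannot mask a plaintext stage.
precommit_hook() {
  git diff --cached --name-only --diff-filter=AM | {
    rc=0
    while IFS= read -r f; do
      is_vault_path "$f" || continue
      if ! git show ":$f" | is_vaulted_stream; then
        echo "pre-commit: staged $f is a plaintext vault file" >&2
        rc=1
      fi
    done
    exit "$rc"   # exits only the pipeline subshell; becomes the function's status
  }
}

main() {
  local dir="${1:-.}"
  scaffold_group "$dir" webservers
  write_vault_pass_script "$dir" dev
  write_vault_pass_script "$dir" prod
  write_gitignore "$dir"
}
```

With the scaffold in place, the per-operation commands are `ansible-vault encrypt --vault-id prod@vault-pass-prod.sh group_vars/webservers/vault.yml`, `ansible-vault edit --vault-id prod@vault-pass-prod.sh group_vars/webservers/vault.yml`, and for rotation `ansible-vault rekey --vault-id prod@vault-pass-prod.sh --new-vault-id prod@prompt group_vars/webservers/vault.yml`. In CI the runner exports the secret and runs non-interactively: `ANSIBLE_VAULT_PASS_PROD="$CI_VAULT_SECRET" ansible-playbook --vault-id prod@vault-pass-prod.sh site.yml`; listing the IDs once as `vault_identity_list = dev@vault-pass-dev.sh, prod@vault-pass-prod.sh` under `[defaults]` in `ansible.cfg` saves repeating the flag. Install the hook as a `.git/hooks/pre-commit` that sources this file and calls `precommit_hook`; it deliberately checks the staged blob with `git show :path`, because a file that is encrypted on disk can still have a plaintext version staged.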
