Docker with Ansible Part III: use vault to encrypt sensitive information

With Ansible you can use Vault to encrypt and hide passwords in your configuration files.
This is the last post in a series of 3 articles about Docker and Ansible:
Part I: from Docker Compose to Ansible
Part II: using variables
Part III: using vault to encrypt sensitive information
Create your vault
To create your vault:
$ ansible-vault create vault.yml
New Vault password:
Confirm New Vault password:
This will open your text editor.
Add the variables that will be encrypted:
mysql_db_root_password: "secret_root"
mysql_db_password: "secret_user"
Put your vault in your playbook
We can reuse the playbook that we created in the previous post, but we will delete mysql_db_password and mysql_db_root_password from the file and include vault.yml:
---
- hosts: localhost
  vars_files:
    - vault.yml
  vars:
    docker_network: network_app
    mysql_db_name: db
    mysql_db_user: ghost
    mysql_db_host: db
  tasks:
    # [...]
    - name: Run Percona container
      docker_container:
        name: 'percona'
        recreate: true
        restart_policy: unless-stopped
        image: 'percona:latest'
        volumes:
          - "percona:/var/lib/mysql"
        env:
          MYSQL_ROOT_PASSWORD: "{{ mysql_db_root_password }}"
          MYSQL_DATABASE: "{{ mysql_db_name }}"
          MYSQL_USER: "{{ mysql_db_user }}"
          MYSQL_PASSWORD: "{{ mysql_db_password }}"
        networks:
          - name: "{{ docker_network }}"
Then launch the playbook:
$ ansible-playbook deploy.yml --ask-vault-pass
Vault password:
That's it: the sensitive information is now encrypted in vault.yml.
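A check you could run before committing, added here as an example (it is not code from the original post): it confirms that vault.yml really is ansible-vault ciphertext and that mysql_db_password and mysql_db_root_password no longer appear as literal values in other files. The function names and the sample files are constructed for illustration.

```python
import re

# Header line written by ansible-vault: $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id>]
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];AES256(?:;\S+)?$")
# The two variables this post moves out of the playbook and into vault.yml.
SECRET_VARS = ("mysql_db_root_password", "mysql_db_password")
PLAINTEXT_DEF = re.compile(r"^\s*(%s)\s*:\s*(\S.*)$" % "|".join(SECRET_VARS))

# Constructed sample files: placeholder hex, not real ciphertext.
SAMPLE_FILES = {
    "vault.yml": "$ANSIBLE_VAULT;1.1;AES256\n" + "3136" * 20 + "\n",
    "vault_plain.yml": 'mysql_db_root_password: "secret_root"\n',
    "deploy.yml": 'vars:\n  mysql_db_user: ghost\n  mysql_db_password: "secret_user"\n',
}


def is_vault_encrypted(text):
    """True if text looks like ansible-vault output: known header, hex-only body."""
    lines = text.strip().splitlines()
    if len(lines) < 2 or not VAULT_HEADER.match(lines[0].strip()):
        return False
    return all(re.fullmatch(r"[0-9a-fA-F]+", ln.strip()) for ln in lines[1:])


def plaintext_secrets(text):
    """Return (line_number, variable) for each secret defined with a literal value."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        m = PLAINTEXT_DEF.match(line)
        # A Jinja reference or an inline !vault value is not a readable secret.
        if m and "{{" not in m.group(2) and not m.group(2).startswith("!vault"):
            hits.append((number, m.group(1)))
    return hits


def audit(files):
    """files maps path -> content. Returns findings; an empty list means clean."""
    findings = []
    for path, text in sorted(files.items()):
        if is_vault_encrypted(text):
            continue  # ciphertext, nothing readable to flag
        for number, var in plaintext_secrets(text):
            findings.append("%s:%d: %s stored in plaintext" % (path, number, var))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES):
        print(finding)
```

The playbook's own env lines such as MYSQL_PASSWORD: "{{ mysql_db_password }}" are not flagged, because they reference the variable rather than define it.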
Resources
https://docs.ansible.com/ansible/latest/user_guide/vault.html
Picture : Micah Williams