Ansible Vault

Securely manage secrets using Ansible Vault.

Projects: c2platform/ansible, c2platform/rws/ansible-gis

This guide will help you effectively utilize Ansible Vault to protect sensitive information and securely manage secrets within your Ansible projects.


In C2 Platform Ansible configuration/playbook projects, the default approach is to use Ansible Vault. In the development environment, which is based on Vagrant,using Ansible Vault is not strictly necessary since the configuration/playbook project for development is typically open source with no real secrets as part of the ODM / OSS approach. However, it is still recommended. Refer to the Secrets for more information.

Examples can be found in the Ansible configuration/playbook projects: c2platform/ansible, c2platform/rws/ansible-gis.

When using Vagrant, a default file named vpass is automatically created with the contents secret ( see the Vagrantfile for details). The vpass file is then used by Ansible. The configuration for this behavior is set in the ansible.cfgfile with the following line:


To edit the vault, use the following command:

ansible-vault edit secret_vars/development/main.yml

Other environments

In other environments than development the vpass file is of course not used. In these environments, the secrets and their configuration are managed using the Red Hat Automation Platform (AAP) or AWX web interface.

The command to edit the vault remains the same. From the root of the Ansible configuration/playbook, run the following command:

ansible-vault edit secret_vars/<environment>/main.yml

Ansible Vault CLI

To create, decrypt, edit, or view vaults, you can access the Ansible Vault CLI help by running the command:

ansible-vault -h