How to Secure Your Ansible Credentials Using Ansible Vault - A Network Engineer’s Guide

Automation shrinks change windows, but storing plain-text credentials in playbooks can undo every security win. Ansible Vault solves that problem with lightweight, AES-256 encryption baked straight into the Ansible CLI.

As a Network Automation Engineer, I've seen firsthand how automation can significantly reduce operational overhead and human error. Among all tools, Ansible stands out for its simplicity and agentless design, particularly valuable in automating network configurations across multivendor environments.

However, with great automation comes great responsibility — especially when handling device credentials and secrets. Storing plain-text passwords in playbooks or inventory files is a security risk you can’t afford. That’s where Ansible Vault comes in.

In this guide, I’ll walk you through securing your network automation projects using Ansible Vault, covering everything from basics to real-world examples for Cisco device management.

• What is Ansible Vault?
• Common Ansible Vault Operations
• How do I encrypt a Plain Password (Inline Variable)
• Decrypting a Specific Variable (for viewing only)
• How do I rotate or change a Vault password (Re-key)?
• Encrypting an Entire Device Credential File
• Example with Multiple Vault Files (Using --vault-id)
• How can I skip entering the Vault password every time?
• vars_prompt for One-Time Secrets
• Prompting for Vault Password During Execution
• Secure Backup Workflow Example
• Real Network Automation Example
• Best Practices Recap

What is Ansible Vault?

Ansible Vault is a built-in feature that encrypts sensitive data: passwords, API tokens, SSH keys, even entire config files. It uses strong AES-256 encryption to protect your secrets. By encrypting this sensitive info, Ansible Vault lets you:

• Keep your security practices solid.
• Use version control systems (like Git) without exposing plain-text secrets to anyone.
• Make it easier for teams to collaborate securely on automation projects.
• Help stay compliant with your organization's security policies.

Common Ansible Vault Operations

Ansible Vault hooks right into the ansible-vault command-line utility. Here are the key things you'll do with it:

How do I encrypt a Plain Password (Inline Variable)

To encrypt a single variable like a Cisco device password and paste it into an inventory or variable file:

ansible-vault encrypt_string 'Cisco123!' --name 'ansible_password'

Output:

ansible_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  3238656332383764626231343234633666666330623730653232353737633162
  3464323633626437373432386135636564663866313532390a38643063353866
  3266636134323933653562333661663433666639666630353331636431383033
  3736

Paste the above in group_vars/all/vault.yml or inside the inventory variable section.

Decrypting a Specific Variable (for viewing only)

If you're unsure what a variable contains, but don't want to decrypt the whole file:

Option 1: Use ansible-vault view

ansible-vault view group_vars/all/vault.yml

The mirrored command ansible-vault decrypt_string does the reverse of encrypt_string. It is really handy when you only need to reveal a single value for troubleshooting.

Option 2: Use ansible-vault decrypt temporarily

ansible-vault decrypt group_vars/all/vault.yml
ansible-vault encrypt group_vars/all/vault.yml # Re-encrypt

How do I rotate or change a Vault password (Re-key)?

Use this when you want to rotate your vault password for a file (security best practice):

ansible-vault rekey group_vars/all/vault.yml

You will be prompted for the old password and then asked to enter the new one.

Encrypting an Entire Device Credential File

Let’s say you have the following plain-text file creds.yml:

ansible_user: admin
ansible_password: Cisco123!
ansible_become_password: Enable456!

To encrypt this securely:

ansible-vault encrypt creds.yml

After encryption, trying to open it will show garbled encrypted text unless accessed via vault commands.

Tip: Pull once, lock once
Automate secret retrieval from AWS Secrets Manager (or HashiCorp Vault) and encrypt it in-flight:

ansible_password: >-
  

You can test these kinds of patterns instantly inside a CloudMyLab Ansible Instant Environment sandbox, validating your secret retrieval and encryption logic without complex local setups or risking production.

Example with Multiple Vault Files (Using --vault-id)

For bigger projects or environments with different security levels (like dev vs. production), you might want to keep secrets in separate vault files, each with its own password.
Say you have:

• vault-dev.yml (for test environment)
• vault-prod.yml (for production)

You can encrypt each with a distinct password, giving it a unique ID.

ansible-vault encrypt --vault-id dev@prompt vault-dev.yml
ansible-vault encrypt --vault-id prod@prompt vault-prod.yml

And run your playbook like:

ansible-playbook site.yml --vault-id dev@prompt --vault-id prod@prompt

How can I skip entering the Vault password every time?

Tired of --ask-vault-pass prompts? You may create Ansible vault password files. Store the password in a root-readable file and point Ansible at it or export an environment variable for CI runs.

1. Save the vault password in a file:

Create a file (e.g., vault-pass.txt) with only the vault password inside.

echo 'MyStrongPassword123!' > vault-pass.txt
chmod 600 vault-pass.txt

2. Run the playbook using that file:

ansible-playbook playbook.yml --vault-password-file vault-pass.txt

Make sure vault-pass.txt is added to .gitignore and not pushed to source control!

vars_prompt for One-Time Secrets

Need a temporary enable password during a maintenance window? Prompt the user and encrypt on the fly. The value is stored encrypted in memory—never in plain text.

vars_prompt:
  - name: "temp_enable_pass"
    prompt: "Enter one-time enable password"
    private: yes
    encrypt: "ansible-vault"

Prompting for Vault Password During Execution

If you prefer not to store passwords anywhere:

ansible-playbook playbook.yml --ask-vault-pass

You’ll be prompted securely at runtime.

Secure Backup Workflow Example

Network teams back up running-configs daily. Keep those backups encrypted end-to-end.

- name: Encrypt running-configs
  ansible.builtin.shell: |
    ansible-vault encrypt config_backups/.cfg
- name: Copy encrypted cfgs off-box
  copy:
    src: "config_backups/.cfg.vault"
    dest: "/mnt/secure-backup/"

Decrypt only when you need to restore:

ansible-vault decrypt /mnt/secure-backup/rtr1.cfg.vault

Real Network Automation Example

Let’s secure Cisco device credentials in an Ansible inventory and use them in a playbook.

Encrypted Variable File

Encrypt device credentials:

ansible-vault create group_vars/all/vault.yml

Content:

ansible_user: admin
ansible_password: Cisco123!
ansible_become_password: Enable456!

Need to load secrets from any encrypted file? Just add

vars_files:
  - vault.yml

to your playbook header and Ansible will decrypt it at runtime.

Inventory File (inventory.ini)

[core_switches]
10.10.10.1
10.10.10.2

[core_switches:vars]
ansible_connection=network_cli
ansible_network_os=ios
ansible_user=
ansible_password=
ansible_become=true
ansible_become_method=enable
ansible_become_password=

Playbook Example (playbook.yml)

---
- name: Backup running-config from Core Switches
  hosts: core_switches
  gather_facts: no
  tasks:
    - name: Fetch running-config
      ios_config:
        backup: yes

Run the Playbook

Using password prompt:

ansible-playbook -i inventory.ini playbook.yml --ask-vault-pass

Or using a file:

ansible-playbook -i inventory.ini playbook.yml --vault-password-file vault-pass.txt

Where Does This Matter? Quick Scenarios

• Production creds vs. lab creds – Separate vault files or IDs keep mistakes from leaking into prod.
• Off-device backups – Encrypt before shipping configs to remote storage.
• Ephemeral API tokens – Generate, encrypt, discard; never touch git.
• Tenant-by-tenant secrets – One vault file per customer when you run MSP style.

Best Practices Recap

• Always encrypt credentials and tokens.
• Use --vault-id for environment-specific secrets.
• Never commit vault passwords—CI uses ANSIBLE_VAULT_PASSWORD_FILE.
• Add no_log: true on any task that handles plaintext.
• Rotate Vault passwords (ansible-vault rekey) on a schedule.
• Share encrypted files, never plaintext ones.
• Combine Vault with group_vars, vars_files, and clean inventory structure for readability.
• Tag secret-handling tasks with no_log: true so plaintext never hits your logs.
• Follow the best practices for writing Ansible playbooks.
• For larger teams, you may integrate HashiCorp Vault with Ansible or use Ansible Tower’s credential store for seamless GUI‑managed vault passwords.

Read more: Ansible setup step-by-step

Test Every Ansible Playbook Safely, Before It Hits Production

As network engineers transition deeper into infrastructure automation, securing credentials becomes a non-negotiable part of the workflow. Ansible Vault offers a robust yet flexible way to keep secrets safe while still benefiting from Git versioning, collaboration, and playbook reuse.

Whether you're rolling out configs to hundreds of routers, managing device passwords in live production, or securely backing up your network configurations, Vault helps you automate securely and responsibly. Mastering Ansible Vault is an essential skill for any network automation engineer aiming to build reliable, secure, and scalable automation solutions.

Automation shouldn’t be trial and error in a live production environment. This is where CloudMyLab bridges the gap, providing:
✔ Hands-on lab environments to test Ansible Automation Platform in real-world conditions.
✔ Proof of Concept labs to validate automation workflows before deployment.
✔ Enterprise-ready scalability without the need for costly on-premise infrastructure.

💡 Why risk automation errors in production when you can test in a safe, enterprise-grade sandbox?

🔹 Start your automation journey today with CloudMyLab’s Ansible lab environments.
🔹 Sign up for a free trial and take your automation strategies from theory to reality.

Learning Resources

Here are some helpful resources for learning more about Ansible:

• Ansible Documentation: https://docs.ansible.com/
• Official Ansible labs by Red Hat: https://www.redhat.com/en/interactive-labs/ansible
• Ansible Forum: https://forum.ansible.com/
• Ansible Modules Types Explained
• Ansible's Execution Environments
• Ansible CLI vs. Ansible Automation Platform Guide
• Master Ansible Navigator

FAQ

How can I skip entering the Vault password every time I run a playbook?

Save the password in a file (e.g., vault-pass.txt) with restricted permissions (chmod 600 vault-pass.txt) and use ansible-playbook --vault-password-file vault-pass.txt. For CI/CD, export the ANSIBLE_VAULT_PASSWORD_FILE environment variable.

How do I store unique DB passwords for every user in roles?

You can put per-user YAML files under group_vars/db_users/ (if db_users is a group) and encrypt each file with Vault. In your role, you could then use lookups (e.g., lookup('vars', inventory_hostname + '_db_pass')) to fetch the specific password for each host.

Does AWX support “Ansible Vault” as a custom Credential Type?

Yes—create a new Credential Type that exposes vault_password as a field and reference it in job templates. AWX injects the variable so you can drop --ask-vault-pass entirely.

ask_vault_pass = true breaks ansible-lint. Now what?

Yes. Ansible Automation Platform, including AWX, has native support for Ansible Vault. You create a "Credential Type" within AWX/AAP that exposes a field for the vault password, which is then securely injected at runtime.

How do I load an encrypted file without group_vars?

Add it straight to a playbook header:

vars_files:
  - vault.yml # decrypted at runtime

What happens if I lose the vault password?

There's no recovery mechanism if you lose your Ansible Vault password. The encrypted data can't be decrypted without it. You'd have to restore secrets from a secure backup or just regenerate them. This really highlights why you need to manage your vault passwords securely.

Can I encrypt file names as well as contents?

Ansible Vault only encrypts the contents of files. It doesn't encrypt filenames or directory structures. If filename secrecy is critical, you might need to combine Vault with other tools like git-crypt or sops.

Does Vault work with AWX / AAP?

Yes. Ansible Automation Platform (AAP), including AWX, has native support for Ansible Vault. You create a "Credential Type" within AWX/AAP that exposes a field for the vault password, which is then securely injected at runtime.