Vault Passwords
Storing and using Ansible Vault credentials at execution time.
What is Ansible Vault?
Ansible Vault encrypts sensitive variables inside playbooks and variable files. SculptOps lets you store the vault password securely so authorized runs can decrypt those variables without retyping the password each time.
Adding a vault password
Go to Settings - Vault Passwords - Add vault password. Give it a descriptive name and enter the password. It is stored encrypted in the database using the same encryption mechanism as SSH keys.
ENCRYPTION_KEY, stored vault passwords cannot be recovered.
Using vault passwords in runs
When running a playbook that contains encrypted variables, select the appropriate vault credential in the run dialog. SculptOps makes the credential available only for the duration of the isolated Ansible execution.
Encrypting variables for use with SculptOps
You can encrypt variables locally with the Ansible CLI before pasting them into your playbook:
# Encrypt a single value
ansible-vault encrypt_string 'replace-me' --name 'db_password'
# Encrypt an entire file
ansible-vault encrypt group_vars/production/secrets.yml
Vault in workflows and schedules
Vault credentials selected for a workflow step or schedule are saved as references. The credential value itself remains encrypted and is resolved at execution time.
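A check for the local encryption step under "Encrypting variables for use with SculptOps", added here as an example and not part of SculptOps: it classifies a vars file by its Ansible Vault header so a secrets file that is still plaintext is caught before it is pasted into a playbook or committed. The `secrets.yml` name filter, the function names and the sample tree are assumptions; the sample payload lines are constructed dummy data, not real ciphertext.

```shell
#!/bin/sh
# Added example (not SculptOps code): confirm vars files are vault-protected.

# Prints one of: encrypted | inline | plaintext
vault_status() {
    # Whole file (ansible-vault encrypt): line 1 is the vault header.
    if head -n 1 "$1" | grep -q '^[$]ANSIBLE_VAULT;[0-9.]*;AES256'; then
        echo encrypted
    # Single value (encrypt_string): "!vault |" tag, header on the next line.
    elif awk '/!vault [|]/ { tag = 1; next }
              tag && /^ +[$]ANSIBLE_VAULT;/ { found = 1 }
              { tag = 0 }
              END { exit !found }' "$1"; then
        echo inline
    else
        echo plaintext
    fi
}

# Lists secrets.yml files under a directory that are still plaintext.
# The file name is an assumption taken from the path used on this page.
plaintext_secret_files() {
    find "$1" -type f -name 'secrets.yml' | sort | while IFS= read -r f; do
        if [ "$(vault_status "$f")" = plaintext ]; then echo "$f"; fi
    done
}

# Constructed sample tree; the hex payload lines are dummy data.
make_samples() {
    mkdir -p "$1/production" "$1/staging"
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '3031323334353637' \
        > "$1/production/secrets.yml"
    printf '%s\n' 'db_password: replace-me' > "$1/staging/secrets.yml"
    printf '%s\n' 'db_password: !vault |' \
        '          $ANSIBLE_VAULT;1.1;AES256' '          3031323334353637' \
        > "$1/production/inline.yml"
}

samples=$(mktemp -d)
make_samples "$samples"
for f in production/secrets.yml production/inline.yml staging/secrets.yml; do
    printf '%-26s %s\n' "$f" "$(vault_status "$samples/$f")"
done
plaintext_secret_files "$samples"
rm -rf "$samples"
```

A status of `inline` only shows that at least one value in the file is vault-tagged; other variables in the same file can still be plaintext.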