devopsbasic: Ansible 19. vault example

Let see a demonstration for ansible vault
1. Create a sample file that store credentials
[oracle@oel01db playbooks]$ cat app_cred.yaml
username: admin
password: Welcome123
[oracle@oel01db playbooks]$
[oracle@oel01db playbooks]$ ansible-vault --help
usage: ansible-vault [-h] [--version] [-v]
{create,decrypt,edit,view,encrypt,encrypt_string,rekey}
...
encryption/decryption utility for Ansible data files
positional arguments:
{create,decrypt,edit,view,encrypt,encrypt_string,rekey}
create Create new vault encrypted file
decrypt Decrypt vault encrypted file
edit Edit vault encrypted file
view View vault encrypted file
encrypt Encrypt YAML file
encrypt_string Encrypt a string
rekey Re-key a vault encrypted file

optional arguments:
--version show program's version number, config file location,
configured module search path, module location,
executable location and exit
-h, --help show this help message and exit
-v, --verbose verbose mode (-vvv for more, -vvvv to enable
connection debugging)

See 'ansible-vault <command> --help' for more information on a specific
command.
[oracle@oel01db playbooks]$
2. Encrypt the file.
[oracle@oel01db playbooks]$ ansible-vault encrypt app_cred.yaml
New Vault password:
Confirm New Vault password:
Encryption successful
[oracle@oel01db playbooks]$ cat app_cred.yaml
$ANSIBLE_VAULT;1.1;AES256
32633731353634343962393230623538383338316536303338363834366162383762323464393165
3439326662313430363239333966313066323431663864660a363064303163313465376264643337
39663231306164386665646430303333393737663762653336313333333230666531306630643739
6135343366626636380a303663666362323536333130313766333839313536376630363930663132
64333264303236336466613034376664626366336364646364386434303239383964346537313065
3962363632343335303531306663383766353366333532663739
[oracle@oel01db playbooks]$
3. Decrypt the file
[oracle@oel01db playbooks]$ ansible-vault decrypt app_cred.yaml
Vault password:
Decryption successful
[oracle@oel01db playbooks]$ cat app_cred.yaml
username: admin
password: Welcome123
[oracle@oel01db playbooks]$
4. Encrypt it again

Once we decrypt the file, we must encrypt it again. During re-encryption, we can also update the credentials if required, so effectively it is like creating a newly encrypted file.

[oracle@oel01db playbooks]$ cat app_cred.yaml
username: admin
password: Welcome12345
[oracle@oel01db playbooks]$
[oracle@oel01db playbooks]$ ansible-vault encrypt app_cred.yaml
New Vault password:
Confirm New Vault password:
Encryption successful
[oracle@oel01db playbooks]$ cat app_cred.yaml
$ANSIBLE_VAULT;1.1;AES256
31633866353331633135343538656630656564386234383162663538626563623032316439353764
3466336339656664306436623737626165383235316161390a333333393635643132373763663432
32643539343332363662646537366533383263396531336230643435653263646562626638666231
3662396434336363330a653439653666373566363863373063313439333235623666343964373930
38613531356563633834393734303363353138643734363261313737356530323061373766626364
3130373039373934323531643963393631383333663636323239
[oracle@oel01db playbooks]$

How to create vault directly without creating file first

[oracle@oel01db playbooks]$ ansible-vault create my_new_cred.yaml
New Vault password:
Confirm New Vault password:

it will open up a new file , add your secret and then save it

[oracle@oel01db playbooks]$ cat my_new_cred.yaml
$ANSIBLE_VAULT;1.1;AES256
35336236393034346133393763313961346238306531356439663238346538616236303832666539
3931363962373832366464316262626164336430323866660a323830613834373032633437396233
33373064376237303136326466623536373866376132343162346463633037643530386430373231
6264306137646133390a386562643831393665323232636639623132303534663665343365356338
35313264373037643266636463616335363765303138393034343864313239306634373739323065
6461393039623838316334386462653132333633353439613132
[oracle@oel01db playbooks]$

A real use case for Oracle DBA

oelggvm01 is a db server where my oracle database runs.

[oracle@oel01db inventory]$ cat hosts
[db_servers]
oelggvm01
[oracle@oel01db inventory]$

I would like to run some command by connecting as system user

For example , something like below

[oracle@oelggvm01 gg_home1]$ sqlplus system@OGGDB

SQL*Plus: Release 19.0.0.0.0 - Production on Sat Dec 13 21:23:02 2025
Version 19.28.0.0.0

Copyright (c) 1982, 2025, Oracle. All rights reserved.

Enter password:
Last Successful login time: Sat Dec 13 2025 21:00:12 +05:30

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.28.0.0.0

SQL> alter system set db_recovery_file_dest_size=20G scope=both;

1. Create a secret file for storing system password

[oracle@oel01db playbooks]$ cat oracle-system-secret-vault.yml
db_system_password: Welcome999
[oracle@oel01db playbooks]$
[oracle@oel01db playbooks]$ ansible-vault encrypt oracle-system-secret-vault.yml
New Vault password:
Confirm New Vault password:
Encryption successful
[oracle@oel01db playbooks]$
[oracle@oel01db playbooks]$ cat oracle-system-secret-vault.yml
$ANSIBLE_VAULT;1.1;AES256
31303037386138623231653539613261653731313531356134643661333666303866333362373037
6138663462383031383462663763363036326139633934340a316534363936333564353230623962
30626234316164353463353165346262346365356262643265373136396332353534356138633562
6139383930633936360a333334383162316539323165333831313236343833343739663430313266
32323361616237643232323735653333666461663439666138373231616262306565
[oracle@oel01db playbooks]$

2. Create a playbook that will utilize the vault file.

[oracle@oel01db ansible-project]$ cat ./playbooks/vault-demo-oracle.yml
- name: Oracle DB task to alter FRA and verify
hosts: db_servers
vars_files:
- oracle-system-secret-vault.yml

tasks:
- name: Alter FRA size and show new value
shell: |
# 1. Fix: Use ORAENV_ASK and set ORACLE_SID
export ORACLE_SID=OGGDB
export ORAENV_ASK=NO
. /usr/local/bin/oraenv

# 2. Execute both commands in sqlplus
sqlplus -S system/{{ db_system_password }}@OGGDB <<EOF
alter system set db_recovery_file_dest_size=30G scope=both;
show parameter db_recovery_file_dest_size;
exit
EOF
register: db_output # Capture the output

- name: Display the verification output
debug:
msg: "{{ db_output.stdout_lines }}"
[oracle@oel01db ansible-project]$

Run the playbook providing the vault password interactively.

[oracle@oel01db ansible-project]$ ansible-playbook -i ./inventory/hosts ./playbooks/vault-demo-oracle.yml --ask-vault-pass
Vault password:

PLAY [Oracle DB task to alter FRA and verify] *********************************************************

TASK [Gathering Facts]
ok: [oelggvm01]

TASK [Alter FRA size and show new value]
changed: [oelggvm01]

TASK [Display the verification output]
ok: [oelggvm01] => {
"msg": [
"The Oracle base has been set to /u01/app/oracle",
"",
"System altered.",
"",
"",
"NAME\t\t\t\t TYPE\t VALUE",
"------------------------------------ ----------- ------------------------------",
"db_recovery_file_dest_size\t big integer 30G"
]
}

PLAY RECAP
oelggvm01 : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

Run the playbook by reading the vault password from a file.

[oracle@oel01db ansible-project]$ vi ~/.vault_pass
[oracle@oel01db ansible-project]$
[oracle@oel01db ansible-project]$ cat ~/.vault_pass
oracle
[oracle@oel01db ansible-project]$ ansible-playbook -i ./inventory/hosts ./playbooks/vault-demo-oracle.yml --vault-password-file ~/.vault_pass

PLAY [Oracle DB task to alter FRA and verify] *

TASK [Gathering Facts]
ok: [oelggvm01]

TASK [Alter FRA size and show new value]
changed: [oelggvm01]

TASK [Display the verification output]
ok: [oelggvm01] => {
"msg": [
"The Oracle base has been set to /u01/app/oracle",
"",
"System altered.",
"",
"",
"NAME\t\t\t\t TYPE\t VALUE",
"------------------------------------ ----------- ------------------------------",
"db_recovery_file_dest_size\t big integer 30G"
]
}

PLAY RECAP ********************
oelggvm01 : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

[oracle@oel01db ansible-project]$

Don't hardcore database name - get the value when playbook run

[oracle@oel01db ansible-project]$ cat ./playbooks/vault-demo-oracle-2.yml
- name: Oracle DB task to alter FRA and verify (Dynamic SID)
hosts: db_servers
vars_files:
- oracle-system-secret-vault.yml

tasks:
- name: 1. Get the primary ORACLE_SID from /etc/oratab
# This command finds the first SID entry in /etc/oratab that is set to auto-start (Y or A)
# and extracts just the SID name.
shell: |
ps -ef | grep 'ora_smon' | grep -v grep | awk -F_ '{print $3}'
register: oratab_sid_result
changed_when: false # This task is just for gathering info

- name: 2. Set the ORACLE_SID variable for use in later tasks
set_fact:
dynamic_oracle_sid: "{{ oratab_sid_result.stdout | trim }}"

- name: 3. Alter FRA size and show new value using dynamic SID
# Use the dynamically set variable 'dynamic_oracle_sid'
shell: |
export ORACLE_SID={{ dynamic_oracle_sid }}
export ORAENV_ASK=NO
. /usr/local/bin/oraenv

# Execute both commands in sqlplus
sqlplus -S system/{{ db_system_password }}@{{ dynamic_oracle_sid }} <<EOF
alter system set db_recovery_file_dest_size=50G scope=both;
show parameter db_recovery_file_dest_size;
exit
EOF
register: db_output

- name: 4. Display the verification output
debug:
msg: "Verified FRA size for SID {{ dynamic_oracle_sid }}: {{ db_output.stdout_lines }}"
[oracle@oel01db ansible-project]$
[oracle@oel01db ansible-project]$ ansible-playbook -i ./inventory/hosts ./playbooks/vault-demo-oracle-2.yml --vault-password-file ~/.vault_pass

PLAY [Oracle DB task to alter FRA and verify (Dynamic SID)] *

TASK [Gathering Facts] ********************************
ok: [oelggvm01]

TASK [1. Get the primary ORACLE_SID from /etc/oratab] *
ok: [oelggvm01]

TASK [2. Set the ORACLE_SID variable for use in later tasks]
ok: [oelggvm01]

TASK [3. Alter FRA size and show new value using dynamic SID] *
changed: [oelggvm01]

TASK [4. Display the verification output] *
ok: [oelggvm01] => {
"msg": "Verified FRA size for SID OGGDB: [u'The Oracle base has been set to /u01/app/oracle', u'', u'System altered.', u'', u'', u'NAME\\t\\t\\t\\t TYPE\\t VALUE', u'------------------------------------ ----------- ------------------------------', u'db_recovery_file_dest_size\\t big integer 50G']"
}

PLAY RECAP ******************************************************************************************************************
oelggvm01 : ok=5 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

[oracle@oel01db ansible-project]$

Please note, above playbook only works for server with only one db instance running.

Why can't we define oratab_sid_result.stdout result using a var , Why we need set_fact ?

You cannot directly use `oratab_sid_result.stdout` in `vars:` because:

`vars:` are evaluated before any tasks run,
while `oratab_sid_result.stdout` only exists after the task executes.

That’s why `set_fact` is needed.
`vars:` = static (known before execution)
`register` = captures command output
`set_fact` = converts runtime output into a reusable variable
For example below won't work:
- name: 1. Get the primary ORACLE_SID from /etc/oratab
shell: |
ps -ef | grep 'ora_smon' | grep -v grep | awk -F_ '{print $3}'
register: oratab_sid_result
changed_when: false
vars:
dynamic_oracle_sid: "{{ oratab_sid_result.stdout }}"
❌ Why this does NOT work

Because task-level vars: are evaluated before the task executes.

At the moment Ansible evaluates:


dynamic_oracle_sid: "{{ oratab_sid_result.stdout }}"

👉 The task has not run yet
👉 oratab_sid_result does not exist
👉 Result: undefined variable (or empty / skipped)

devopsbasic

Friday, 12 December 2025

Ansible 19. vault example

Because **task-level `vars:` are evaluated before the task executes.
At the moment Ansible evaluates:
`dynamic_oracle_sid: "{{ oratab_sid_result.stdout }}"`

👉 The task has not run yet
👉 `oratab_sid_result` does not exist**
👉 Result: `undefined variable` (or empty / skipped)

No comments:

Post a Comment

Building a Safer PostgreSQL CI/CD Pipeline with GitHub Actions: Dev → PR Review → Test Promotion

Report Abuse

Labels