spin vault

Encrypt & decrypt files with "Ansible Vault". Accepts any command that ansible-vault accepts.


Usage for "spin vault"

spin vault <ansible-vault-action>


The spin vault command will intelligently pass any arguments to your local ansible-vault binary or to Docker if Ansible is not installed locally. It will also accept any commands that are documented with ansible-vault.

  • edit: Edit an encrypted file
  • encrypt: Encrypt an unencrypted file
  • decrypt: Decrypt an encrypted file

Official Documentation & Additional Options

More actions and syntax reference can be found in the official documentation.


Encrypt a file

spin vault encrypt myfile.txt

Edit an encrypted file

spin vault edit myfile.txt

Special notes

This command will automatically run ansible vault via Docker if you do not have Ansible installed on your system. The only major downfall to this approach is when it comes to editing your secret files, you will need to do this all through vi, which can be pretty annoying.

If you'd like a better experience, you may want to consider installing and configuring Ansible on your local machine so you can edit your secrets with your favorite editor.

Editing secrets with Sublime Text

It's possible to edit your secrets with Sublime Text, but it requires a bit of setup. You'll need to install Ansible to your system.

Once Ansible is installed and you're able to execute ansible-vault locally, you'll then need to set Sublime Text as your editor.

Set Sublime Text as your editor

export EDITOR="subl -w"

Add this to your ~/.bashrc or ~/.zshrc file to make it permanent.

Automating Vault Access

If you're constantly being asked to provide a vault password, you can speed up your workflow by securely saving your password to a .vault-password file in your project root.

If that file exists, Ansible will automatically load the password from that file.