How to Encrypt API key using ansible-vault for Python application

How to Encrypt API key using ansible-vault for Python application


Test Environment

Ansible Controller

Ansible Node

Ansible vault is an inbuilt tool provided by Ansible for encrypting the string and files containing confidential information like secrets, passwords, api tokens etc.

In this article we will see how we can encrypt an API key value pair using the ansible-vault and utilize that encrypted value in the Python Application. Here we are going to call a simple API which fetches the details of the PINCODE from Python standalone application.

If you are interested in watching the video. Here is the youtube video on the same with step by step procedure.

Procedure –

Step1: Create a API key value pair file

As a first step lets create apikey.yaml holding the key value pair related to API that we are going to call from the python application.

API key value pair file
[admin@fedser pincodeapi]$ cat apikey.yaml
api_key: 2a4940fac9msha85bed4cc1c0f92p13c187jsn351142a50d3c

Step2: Encrypt the API key value pair file using ansible-vault

Now, lets encrypt the key value pair file using the ansible-vault so that the key can be secured from unauthorized persons.

Encrypted API key value pair
[admin@fedser pincodeapi]$ ansible-vault encrypt apikey.yaml 
New Vault password: 

Step3: Create standalone Python application to call the API to fetch pincode data

Here is a sample python code in which we are going to api key and host data as header and request payload to fetch the details for pincode 400018 as shown below.

Python pincode API call application
[admin@fedser pincodeapi]$ cat
#!/usr/bin/env python3

import requests
import sys


url = ""

payload = "{n    "searchBy": "pincode",n    "value": 400018n}"
headers = {
    'content-type': "application/json",
    'x-rapidapi-key': str(api_key),
    'x-rapidapi-host': ""

response = requests.request("POST", url, data=payload, headers=headers)


Step4: Create Ansible Playbook to execute the Python application with argument on remote node

Lets now create our ansible-playbook to push the Python application to remote node and execute it to fetch the pincode data. As you can see from the below task list, we are first creating a directory and then copying the script to remote node. As a third task we need to make sure pip package and python request module is installed on the remote node for the python application to work.

Also note, the encrypted apikey.yaml file that we are using in the playbook to get the key value and use it as argument in the python application execution step as shown below.

Ansible playbook for Python API application execution
[admin@fedser pincodeapi]$ cat pincodeapi.yaml 
- hosts: stack
  remote_user: admin
    - apikey.yaml
    - name: Create a directory
        path: /home/admin/pythonapiapp
        state: directory
        owner: admin
        group: admin
    - name: Copy the Python script
        src: /home/admin/ansibleexample/pincodeapi/
        dest: /home/admin/pythonapiapp/
        mode: 0755
    - name: Install Python pip package
      yum: name=pip state=latest
      become: true
    - name: Install Python requests module
      command: python3 -m pip install requests --user
    - name: Execute the Python script
      command: /home/admin/pythonapiapp/ "{{ api_key }}"

      register: apidata
    - name: Print the apidata
      debug: msg="{{ apidata.stdout }}"

Step5: Execute the ansible-playbook to fetch the API data

Now we are ready with the encrypted API key value data and the python application that we want to execute on the remote node. Lets go ahead and execute the playbook on remote node as shown below. We need to key in the vault password which we used to encrypt the data to decrypt it while playbook execution.

Also i am running the yum install pip as root user for which become=true is required.

Ansible playbook execution results
[admin@fedser pincodeapi]$ ansible-playbook pincodeapi.yaml -K --ask-vault
BECOME password: 
Vault password: 

PLAY [stack] *****************************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************************
ok: []

TASK [Create a directory] ****************************************************************************************************
ok: []

TASK [Copy the Python script] ************************************************************************************************
ok: []

TASK [Install Python pip package] ********************************************************************************************
ok: []

TASK [Install Python requests module] ****************************************************************************************
changed: []

TASK [Execute the Python script] *********************************************************************************************
changed: []

TASK [Print the apidata] *****************************************************************************************************
ok: [] => {
    "msg": [
            "circle": "Maharashtra",
            "delivery": "Non-Delivery",
            "district": "Mumbai",
            "division": "Mumbai  West",
            "latitude": "Not Available",
            "longitude": "Not Available",
            "office": "Worli Naka S.O",
            "office_type": "S.O",
            "phone": "022-24934927",
            "pin": 400018,
            "region": "Mumbai",
            "related_headoffice": "Mahim H.O",
            "related_suboffice": "Not Available",
            "state_id": 19,
            "taluk": "Mumbai"
            "circle": "Maharashtra",
            "delivery": "Delivery",
            "district": "Mumbai",
            "division": "Mumbai  West",
            "latitude": "Not Available",
            "longitude": "Not Available",
            "office": "Worli S.O",
            "office_type": "S.O",
            "phone": "022-24930108",
            "pin": 400018,
            "region": "Mumbai",
            "related_headoffice": "Mahim H.O",
            "related_suboffice": "Not Available",
            "state_id": 19,
            "taluk": "Mumbai"

PLAY RECAP *******************************************************************************************************************             : ok=7    changed=2    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Hope you got an understanding on how to encrypt key value pair files and use the encrypted content in the application. Thank you for reading.