Working with Ansible vaults in Go

Vault is a feature of Ansible that lets you keep sensitive data such as passwords or keys in encrypted files rather than as plaintext in your playbooks or roles. These vault files can then be distributed or placed in source control. Under the hood, Vault is just a name for files (or strings) whose content is encrypted and laid out in a specific format.

Vault secret data typically looks like this:


Vault files are generated (or modified) with the ansible-vault command, a Python-based CLI tool that ships with Ansible. All secret data is protected by a user-supplied password that should never be checked into any source code repository. The secrets are then consumed by Ansible playbooks or by any third-party module.

Reading and writing AES256 vault files is pretty straightforward, and libraries exist for other languages such as Ruby. After using a small Go script that deals with vault files, I finally decided to turn it into an open source package that I can reuse across projects instead of copy-pasting it every time.
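To show what "straightforward" means in practice, here is an added example, not code from this post or from the ansible-vault-go package, that writes and reads the 1.1 AES256 envelope using only the Go standard library. The function names (EncryptVault, DecryptVault, vaultPrimitives, pbkdf2SHA256) are mine; the format details follow Ansible's own VaultAES256 implementation: PBKDF2-HMAC-SHA256 at 10000 iterations yields an AES-256 key, an HMAC key and a CTR IV; the plaintext is PKCS#7-padded and encrypted with AES-256-CTR; HMAC-SHA256 is computed over the ciphertext; and the salt, tag and ciphertext are hex-encoded, joined by newlines, hex-encoded again and wrapped at 80 columns under the header.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"hash"
	"strings"
)

const vaultHeader = "$ANSIBLE_VAULT;1.1;AES256" // envelope header for AES256 vaults

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) on the standard library alone.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	out := make([]byte, 0, keyLen)
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write(binary.BigEndian.AppendUint32(nil, block))
		u := prf.Sum(nil) // U1
		t := append([]byte(nil), u...)
		for n := 1; n < iter; n++ { // T = U1 xor U2 xor ... xor Uc
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			subtle.XORBytes(t, t, u)
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// vaultPrimitives follows Ansible's VaultAES256 schedule: PBKDF2-SHA256, 10000 iterations, 80 bytes = AES key | HMAC key | CTR IV.
func vaultPrimitives(password string, salt []byte) (cipher.Stream, hash.Hash) {
	dk := pbkdf2SHA256([]byte(password), salt, 10000, 80)
	block, err := aes.NewCipher(dk[:32])
	if err != nil {
		panic(err) // unreachable: the key is always 32 bytes
	}
	return cipher.NewCTR(block, dk[64:80]), hmac.New(sha256.New, dk[32:64])
}

// EncryptVault wraps plaintext in a vault 1.1 AES256 envelope under password.
func EncryptVault(plaintext, password string) (string, error) {
	salt := make([]byte, 32)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	stream, mac := vaultPrimitives(password, salt)
	// PKCS#7-pad to the AES block size, encrypt in place with CTR, then MAC the ciphertext.
	padLen := aes.BlockSize - len(plaintext)%aes.BlockSize
	ct := append([]byte(plaintext), strings.Repeat(string(rune(padLen)), padLen)...)
	stream.XORKeyStream(ct, ct)
	mac.Write(ct)
	inner := hex.EncodeToString(salt) + "\n" + hex.EncodeToString(mac.Sum(nil)) + "\n" + hex.EncodeToString(ct)
	// The three-line payload is hex-encoded once more and wrapped at 80 columns.
	body, lines := hex.EncodeToString([]byte(inner)), []string{vaultHeader}
	for ; len(body) > 80; body = body[80:] {
		lines = append(lines, body[:80])
	}
	return strings.Join(append(lines, body), "\n") + "\n", nil
}

// DecryptVault checks the HMAC before decrypting, so a wrong password or a tampered file is an error, not garbage.
func DecryptVault(vaulttext, password string) (string, error) {
	fields := strings.Fields(vaulttext)
	if len(fields) < 2 || fields[0] != vaultHeader {
		return "", errors.New("not an Ansible vault 1.1 AES256 envelope")
	}
	inner, err := hex.DecodeString(strings.Join(fields[1:], ""))
	parts := strings.Split(string(inner), "\n")
	if err != nil || len(parts) != 3 {
		return "", errors.New("malformed vault payload")
	}
	salt, errS := hex.DecodeString(parts[0])
	tag, errT := hex.DecodeString(parts[1])
	ct, errC := hex.DecodeString(parts[2])
	if err := errors.Join(errS, errT, errC); err != nil {
		return "", err
	}
	stream, mac := vaultPrimitives(password, salt)
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return "", errors.New("HMAC mismatch: wrong password or tampered data")
	}
	stream.XORKeyStream(ct, ct) // decrypt in place; ct now holds the padded plaintext
	n := len(ct)
	if n == 0 || n%aes.BlockSize != 0 || ct[n-1] == 0 || int(ct[n-1]) > aes.BlockSize {
		return "", errors.New("bad PKCS#7 padding")
	}
	return string(ct[:n-int(ct[n-1])]), nil
}
```

Two design points carry over to any vault reader you write: the tag is checked with the constant-time hmac.Equal before a single byte is decrypted, so a wrong password and a modified file fail the same way and no unauthenticated plaintext is ever produced, and padding is only inspected after the tag has passed, which keeps padding errors from becoming an oracle. The header check means the example accepts plain 1.1 envelopes only, not the 1.2 variant that carries a vault id.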

The package is available on GitHub: ansible-vault-go


To install run the command:

go get -u

Documentation is hosted on GoDoc.

Full Example

Create a Go file, like ansible.go with the following content:

package main

import (
    "fmt"
    "log"

    // Import path assumed from the package name; the post itself does not state it.
    vault "github.com/sosedoff/ansible-vault-go"
)

func main() {
    // Encrypt secret data
    str, err := vault.Encrypt("secret", "password")
    if err != nil {
        log.Fatal(err)
    }
    fmt.Println("encrypted data:", str)

    // Decrypt secret data encrypted in the previous step
    str, err = vault.Decrypt(str, "password")
    if err != nil {
        log.Fatal(err)
    }
    fmt.Println("decrypted data:", str)

    // Write secret data to file
    err = vault.EncryptFile("/tmp/vault", "secret", "password")
    if err != nil {
        log.Fatal(err)
    }

    // Read existing secret
    str, err = vault.DecryptFile("/tmp/vault", "password")
    if err != nil {
        log.Fatal(err)
    }
    fmt.Println("decrypted file:", str)
}

Then simply run:

go run ansible.go

Example output:

encrypted data: $ANSIBLE_VAULT;1.1;AES256
decrypted data: secret
decrypted file: secret

You can also verify that Ansible can read our test file:

# Read the file using ansible vault CLI
$ ansible-vault view /tmp/vault
Vault password: **** type password ***

# This is the decrypted contents
secret

That's pretty much it.