Interview Infrastructure as Code (Terraform, Ansible)

What is Ansible Vault, and how do you protect secrets with it?

Infrastructure as Code (Terraform, Ansible) · Intermediate level

Answer

Ansible Vault encrypts sensitive YAML values or files so secrets can be stored with playbooks without being readable in plaintext. I use vault IDs, separate secrets by environment, avoid printing secret values, and integrate decryption with CI/CD using controlled credentials.

Technical explanation

Vault can encrypt whole files or individual values.

Use no_log for tasks that might print decrypted values.

Rotate vault passwords or vault identities according to your secrets policy.

Prefer idempotent modules over shell so repeated runs are safe and change reporting is meaningful.

Separate reusable role logic from inventory-specific variables so the same automation works across environments.

Run lint, syntax checks, check mode where useful, and staged rollouts before production-wide changes.
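A CI gate for the vault ID and per-environment separation points above, written as an added example and not taken from the original page. It reads the first line of each secrets file, parses the Ansible Vault envelope header (`$ANSIBLE_VAULT;1.1;AES256`, or `$ANSIBLE_VAULT;1.2;AES256;<label>` when a vault ID is used), and flags plaintext files and label mismatches. The `<env>/vault.yml` layout, the rule that the label equals the directory name, and all function names are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Vault envelope header: $ANSIBLE_VAULT;<format>;<cipher>[;<vault-id label>]
# Format 1.1 has no label; format 1.2 appends the vault ID label.
HEADER = re.compile(r"^\$ANSIBLE_VAULT;(1\.[12]);(AES256)(?:;([^\s;]+))?$")


def parse_header(first_line):
    """Return (format, cipher, label) for a vault envelope, else None."""
    m = HEADER.match(first_line.strip())
    return m.groups() if m else None


def audit(root, secret_name="vault.yml"):
    """Audit <root>/<env>/vault.yml files (assumed layout); the vault ID
    label must equal the environment directory name. Returns findings."""
    findings = []
    for path in sorted(Path(root).glob(f"*/{secret_name}")):
        env = path.parent.name
        with path.open(encoding="utf-8", errors="replace") as fh:
            header = parse_header(fh.readline())
        if header is None:
            findings.append((env, "plaintext"))
        elif header[2] is None:
            findings.append((env, "unlabelled"))
        elif header[2] != env:
            findings.append((env, f"wrong-label:{header[2]}"))
    return findings


def build_sample_tree(root):
    """Constructed sample inventory; payload lines are dummy hex."""
    samples = {
        "dev": "$ANSIBLE_VAULT;1.2;AES256;dev\n6162636465666768\n",
        "staging": "$ANSIBLE_VAULT;1.1;AES256\n6162636465666768\n",
        "prod": "db_password: hunter2\n",
        "qa": "$ANSIBLE_VAULT;1.2;AES256;dev\n6162636465666768\n",
    }
    for env, body in samples.items():
        (Path(root) / env).mkdir(parents=True)
        (Path(root) / env / "vault.yml").write_text(body, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(audit(tmp))
```

The check only inspects the header, so it needs no vault password and can run in a pre-commit hook or an untrusted CI stage.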

Hands-on example

1. Model variables and facts for: What is Ansible Vault, and how do you protect secrets with it?

2. Create inventory variables:

group_vars/web.yml:

    app_port: 8080
    package_name_by_os:
      RedHat: httpd
      Debian: apache2

host_vars/web1.yml:

    app_port: 9090

3. Use facts and variables in a task:

    - name: Install OS-specific web package
      ansible.builtin.package:
        name: "{{ package_name_by_os[ansible_facts['os_family']] }}"
        state: present
      when: ansible_facts['os_family'] in package_name_by_os

4. Run ansible-playbook site.yml -e app_port=7070 in a lab to see extra vars override lower-precedence values.
