
According to the help of ansible-playbook, one could use --user=REMOTE_USER to define the SSH user, but one could also define ansible_ssh_user: REMOTE_USER in either the host_vars or group_vars.

Question

What variable needs to be defined in either the group_vars or host_vars directory so that --vault-password-file does not have to be passed when running ansible-playbook?

Attempts

  • When ansible_vault_password_file: ~/.vault_pass.txt is defined in the config, the decryption fails:

    ERROR! Decryption failed on /path/to/vault
    
  • No associated vault variables were found in this documentation

030
  • Btw it's now documented (from version 1.7) here: http://docs.ansible.com/ansible/intro_configuration.html#vault-password-file – Tensibai Mar 30 '17 at 08:15

2 Answers


Here is the definition:

# lib/ansible/constants.py: ini key (under [defaults]), environment variable, default value, value type
DEFAULT_VAULT_PASSWORD_FILE = get_config(p, DEFAULTS, 'vault_password_file', \
                                         'ANSIBLE_VAULT_PASSWORD_FILE', None, value_type='path')

This means that you either put this in ansible.cfg or in the playbook:

[defaults]
vault_password_file: ~/.vault_pass.txt

Or define this variable in your shell:

export ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass.txt
Jiri Klouda
  • @JiriKlouda it does not seem to work although it has been defined in group_vars/all/vars. export ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass.txt had to be run. – 030 Mar 30 '17 at 07:30
  • This is a config variable. It has to be in ansible.cfg or equivalent or in the playbook. – Jiri Klouda Mar 30 '17 at 11:44
  • Also I have specifically checked the 2.2 version you run and it is there: https://github.com/ansible/ansible/blob/stable-2.2/lib/ansible/constants.py#L175 – Jiri Klouda Mar 30 '17 at 16:18
  • When I export the variable it works – 030 Mar 31 '17 at 15:33
  • @JiriKlouda it's best to include the actual answer, not just the link, because links become invalid over time, and a direct answer is more useful too. – RichVel Jul 28 '17 at 07:57
  • Sometimes that is the case, but when you point to a GitHub repository of the project, that is kept up to date as long as the project is being developed and relevant, and if it goes out of date, it means the project is no longer relevant and the answer itself does not matter. In such a case a link is better than a copy of the answer, which could itself become stale. – Jiri Klouda Jul 28 '17 at 15:53
  • The docs say that DEFAULT_VAULT_PASSWORD_FILE can be used in the config. I'm running Ansible 2.10.1 and this doesn't work. But your clarification (from code) that it should actually be vault_password_file specified in the config fixed the situation for me. – fbicknel Apr 01 '21 at 12:17
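The following is an added example, not code from Ansible or from the answer above: a stand-alone Python re-implementation of the lookup that the quoted constants.py definition performs, so the behaviour the comments describe (the setting only works in ansible.cfg or as an environment variable, not in group_vars) can be seen end to end. It assumes the precedence that get_config() implies: the [defaults] vault_password_file key in ansible.cfg is read first, ANSIBLE_VAULT_PASSWORD_FILE overrides it, and value_type='path' means ~ and $VAR are expanded. How Ansible locates ansible.cfg, and its newer config system, are out of scope; the environment dicts and config text are constructed.

```python
"""Added example (not Ansible's own code): a stand-alone re-implementation of
the lookup the quoted constants.py line performs, with the permission check a
practitioner should run on the password file it points at.

Constructed inputs throughout; how Ansible finds ansible.cfg is not modelled.
"""
import configparser
import os
import stat
import string
import tempfile

ENV_VAR = "ANSIBLE_VAULT_PASSWORD_FILE"

# Constructed ansible.cfg content for the demonstration.
SAMPLE_CFG = """
[defaults]
inventory = ./hosts
vault_password_file = ~/.vault_pass.txt
"""


def expand_path(path, env):
    """Expand a leading ~ and $VAR/${VAR} references using the supplied
    environment dict (not os.environ) so results are deterministic."""
    if path == "~" or path.startswith("~/"):
        path = env.get("HOME", "~") + path[1:]
    return string.Template(path).safe_substitute(env)


def resolve_vault_password_file(ansible_cfg_text, env):
    """Return the vault password file path Ansible would use, or None.

    Note what is *not* consulted: inventory variables such as group_vars or
    host_vars. Those are loaded (and possibly decrypted) only after the vault
    secret is known, so a setting there cannot supply the secret itself.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ansible_cfg_text)
    value = parser.get("defaults", "vault_password_file", fallback=None)
    # The environment variable wins over the ini value, as in get_config().
    if env.get(ENV_VAR) is not None:
        value = env[ENV_VAR]
    if value is None:
        return None
    return expand_path(value, env)


def insecure_mode_bits(path):
    """Return the group/other permission bits set on the password file.

    0 means only the owner can read it, which is what you want: whoever can
    read this file can decrypt every vault it protects.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO)


def demo_mode_check():
    """Create throwaway password files with modes 0600 and 0644 and return the
    insecure bits reported for each: (0, 0o044)."""
    results = []
    for mode in (0o600, 0o644):
        fd, path = tempfile.mkstemp(prefix="vault_pass_example_")
        os.write(fd, b"constructed-example-password\n")
        os.close(fd)
        os.chmod(path, mode)
        try:
            results.append(insecure_mode_bits(path))
        finally:
            os.unlink(path)
    return tuple(results)


if __name__ == "__main__":
    env_cfg_only = {"HOME": "/home/deploy"}
    env_override = {"HOME": "/home/deploy", ENV_VAR: "/run/secrets/vault_pass"}
    print(resolve_vault_password_file(SAMPLE_CFG, env_cfg_only))
    print(resolve_vault_password_file(SAMPLE_CFG, env_override))
    print(demo_mode_check())
```

Run it directly to see the ini value resolve to /home/deploy/.vault_pass.txt, the environment variable take over when set, and the 0644 file flagged with bits 0o044. Whichever of the two mechanisms you pick, keep the password file at mode 0600 and outside the repository.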

You can set an environment variable ANSIBLE_VAULT_PASSWORD_FILE storing the path to the vault password file. This way you won't always have to use the --vault-password-file switch when running a playbook.

This is described in Ansible's Vault documentation, available here.

So, add export ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass.txt to your ~/.bash_profile, source from it and you're ready to go.

If you need different vault passwords for different groups of hosts, then you should do the following:

Inside of this subdirectory, create two files named vars and vault. Inside of the vars file, define all of the variables needed, including any sensitive ones. Next, copy all of the sensitive variables over to the vault file and prefix these variables with vault_. You should adjust the variables in the vars file to point to the matching vault_ variables and ensure that the vault file is vault encrypted.

This is an example of the best-practices approach for managing sensitive information on a per-group basis. More information is available in Ansible's documentation here (the above text is copied from there).

13dimitar
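As an added example (not from Ansible's documentation or the answer above), here is the vars/vault split the quoted passage describes, done mechanically in Python, together with a check that a file named `vault` actually carries the ansible-vault header before it is committed. The group, variable names and values are constructed; writing the two files to group_vars/<group>/ and running `ansible-vault encrypt` on the vault file is left to the caller, and PyYAML is avoided on purpose by emitting values with json.dumps, which is valid YAML for the scalar types used here.

```python
"""Added example (not from Ansible or the answer): the vars/vault split from
the quoted documentation, plus a pre-commit style check that a `vault` file
is really encrypted.

Variable names and values are constructed. Encrypting the vault file with
`ansible-vault encrypt` is a separate step the caller must perform.
"""
import json

# Every file produced by `ansible-vault encrypt` begins with this envelope
# marker, followed by the format version and cipher, e.g. ";1.1;AES256".
VAULT_HEADER_PREFIX = "$ANSIBLE_VAULT;"

# Constructed group variables for a hypothetical "db" group.
SAMPLE_VARS = {
    "db_host": "db.example.internal",
    "db_port": 5432,
    "db_user": "app",
    "db_password": "constructed-secret-not-real",
    "api_token": "constructed-token-not-real",
}
SENSITIVE = {"db_password", "api_token"}


def split_group_vars(variables, sensitive):
    """Return (vars_text, vault_text).

    vars_text keeps every variable name the playbooks use; sensitive ones are
    replaced by a Jinja reference to a vault_ prefixed variable. vault_text
    holds only the vault_ prefixed variables with the real values, so a grep
    of the repository still shows where each secret is consumed without
    exposing its value once the vault file is encrypted.
    """
    vars_lines = ["---"]
    vault_lines = ["---"]
    for name, value in variables.items():
        if name in sensitive:
            vars_lines.append('%s: "{{ vault_%s }}"' % (name, name))
            vault_lines.append("vault_%s: %s" % (name, json.dumps(value)))
        else:
            vars_lines.append("%s: %s" % (name, json.dumps(value)))
    return "\n".join(vars_lines) + "\n", "\n".join(vault_lines) + "\n"


def is_vault_encrypted(text):
    """True when the content carries the ansible-vault envelope header."""
    return text.startswith(VAULT_HEADER_PREFIX)


def unencrypted_vault_files(files):
    """Given {path: content}, list the `vault` files that are still plaintext.

    Intended as a pre-commit gate: a vault file decrypted for editing and
    never re-encrypted would otherwise land in history in the clear.
    """
    return sorted(
        path for path, content in files.items()
        if path.rsplit("/", 1)[-1] == "vault" and not is_vault_encrypted(content)
    )


if __name__ == "__main__":
    vars_text, vault_text = split_group_vars(SAMPLE_VARS, SENSITIVE)
    print(vars_text)
    print(vault_text)
    # Constructed repository snapshot: the db vault file was left in plaintext.
    print(unencrypted_vault_files({
        "group_vars/db/vars": vars_text,
        "group_vars/db/vault": vault_text,
        "group_vars/web/vault": "$ANSIBLE_VAULT;1.1;AES256\n<constructed ciphertext>\n",
    }))
```

The header check is deliberately simple: it catches the common mistake (a vault file committed unencrypted), not a weak password or a password file with loose permissions, which the environment variable or ansible.cfg setting from the answers cannot protect against either.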