6

In using Ansible, I'm trying to use a vaulted vars file to store private variables, and then using those in another vars file, in the same role. (The idea from 'Vault Pseudo leaf encryption' here.)

e.g. I have one standard vars file, roles/myrole/vars/main.yml:

---
my_variable: '{{ my_variable_vaulted }}'

and then one which is encrypted, roles/myrole/vars/vaulted_vars.yml:

---
my_variable_vaulted: 'SECRET!'

But when I run the playbook I always get '"ERROR! ERROR! 'my_variable_vaulted' is undefined"'.

I've tried it without encrypting the second file, to make sure it's not an issue with encryption, and I'm getting the same error.

Phil Gyford
  • 13,432
  • 14
  • 81
  • 143

2 Answers2

4

The reason why my_variable_vaulted wasn't available was because I hadn't included the variable file. I'd assumed that all files in a role's vars/ directory were picked up automatically, but I think that's only the case with vars/main.yml.

So, to make the vaulted variables available to all tasks within the role, in roles/myrole/tasks/main.yml I added this before all the tasks:

- include_vars: vars/vaulted_vars.yml
Phil Gyford
  • 13,432
  • 14
  • 81
  • 143
  • Yes, that is true. Only the main.yml gets loaded for all kind of role folders: vars, defaults, tasks, meta, handlers. – udondan Feb 19 '16 at 02:38
3

That is not the best way to handle vault in ansibles. Much better approach is outlined in vault documentation for ansible. So you would create your basic variable for environment in group_vars/all.yml like that:

my_variable: {{ vault_my_variable }}

And then in your inventories/main you decide which hosts should load which vault file to satisfy this variable. As example you can have that in your inventories/main:

[production:children]
myhost1

[development:children]
myhost2

[production_vault:children]
production

[development_vault:children]
development

Then ansible will automatically fetch production_vault.yml or development_vault.yml respectively from group_vars depending on which environment box belongs to. And then you can use my_variable in your roles/playbooks as before, without having to worry about fetching it from the right place.

Tymoteusz Paul
  • 2,732
  • 17
  • 20
  • It sounds similar to what I'm doing except the files are in `group_vars/` rather than in the role. I don't currently have any groups so I'll try and work out how to change this. – Phil Gyford Feb 18 '16 at 19:03
  • @PhilGyford groups are a great way to organize your variables as then to change values you have to go to one place and are safe to re-use them between various roles/playbooks. And it then frees your role `vars` and `defaults` for things that are related only to that scope and nothing else. – Tymoteusz Paul Feb 18 '16 at 19:06
  • Thanks. These vars are definitely only used in a single role, which is why I was putting them there. – Phil Gyford Feb 18 '16 at 19:08
  • Weird... I've no idea why moving the two var files from `roles/myrole/vars/` to `group_vars/webservers/` makes things work, but it does! It doesn't seem the best place for my set-up, but if it works, it works. – Phil Gyford Feb 18 '16 at 19:19
  • I may have spoken too soon... I don't think the role's tasks are picking up any of those variables now. I'm going to have to come back to this in a couple of days. – Phil Gyford Feb 18 '16 at 19:21
  • @PhilGyford you should put them as just files in `group_vars` so following my example you would have `group_vars/production_vault.yml` and `group_vars/production.yml` – Tymoteusz Paul Feb 19 '16 at 03:32
  • I don't really understand why… these vars are the same for every group and are only used in one role. Why should I not put them within a role? – Phil Gyford Feb 19 '16 at 07:27
  • Thank you so much! I had an issue where the same host was included in two different groups, so it was loading variables from two different vaults. Since the vaults had the same variables, the second one loaded was overwriting the first. Your answer made me realise this, god bless! – Bubzsan Jan 14 '20 at 09:54