
I have multiple roles. Each of them has its own vault encrypted by a unique pass. I include the vault in each role by using `include_vars: vars/encrypted.yml` in playbook tasks. To be able to decrypt the data I have to put each VaultID into ansible.cfg or use --vault-id. Ansible asks for the password for EVERY VaultID referenced even if it will not be used eventually. Thus if I run a single role I have to edit either ansible.cfg or the command line parameters to reference only the necessary VaultIDs every time.

How do I dynamically ask for passwords only for the required roles? Maybe I can use the Ansible prompt module to ask for the password and somehow declare the VaultID before I use the include_vars module?

P. S.: I cannot store passwords in files due to security concerns.

  • Vault password files can be scripts that will query the password from your own keystore (e.g. gnome keystore....) if this can be of any help to you. Another solution is to run your playbook from awx/tower and have the vault passwords stored as credentials. There is no way I know of to interactively query the password on demand. – Zeitounator Jan 02 '21 at 14:29
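As an added illustration of the keystore-script approach mentioned in the comment above (this is example code, not from the question or the commenter), a vault password client script that serves several vault IDs from one file: Ansible runs an executable vault password file and reads the password from its stdout, and when the file name ends in `-client` it also passes `--vault-id <label>`, so one script can back every label in ansible.cfg without any interactive prompt. The file name `vault-keystore-client.py`, the `SERVICE` string and the environment-variable backend are assumptions made so the script runs anywhere; Ansible still invokes it for every configured vault ID at startup, so this removes the prompts rather than making them on-demand.

```python
#!/usr/bin/env python3
# Hypothetical vault password client script; save as e.g. vault-keystore-client.py
# and mark it executable. Ansible runs an executable vault password file and reads
# the password from stdout; because the file name ends in "-client", Ansible also
# passes "--vault-id <label>", so one script can serve many labels:
#   ansible-playbook site.yml --vault-id web@./vault-keystore-client.py \
#                             --vault-id db@./vault-keystore-client.py
import argparse
import os
import sys

SERVICE = "ansible-vault"  # keystore service name, an assumption for this example


def parse_vault_id(argv):
    """Return the label Ansible passed via --vault-id, or None if absent."""
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("--vault-id", dest="vault_id", default=None)
    args, _unknown = parser.parse_known_args(argv)
    return args.vault_id


def lookup_password(vault_id, store):
    """Look up the password for one label in a mapping 'service/label' -> secret.

    Unknown labels raise KeyError so the script exits non-zero and Ansible reports
    an error instead of silently trying an empty password.
    """
    if not vault_id:
        raise KeyError("Ansible did not pass --vault-id; is the file name '*-client'?")
    key = f"{SERVICE}/{vault_id}"
    if key not in store:
        raise KeyError(f"no secret stored for {key}")
    return store[key]


def environment_store():
    """Demo backend: secrets from ANSIBLE_VAULT_<LABEL> variables (labels lower-cased).

    A real deployment swaps this for a keystore call such as
    keyring.get_password(SERVICE, vault_id) from the 'keyring' package.
    """
    prefix = "ANSIBLE_VAULT_"
    return {f"{SERVICE}/{name[len(prefix):].lower()}": value
            for name, value in os.environ.items() if name.startswith(prefix)}


if __name__ == "__main__":
    try:
        print(lookup_password(parse_vault_id(sys.argv[1:]), environment_store()))
    except KeyError as err:
        print(f"vault-keystore-client: {err}", file=sys.stderr)
        sys.exit(1)
```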

0 Answers