4

I've been searching all over, but there's not much on what the Ansible vault password file should look like.

For example, I would like to do:

ANSIBLE_VAULT_PASSWORD_FILE=./pwdfile ansible-vault edit secrets.yml

But I have no idea what format ./pwdfile should be.

Martin Gergov

1 Answer

2

An Ansible vault password file should contain only the password for the Ansible vault.

This is somewhat vaguely described in the official documentation: https://docs.ansible.com/ansible/latest/user_guide/vault.html#setting-a-default-password-source

That is, if you do:

$ ansible-vault create secrets.yml
New Vault password: 1234
Confirm New Vault password: 1234

Then you can create a password file pwdfile with the contents:

1234

And invoke ansible-vault edit like:

ANSIBLE_VAULT_PASSWORD_FILE=./pwdfile ansible-vault edit secrets.yml

Note you can also pass --vault-password-file or --vault-id instead of setting the environment variable as described here: https://docs.ansible.com/ansible/latest/reference_appendices/config.html#envvar-ANSIBLE_VAULT_PASSWORD_FILE

Most of how to use the Ansible vault is described here: https://docs.ansible.com/ansible/latest/user_guide/vault.html

Martin Gergov
  • 3
    Note that if the file is executable, ansible will execute it. The script contained in that file should output the password to stdout and ansible will use it. The `community.general` collection has [several examples](https://github.com/ansible-collections/community.general/tree/main/scripts/vault) – Zeitounator Apr 04 '21 at 19:43
  • I can't get to that page, @Zeitounator, but for anyone wondering like I was, just "echo 12345" won't work, you'll need an actual hashbang at the beginning, like a "!#/bin/bash" on the top line. – DaveJenni Jul 24 '22 at 10:14
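
The two file forms described in the answer and comments above (a plain file holding only the password, or an executable script that prints it) can be checked before use. This is an added example, not part of the original thread; `check_vault_pwfile` is a hypothetical helper name, and the owner-only permission rule and the one-line rule are policies assumed by this check, not something Ansible enforces.

```shell
#!/bin/sh
# Added example: sanity-check a vault password file before passing it to
# ANSIBLE_VAULT_PASSWORD_FILE or --vault-password-file.
# Prints one word; returns 0 only for "plain" or "script".
check_vault_pwfile() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 1; }

    # Mode string from ls, e.g. "-rw-------": char 1 is the type,
    # 2-4 owner bits, 5-7 group bits, 8-10 other bits.
    mode=$(ls -ld "$f" | cut -c1-10)

    # Assumed policy: group and other get no access to the secret.
    case $mode in
        ????------) ;;
        *) echo "too-permissive"; return 1 ;;
    esac

    # Read the first line without executing anything.
    first=
    IFS= read -r first < "$f" || :

    # Owner execute bit set: the file will be run, so it needs an interpreter line.
    case $mode in
        ???x*)
            case $first in
                '#!'*) echo "script"; return 0 ;;
                *)     echo "executable-without-shebang"; return 1 ;;
            esac ;;
    esac

    # Not executable: expect only the password, on a single line.
    [ -n "$first" ] || { echo "empty"; return 1; }
    [ "$(($(wc -l < "$f")))" -le 1 ] || { echo "multiline"; return 1; }
    echo "plain"
}

# Constructed sample files in a throwaway directory.
demo=$(mktemp -d)
printf '1234\n' > "$demo/pwdfile";               chmod 600 "$demo/pwdfile"
printf '#!/bin/sh\necho 1234\n' > "$demo/pw.sh"; chmod 700 "$demo/pw.sh"
printf 'echo 1234\n' > "$demo/bad.sh";           chmod 700 "$demo/bad.sh"
for p in pwdfile pw.sh bad.sh; do
    printf '%s: ' "$p"; check_vault_pwfile "$demo/$p" || :
done
rm -rf "$demo"
```

A file that fails with `too-permissive` can be fixed with `chmod 600` (plain) or `chmod 700` (script).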