Ansible Vault: ask for password whenever necessary?


I’m making slow but steady progress with Ansible, and I must say I really like it. The more I learn about it, the more I know that this is the way to configure my servers in the future. But right now I have the odd problem to solve.

I’m getting to a point where I have to store sensitive information like mail relay user credentials in my host_vars. I just spent a couple of hours playing around with ansible-vault, file encryption and file decryption, and it works.

Let’s say I have a playbook called setup.yml, and somewhere in the playbook there’s an encrypted bit of information. In that case, simply launching the playbook returns the following error:

$ ansible-playbook setup.yml

PLAY [all] ***************************************
ERROR! Attempting to decrypt but no vault secrets found

In that case I have to run the command again with the following option:

$ ansible-playbook setup.yml --ask-vault-pass
Vault password: 

PLAY [all] *************************************

TASK [Gathering Facts] ***************************
ok: [localhost]

Now I wonder: is there a way to get ansible-xxxxx commands to ask automatically for the Vault password whenever there’s some bit of encrypted information in the playbooks? Some magical option to put in ansible.cfg?



From Stack Overflow I found this:

ask_vault_pass = True

for ansible.cfg


That’s exactly the option I’ve been looking for. Go figure why I couldn’t find it. Anyway, thanks very much.


I think it’s a shame to make an automation script interactive. If you have control over your Ansible controller, you should set the vault_password_file variable instead.
Once again, it’s in our documentation: Management server optimizations - Documentation (you’ll have to read it sooner or later :) ).
Personally, I have a Python script to which this variable points. The password is stored in the Rundeck vault and is therefore accessible by all our Ansible nodes (but here, your imagination is free).
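
A sketch of the kind of script the last reply describes, added here as an example and not the poster's own code: when vault_password_file points at an executable file, Ansible runs it and uses its stdout as the vault password. The environment variable name, the default path, and the choice of a local file as the secret store are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Vault password script: prints the vault password on stdout for Ansible."""
import os
import stat
import sys

# Assumptions: hypothetical variable name and placeholder path.
SECRET_PATH_ENV = "VAULT_SECRET_PATH"
DEFAULT_SECRET_PATH = "/etc/ansible/.vault_secret"


def read_secret(path):
    """Return the password stored in `path`, refusing loose permissions."""
    # O_NOFOLLOW: do not let a symlink redirect us to another file.
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    with os.fdopen(fd, "r", encoding="utf-8") as handle:
        info = os.fstat(handle.fileno())
        if not stat.S_ISREG(info.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if info.st_uid != os.getuid():
            raise PermissionError(f"{path}: not owned by the calling user")
        if info.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path}: group/world accessible, expected 0600")
        secret = handle.read().rstrip("\r\n")
    if not secret:
        raise ValueError(f"{path}: empty vault password")
    return secret


def main():
    path = os.environ.get(SECRET_PATH_ENV, DEFAULT_SECRET_PATH)
    try:
        secret = read_secret(path)
    except (OSError, ValueError) as exc:
        # Diagnostics go to stderr; stdout carries only the password.
        print(f"vault password script: {exc}", file=sys.stderr)
        return 1
    sys.stdout.write(secret)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The script has to carry the executable bit; a vault_password_file without it is read as a plain file containing the password.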