Ansible reads all files in host_vars and group_vars instead of just the ones for the specified hosts

Hello,

I am running ansible 2.0.2 on Ubuntu 14.04. I have several vaulted host-specific or group-specific files in host_vars or group_vars, so whenever I run “ansible-playbook”, I pass the “--ask-vault” option. I noticed some odd behavior - if I run with “--ask-vault” and strace the “ansible-playbook” process, I see that it needs to read (and thus decrypt if vaulted) ALL of the files in host_vars and group_vars, not just the host_vars/myhost or host_vars/mygroup specific files that apply to the hosts I’m running on (as defined in the inventory file). How can I configure ansible to only read the specific host_vars and group_vars files that it needs, rather than this entire directory every time? Because it is reading every file, it takes a lot longer (since it has to decrypt all of the vault files, even ones that aren’t used).

Thanks!

There is no current way. The way ansible inventory works is that all inventory files, including host vars and group vars, are read and parsed before ansible really starts doing much of anything.

There also isn’t any way to know whether you may try to access a vaulted var for another host or group that isn’t targeted by the play, which is often done.
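An added example, not part of the thread and not Ansible's own code: since every file under host_vars and group_vars is parsed at inventory load, this script walks both directories and reports which files start with the vault header, i.e. which ones every run has to decrypt no matter which hosts are targeted. The function names are hypothetical and the sample tree and vault bodies are constructed.

```python
import os
import tempfile

VAULT_MAGIC = b"$ANSIBLE_VAULT;"  # first bytes of every vault-encrypted file

def parse_vault_header(first_line):
    """Return (format_version, cipher, vault_id) for a vault header, else None."""
    if not first_line.startswith(VAULT_MAGIC):
        return None
    parts = first_line.strip().decode("ascii", "replace").split(";")
    if len(parts) < 3:
        return None
    return parts[1], parts[2], parts[3] if len(parts) > 3 else None

def vaulted_vars_files(inventory_dir):
    """List every file under host_vars/ and group_vars/ with its vault header."""
    report = []
    for sub in ("host_vars", "group_vars"):
        for dirpath, _dirs, files in os.walk(os.path.join(inventory_dir, sub)):
            for name in files:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    header = parse_vault_header(fh.readline())
                report.append((os.path.relpath(path, inventory_dir), header))
    return sorted(report, key=lambda item: item[0])

def build_sample_inventory(base):
    """Constructed sample tree; the vault bodies are dummy hex, not real ciphertext."""
    vault = b"$ANSIBLE_VAULT;1.1;AES256\n363233613464\n"
    files = {
        "host_vars/myhost": vault,
        "host_vars/otherhost": vault,
        "group_vars/mygroup": b"ntp_server: ntp.example.com\n",
        "group_vars/db/vault.yml": vault,
    }
    for rel, data in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_inventory(tmp)
        for rel, header in vaulted_vars_files(tmp):
            print(("VAULTED " if header else "plain   ") + rel)
```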

Okay thanks for the clarification. So there’s no way to only give access to vaulted files in host_vars or group_vars to certain users (but let other users run playbooks that don’t require a vault file)?