Ansible Vault needs an .ansible.cfg entry

As was detailed in:
https://github.com/ansible/ansible/issues/6980

and
https://github.com/ansible/ansible/issues/7456

This really needs to go in the ansible config. Having to manually type/copy this on every run, particularly when developing complete cookbooks that have a long dev cycle, is really miserable and quite unnecessary.

Why do you have to type this on every run? (you missed the earliest ticket in the above list by the way)… As mentioned in the first ticket https://github.com/ansible/ansible/issues/6947 you can use a shell alias to perform this for you so that you are not having to type this every time. There is also a wrapper script included in there that does this too…

The following should work for ksh, bash and csh…
alias av='ansible --vault-password-file=/path/to/ansible/vault/password/file'

You only need to set this once, and if you are working with different vaults you can even set multiple aliases so that you get the one that you want.

Adam

I didn’t miss anything. First off, I don’t want everyone who runs an encrypted play to have to have this setup. I am trying to build an environment where people who are not as familiar with Ansible (for example my web dev) can run a play without hassle. Every single flag you have to pass after “ansible-playbook” is an additional level of hassle, and in this case a needless one.

I don’t want to have to add “av” because that could very easily fit inside a config.
Additionally, by that logic there’s no need for ansible_ssh_user being present in a config or an inventory as a group variable since you could just create an alias for it.

This is a simple fix that will definitely save tons of time and requires A.) no shell goofiness and B.) no additional lines on your ansible-playbook command.

Folks could easily be using multiple vault files for different projects, in which case a default one in the config file doesn’t really make sense to me.

In the same way that people use multiple ansible-ssh-users? I see your point, but couldn’t we specify it in the inventory then so it can be particular to a specific group if necessary?

Allowing it to be set as a variable like “ansible_vault_password_file” would be useful, I can see that working out.

Possibly it might be set in the playbook or repo instead, in which case, it might be nice to also have it as a play keyword, and one that expanded HOME too.

I’d entertain patches for one or both of the above.

–Michael
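
An added example, not part of the thread and not Ansible's own code: a shell wrapper that picks the vault password file per repository, expands a leading `~` to `$HOME`, and refuses a password file that group or others can access before passing it to `--vault-password-file`. The pointer file name `.vault-password-path`, the `ANSIBLE_PLAYBOOK_BIN` override and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: per-repository vault password file lookup for ansible-playbook.
# Assumption: each repo holds a one-line file ".vault-password-path"
# (hypothetical name) giving the path of its vault password file.

# Print the password file path configured for the repo in directory $1.
resolve_vault_file() {
    pointer="$1/.vault-password-path"
    [ -r "$pointer" ] || return 1
    path=
    # Accept a pointer file with or without a trailing newline.
    IFS= read -r path < "$pointer" || [ -n "$path" ] || return 1
    case "$path" in
        '~/'*) path="$HOME/${path#??}" ;;   # expand a leading "~/" to $HOME
    esac
    [ -n "$path" ] && printf '%s\n' "$path"
}

# Succeed only if $1 is a regular file with no group/other permission bits.
vault_file_is_private() {
    [ -f "$1" ] || return 1
    mode=$(ls -ldL -- "$1") || return 1
    case "$mode" in
        -???------*) return 0 ;;            # e.g. -rw------- or -r--------
        *) return 1 ;;
    esac
}

# Run ansible-playbook for the repo in the current directory.
# ANSIBLE_PLAYBOOK_BIN is a hypothetical override, useful for dry runs.
run_playbook() {
    file=$(resolve_vault_file "$PWD") || {
        echo "no usable .vault-password-path in $PWD" >&2
        return 2
    }
    vault_file_is_private "$file" || {
        echo "refusing $file: readable by group or others" >&2
        return 3
    }
    "${ANSIBLE_PLAYBOOK_BIN:-ansible-playbook}" --vault-password-file="$file" "$@"
}
```

Sourced from a shell profile, `run_playbook site.yml` then needs no extra flags; the pointer file can be committed to the repository because it holds only a path, while the password file itself stays outside the repository.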