Combine ansible-vault with prompted variables?

The problem I have right now is that, to use ansible-vault encrypted strings, I need to specify on the command line --vault-id=foo@prompt .

I don’t use encrypted strings very often, so I’d rather have my play notice that I’m going to use an encrypted string, and prompt for the password only when absolutely necessary.

Is this possible? Something along the lines of

vars:
  string1: !vault |
    $ANSIBLE_VAULT;1.2;AES256;foo
    66306438623164653061623661376331643537303931663562326336386234333935373661623261
    3930633662616462316133633236383530356561346233640a386439316638313361333437386435
    38346635626533313266663436666163386238616266623038666364323232393465656665643831
    6437616339616463360a383263333965366264633562343965386137313364613737356666623562
    3033
vars_prompt:
  - name: "cryptpasswd"
    prompt: "ansible-vault password"
    private: yes
tasks:
  - name: "secret string"
    debug:
      msg: "secret message is {{ string1 }}"

… and then my password is somehow available to decrypt the string when needed?

Thanks.
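Added example, not part of the original post: a pre-flight scan that reads playbook text for vault envelope headers such as `$ANSIBLE_VAULT;1.2;AES256;foo` and builds the `--vault-id=<label>@prompt` arguments only when an encrypted string is actually present. The function names and the sample payload are constructed for illustration.

```python
import re
import sys

# Vault envelope header: $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id label>]
# Format 1.1 carries no label; format 1.2 appends one (e.g. "foo").
HEADER = re.compile(r"\$ANSIBLE_VAULT;(\d+\.\d+);([A-Z0-9]+)(?:;([^\s;]+))?")


def vault_ids(text):
    """Return vault-id labels seen in text, first-seen order. None = unlabeled."""
    seen = []
    for match in HEADER.finditer(text):
        label = match.group(3)
        if label not in seen:
            seen.append(label)
    return seen


def vault_args(text):
    """Build the ansible-playbook arguments needed to decrypt what text contains."""
    args = []
    for label in vault_ids(text):
        if label is None:
            # Unlabeled payload: fall back to the single-password prompt.
            args.append("--ask-vault-pass")
        else:
            args.append(f"--vault-id={label}@prompt")
    return args


# Constructed sample; the hex payload is a placeholder, not real ciphertext.
SAMPLE = """vars:
  string1: !vault |
    $ANSIBLE_VAULT;1.2;AES256;foo
    deadbeefdeadbeefdeadbeefdeadbeef
"""

if __name__ == "__main__":
    # Usage: python vault_preflight.py site.yml [more files...]
    # Prints the command line instead of running it.
    found = []
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as handle:
            for arg in vault_args(handle.read()):
                if arg not in found:
                    found.append(arg)
    print(" ".join(["ansible-playbook", *found, *sys.argv[1:2]]))
```

The scan only sees the files it is given, so encrypted values in included vars files, roles, or inventory need to be passed in as well.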