Do decrypted variables get copied to the host?

After decrypting a vault and running a task using that vault data:

  • Do only the variables involved in that task get copied to the host or do all decrypted variables get copied (even temporarily)?

If all get copied, do group_vars restrict that copy only to the hosts in that group?

Hi Tom,

Only the variables involved in that task get copied to the host. You
can set the environment variable ANSIBLE_KEEP_REMOTE_FILES=1 on the
controlling host to prevent ansible from deleting the remote files so
you can check that by yourself.

-- Best, Igor

So ... depends, data passed to a task is normally copied with the task
to the remote machines so the task can be executed there. If using the
ssh connection plugin with pipelining, the data never gets copied to
disk and gets read from a pipe and is only present in memory. When
copied to the disk it is normally removed right after execution
(unless using ANSIBLE_KEEP_REMOTE_FILES=1, which should also disable
pipelining).