Feature idea: Adding a vault/ subdir to group_vars and host_vars

Hi all
Using Vault in group_vars has the downside of losing version control on the vaulted file, so the logical thing is to separate sensitive variables from “normal” ones.
What we do is create a vault/ subdirectory under group_vars and include that in vars_file.

The dir structure looks like this:

hosts
group_vars/
  vault/
    some_group
  some_group

And the playbook starts like this:

- hosts: some_group
  vars_files:
    - "{{ inventory_dir }}/group_vars/vault/some_group"

It seems like a good convention, any thoughts about making it a feature?

If it’s meant to be included by vars_file, that doesn’t seem like a good place to me.
Also, this would conflict if one has a ‘vault’ group, as dirs are also allowed in host/group_vars, instead of plain files.

I currently use vars_files because Ansible doesn’t include these files automatically. I was suggesting making a standard place to put vaulted group_vars (or host_vars) and gave mine as an example.
Do you object to the idea or just my convention?

At least the convention, beneath group_vars is definitely not the right place.
The idea, I'm not sure what having this standard place would exactly mean?
Vault files are just encrypted files, users might want to 'vault' a file at any location they want.

Say you have a default vault dir somewhere, what would happen then?


At least the convention, beneath group_vars is definitely not the right place.
The idea, I’m not sure what having this standard place would exactly mean?

It’s really the same idea as group_vars. For each group a host is a member of, two files are included:

  • The file under group_vars/, as usual
  • The vaulted file under the vaulted group_vars dir

This allows you to separate the sensitive and normal parts of your group_vars, so that you won’t lose version control on the normal parts.

Vault files are just encrypted files, users might want to ‘vault’ a file at any location they want.

Same thing can be said about group_vars. You can include any variable file you want, but having a convention that uses your hostgroup structure is a good thing.

OK, actually, you already can do something similar, what I do:

for each group X I have a directory group_vars/X/
every file in that dir will be loaded for group X
then you can have a group_vars/X/secret.yml e.g. which is vaulted.

Would that work for you?

Whoa, dude. Didn’t know that trick. Yeah that actually solves my case pretty nicely. Thanks a bunch.

“Using Vault in group_vars has the downside of losing version control on the vaulted file”

This is not necessarily the case.

group_vars/ folders are also loaded if they live alongside the playbook, so that can be a good option.

You could also keep the variables in a role vars/ directory and pull them in to hosts that need them.

In fact, a role can contain nothing but vars, and that works too!


Yeah I know, but that's not helping my specific use case, as I need different sensitive variables based on inventory, not role or playbook. Serge's suggestion was what solved it for me - too bad this feature isn't documented!

Docs are open source and there’s already an open pull request for that in the docs.

Yeah that’s me :slight_smile:

Hi all,

I just came across this after puzzling over how best to use ansible-vault to manage sensitive credentials in group vars, without encrypting everything, and I couldn’t find the pull request for this when looking through the github issues for

Would someone share a link to it?

Thanks

Chris

The pull request for the docs has been merged already. The relevant doc page is here: http://docs.ansible.com/intro_inventory.html

Just search for ‘vault’ in that page. It doesn’t have info this thread doesn’t though…

You can have subdirectories under group_vars/groupname/*.yml if you want, and some of those can be vault encrypted.

Hi,

I'm using the following naming scheme in my projects
[inventory_group]/secret/self-documented-name.yml

for example :
group_vars
├── all
│   └── secret
│       ├── deployment_keys.yml
│       ├── api_keys.yml
│       └── hipchat_token.yml
├── redis
│   └── secret
│       └── aws.yml
└── webapp
    └── secret
        └── ssl.yml

I hope it would be useful.

-- Best, Igor
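The two conventions in this thread (Serge's group_vars/X/ directory with a vaulted file inside it, and Igor's group_vars/<group>/secret/ naming scheme) only keep secrets out of plaintext if nobody forgets to run ansible-vault on a file. The check below is an added example, not code from the thread or from Ansible: it walks a group_vars/ tree, treats any file whose first line carries the ansible-vault header as encrypted, and flags (a) plaintext files sitting in a location the policy says must be encrypted, and (b) credential-looking keys in plaintext files whose value is a literal rather than a reference to a vault_-prefixed variable (the usual way of keeping a readable `db_password: "{{ vault_db_password }}"` next to the encrypted `vault_db_password`). The policy (the secret/ and vault/ directory names, the vault*.yml file pattern, the key regex) and the sample tree are assumptions constructed for the example; the stand-in "encrypted" files contain only the header, since only the header matters to this check.

```python
import re
import tempfile
from pathlib import Path

# Real ansible-vault files begin with this header, e.g. "$ANSIBLE_VAULT;1.1;AES256".
VAULT_HEADER = "$ANSIBLE_VAULT;"

# Policy (an assumption for this example, matching the conventions in the thread):
# anything under a "secret/" or "vault/" directory, or a file named vault*.yml,
# must be vault-encrypted.
SECRET_DIRS = {"secret", "vault"}
SECRET_FILE_RE = re.compile(r"^vault.*\.ya?ml$")

# Top-level YAML keys that look like credentials (hypothetical list, extend as needed).
SUSPICIOUS_KEY_RE = re.compile(
    r"^(?P<key>\w*(password|passwd|secret|token|api_key|private_key)\w*)\s*:\s*(?P<value>.*)$",
    re.IGNORECASE,
)
# A plaintext value that merely refers to a vault_-prefixed variable is acceptable:
#   db_password: "{{ vault_db_password }}"
VAULT_REF_RE = re.compile(r"""^["']?\{\{\s*vault_\w+\s*\}\}["']?$""")


def is_vaulted(path) -> bool:
    """True if the file carries the ansible-vault header on its first line."""
    with Path(path).open("r", encoding="utf-8", errors="replace") as fh:
        return fh.readline().startswith(VAULT_HEADER)


def must_be_vaulted(rel) -> bool:
    """Policy: files in secret dirs, and vault*.yml files, must be encrypted."""
    rel = Path(rel)
    in_secret_dir = any(part in SECRET_DIRS for part in rel.parts[:-1])
    return in_secret_dir or bool(SECRET_FILE_RE.match(rel.name))


def check_group_vars(root) -> list:
    """Walk a group_vars/ (or host_vars/) tree; return (relative_path, message) findings."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        if is_vaulted(path):
            continue  # encrypted: nothing to inspect
        if must_be_vaulted(rel):
            findings.append((rel.as_posix(), "plaintext file in a location that must be vault-encrypted"))
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            m = SUSPICIOUS_KEY_RE.match(line)
            if m and not VAULT_REF_RE.match(m.group("value").strip()):
                findings.append(
                    (rel.as_posix(), f"line {lineno}: '{m.group('key')}' holds a literal value in plaintext")
                )
    return findings


def build_demo(base) -> Path:
    """Create a constructed sample group_vars tree (not real inventory data)."""
    root = Path(base) / "group_vars"
    # Stand-in for an encrypted file: a real one has hex ciphertext lines after the header.
    fake_vault = "$ANSIBLE_VAULT;1.1;AES256\n(ciphertext body omitted in this constructed sample)\n"
    files = {
        "all/vars.yml": "ntp_server: pool.ntp.org\n",
        "all/secret/api_keys.yml": fake_vault,
        "webapp/vars.yml": 'db_password: "{{ vault_db_password }}"\n',  # reference only: fine
        "webapp/vault.yml": fake_vault,
        "redis/vars.yml": "redis_auth_password: hunter2\n",            # literal secret: flagged
        "redis/secret/aws.yml": "aws_secret_key: not-really-a-key\n",  # never encrypted: flagged
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root


def run_demo() -> list:
    """Build the sample tree in a temp dir and return the findings for it."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_group_vars(build_demo(tmp))


if __name__ == "__main__":
    for rel, msg in run_demo():
        print(f"{rel}: {msg}")
```

Run it against a real inventory with `check_group_vars("inventory/group_vars")` from a pre-commit hook or CI job; a non-empty result means a secret is about to be committed in the clear. Because the check only reads the first line, it works on vault files regardless of the vault password, so it can run anywhere the repository is checked out.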