How to handle passwords with the vault

I’m using Ansible to orchestrate a bunch of VMs, as expected. I want to run commands as root, so I have the root password in a file in group_vars, so /etc/ansible/group_vars/vault, which I’ve encrypted with ansible-vault.

I understand from the Best Practices http://docs.ansible.com/ansible/playbooks_best_practices.html#best-practices-for-variables-and-vaults that I’m to use a file containing the passwords that’s encrypted and then another referencing those. So I have
group_vars
  ├── vault
  └── vars

cat vars
# group_vars files are YAML; each plain variable just points at its vaulted twin
ansible_become_user: "{{ vault_ansible_become_user }}"
ansible_become_pass: "{{ vault_ansible_become_pass }}"

And then those variables are assigned in vault.

I’m totally not sure how then to use these or reference them. Any advice/guidance would be good.

Thanks

I think the thing you are missing here is that whatever is in group_vars (either a file or a directory) needs to match up with the name of a group in your inventory file (unless you are using the magic ‘all’ group, which applies to all hosts).

So you might wind up with 3 files in different directories like this:

group_vars/development/vault
group_vars/testing/vault
group_vars/production/vault

Then in your inventory all the variables in group_vars/development/vault would apply to any hosts belonging to a group called development:

[development]
host1
host2

You’d then need to encrypt them like this:

ansible-vault encrypt group_vars/development/vault
ansible-vault encrypt group_vars/testing/vault
ansible-vault encrypt group_vars/production/vault

You can use the vaulted variables anywhere you can use ordinary variables, but you’ll need to supply the vault password to your playbook runs (or you can specify a path to a file containing the vault password in your ansible.cfg file if that makes sense for you).

Jon
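As an added example (not from either post in this thread), the layout Jon describes for one group, plus a small pre-commit style check a practitioner would want: that the vault file really is encrypted and that the plain vars file only references vault_ variables rather than carrying a literal password. The vault body is a constructed stand-in for what `ansible-vault encrypt` writes; ansible-vault itself is not run here.

```shell
#!/bin/sh
# Added example (not from the thread): lay out group_vars/<group>/ as Jon
# describes and add a pre-commit style check that the vault file really is
# encrypted and that the plain vars file only *references* vault variables.
# The encrypted vault body below is a constructed stand-in for what
# `ansible-vault encrypt` writes; ansible-vault itself is not run here.
set -e
work=$(mktemp -d)
mkdir -p "$work/group_vars/development"

# Plain vars file (YAML): indirection only, no secret values.
cat > "$work/group_vars/development/vars.yml" <<'EOF'
---
ansible_become: true
ansible_become_user: root
ansible_become_pass: "{{ vault_ansible_become_pass }}"
EOF

# Vault file as it looks after `ansible-vault encrypt` (the header is the real
# format; the hex body is a constructed placeholder, not real ciphertext).
cat > "$work/group_vars/development/vault.yml" <<'EOF'
$ANSIBLE_VAULT;1.1;AES256
3030303030303030303030303030303030303030303030303030303030303030
EOF

# 0 if the file carries the ansible-vault header, 1 if it is still plaintext.
is_vaulted() {
  head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;'
}

# 0 if every password/secret-looking key in the plain vars file is a
# "{{ vault_... }}" reference, 1 if a literal value slipped in.
no_literal_secrets() {
  ! grep -E '^[[:space:]]*[a-z_]*(pass|password|secret|token)[a-z_]*:' "$1" \
    | grep -vqE '[{][{][[:space:]]*vault_[a-z_]+[[:space:]]*[}][}]'
}

# Combined check for one group directory; run it before committing.
check_group_vars() {
  is_vaulted "$1/vault.yml" && no_literal_secrets "$1/vars.yml"
}

check_group_vars "$work/group_vars/development" && echo "development: ok"
```

Run the same `check_group_vars` over each group directory (testing, production) before a commit; a vault file that was edited with `ansible-vault decrypt` and never re-encrypted fails the first check.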