I’m using Ansible to orchestrate a bunch of VMs, as expected. I want to run commands as root, so I have the root password in a file in group_vars, so /etc/ansible/group_vars/vault, which I’ve encrypted with ansible-vault.
I think the thing you are missing here is that whatever is in group_vars (either a file or a directory) needs to match up with the name of a group in your inventory file (unless you are using the magic ‘all’ group, which applies to all hosts).
So you might wind up with 3 files in different directories like this
You can use the vaulted variables anywhere you can use ordinary variables, but you’ll need to supply the vault password to your playbook runs (or you can specify a path to a file containing the vault password in your ansible.cfg file if that makes sense for you).
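The following check is an added example, not part of the original posts: it audits a group_vars directory against an INI-format inventory and reports which entries match a group name and which hold ansible-vault data. The function names, host names, group names and file layout are constructed for illustration; only the `$ANSIBLE_VAULT;` file header and the `all` group come from Ansible itself.

```python
import os
import re
import tempfile

VAR_EXTS = (".yml", ".yaml", ".json")

def inventory_groups(text):
    """Group names defined in an INI inventory, plus the implicit groups."""
    groups = {"all", "ungrouped"}
    for line in text.splitlines():
        m = re.match(r"\[([^\]:]+)(:vars|:children)?\]$", line.strip())
        if m:
            groups.add(m.group(1))
    return groups

def is_vaulted(path):
    """True if the file starts with the ansible-vault header."""
    with open(path, "r", errors="replace") as fh:
        return fh.readline().startswith("$ANSIBLE_VAULT;")

def audit_group_vars(inventory_text, group_vars_dir):
    """Map each group_vars entry to (name matches a group, holds vaulted data)."""
    groups = inventory_groups(inventory_text)
    report = {}
    for entry in sorted(os.listdir(group_vars_dir)):
        path = os.path.join(group_vars_dir, entry)
        if os.path.isdir(path):
            name = entry
            files = [os.path.join(path, f) for f in os.listdir(path)]
        else:
            root, ext = os.path.splitext(entry)
            name = root if ext in VAR_EXTS else entry
            files = [path]
        vaulted = any(is_vaulted(f) for f in files if os.path.isfile(f))
        report[entry] = (name in groups, vaulted)
    return report

def demo():
    """Build a constructed layout in a temp dir and audit it."""
    inventory = "[webservers]\nvm1.example.com\n\n[dbservers]\nvm2.example.com\n"
    vault_blob = "$ANSIBLE_VAULT;1.1;AES256\n(constructed placeholder)\n"
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "all"))
        layout = {"vault": vault_blob,            # as in the question: no such group
                  "all/vault.yml": vault_blob,    # applies to every host
                  "webservers.yml": "http_port: 8080\n"}
        for rel, body in layout.items():
            with open(os.path.join(tmp, rel), "w") as fh:
                fh.write(body)
        return audit_group_vars(inventory, tmp)

if __name__ == "__main__":
    for entry, (matched, vaulted) in demo().items():
        print(f"{entry:16} matches_group={matched} vaulted={vaulted}")
```

An entry reported with `matches_group=False` is never loaded for any host, which is what happens to a file named `vault` when the inventory has no `vault` group.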