How to include a variable vault in inventory.ini or ansible.cfg

I have a vault file in vault/secrets.enc with some credential definitions.

When I add the file on the command line like this:

ansible-playbook myplay.yml -e '@vault/secrets.enc' --ask-vault-pass

it works perfectly.

But how can I include this encrypted variables file in inventory.ini or ansible.cfg, so that I don’t need to add it on each CLI invocation? I tried setting vars_files, but could not make it work.

Note: I would like to avoid changing my play files for this, because they should work even with a plain -K invocation as well.

Thanks for any pointers!

Make it part of inventory:

inventory.ini
group_vars/
    all/
        secrets.enc
        main.yml  # what you normally have in all.yml

Thank you for your suggestion!

I don’t really understand what you mean: Do I write “group_vars/” in the inventory.ini file? In which section? What exactly do I add to the INI file to include the vault file?

Not inside the file; what I posted above represents the file system. It uses a ‘vars plugin’, the one shipped with Ansible itself (host_group_vars), which will look in directories adjacent to the inventory source file (group_vars/ and host_vars/) to populate variables for the hosts that have a matching group or host name. The ‘all’ group applies to all hosts, and I use it as a directory so you can have multiple files, one of them vaulted.

Ok, makes sense. Thanks.

Hoping to understand your details correctly I just have tried the following directory structure:

tree automate
automate
├── all
│   └── secrets.enc
├── inventory.ini
└── myplay.yml

(automate is my directory with all Ansible stuff.)

However when I run

ansible-playbook myplay.yml  --ask-vault-pass

I get the error “The field ‘become_pass’ has an invalid value, […]”, while

ansible-playbook myplay.yml -e '@all/secrets.enc' --ask-vault-pass

works as expected.

Do I have to enable the vars_plugin (via my ansible.cfg, I guess)? Is it part of the normal Ansible distro? (I’m on a machine without Internet.)

Or even better, is there a way to load the secrets.enc file without an extra plugin, just with some directives in a config file?

Your tree must look like this:

tree automate
automate
├── group_vars
│   └── all
│       └── secrets.yml
├── inventory.ini
└── myplay.yml

Please study this:

https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#tips-on-where-to-set-variables

group_vars and host_vars are described in detail in documentation.

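As an added example (not code from this thread or from Ansible itself), a small Python pre-flight check that mirrors where the host_group_vars plugin looks for group variables next to the inventory file, and reports the two layouts that went wrong above as well as a vault file that was never encrypted. It relies on two documented Ansible behaviours, that only files ending in .yml/.yaml/.json or with no extension are read from group_vars/ and that every vault file starts with a `$ANSIBLE_VAULT;` header; the sample trees are constructed in temporary directories.

```python
# Added example, not from the thread: mirrors where host_group_vars looks so the
# wrong tree (all/ vs group_vars/all/) or a plaintext vault file is caught early.
import tempfile
from pathlib import Path
VAULT_HEADER = "$ANSIBLE_VAULT;"               # first line of every vault file
LOADABLE_EXT = {"", ".yml", ".yaml", ".json"}  # only these are read from group_vars/

def is_vault_encrypted(path: Path) -> bool:
    with path.open("r", encoding="utf-8", errors="replace") as fh:
        return fh.readline().startswith(VAULT_HEADER)

def group_var_files(inventory: Path, group: str) -> list[Path]:
    """Files Ansible loads for `group` next to the inventory source:
    group_vars/<group>.<ext> plus loadable files under group_vars/<group>/."""
    base = inventory.resolve().parent / "group_vars" / group
    found = [base.with_suffix(e) for e in LOADABLE_EXT if base.with_suffix(e).is_file()]
    if base.is_dir():
        found += sorted(p for p in base.rglob("*") if p.is_file()
                        and not p.name.startswith(".") and p.suffix in LOADABLE_EXT)
    return found

def check_layout(inventory: Path, vault_name: str, group: str = "all") -> list[str]:
    """Findings (empty list = fine): vault file must be loaded for `group` and encrypted."""
    loaded = [p for p in group_var_files(inventory, group) if p.name == vault_name]
    if loaded:
        return [f"{p} is not vault-encrypted" for p in loaded if not is_vault_encrypted(p)]
    stray = inventory.parent / group / vault_name            # the OP's first tree
    proper = inventory.parent / "group_vars" / group / vault_name
    if stray.is_file():
        return [f"{stray} is outside group_vars/; move it to {proper}"]
    if proper.is_file():
        return [f"{proper}: extension '{proper.suffix}' is skipped by Ansible; use .yml"]
    return [f"{vault_name} not found for group '{group}' under {inventory.parent}"]

def demo() -> dict[str, list[str]]:
    """Build the constructed layouts from the thread in temp dirs; findings per case."""
    cases = {"wrong_dir": "all/secrets.enc",             # OP's first attempt
             "bad_ext": "group_vars/all/secrets.enc",    # first answer, file name kept
             "plaintext": "group_vars/all/secrets.yml",  # right place, never encrypted
             "correct": "group_vars/all/secrets.yml"}    # second answer's tree
    results = {}
    for case, rel in cases.items():
        with tempfile.TemporaryDirectory() as tmp:
            inv, target = Path(tmp, "inventory.ini"), Path(tmp, rel)
            inv.write_text("localhost\n")                # constructed inventory
            target.parent.mkdir(parents=True)
            header = "" if case == "plaintext" else "$ANSIBLE_VAULT;1.1;AES256\n"
            target.write_text(header + "3030303030\n")   # constructed, not real vault data
            results[case] = check_layout(inv, Path(rel).name)
    return results
```

Running `demo()` returns an empty finding list only for the tree the second answer shows; the other three constructed layouts each produce one message naming the problem.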

Thanks so much for spelling this out for me.

Now it works like a charm!
