Is `--vault-password-file` on demand, does the script get executed every time an encrypted file is loaded, or just once at the start?

I’m trying to work with more than one encrypted file, and it seems the --vault-password-file option, which can take a script, only gets executed once.

Am I wrong in this? I’ve tried setting environment variables to pass along; if I execute the script manually it gets the correct password, but if I do include_vars on an encrypted file, it only works the first time, regardless of what I try.

Is this expected behavior? Do I need to provide a --vault-id per vault password I want to use during a playbook run?

The program specified as --vault-password-file is invoked once only per playbook run, hence the limitation that --vault-password-file or --ask-vault-pass can only work with a single password.

If you need to run a play with differently vaulted files (i.e. vaulted with different passwords), then vault IDs are the way to go.

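As an added example (not code from this thread), here is one way to use vault IDs as the answer suggests: a single vault-id client script, assumed to be named `vault-env-client.sh`, that returns a different password per `--vault-id` label, taking each from an environment variable named `ANSIBLE_VAULT_PASS_<LABEL>` (both the file name and the variable scheme are assumptions of this example).

```shell
#!/bin/sh
# Added example: a vault-id "client" script. Because the file name ends in
# "-client" (before the extension), Ansible runs it once per --vault-id it
# was given, as:  vault-env-client.sh --vault-id <label>
# It prints the password for that label, read from ANSIBLE_VAULT_PASS_<LABEL>
# (the script name and variable naming scheme are assumed, not Ansible's).

vault_pass_for() {
    label="$1"
    # Only accept labels that map cleanly to an environment-variable name,
    # so the eval below can never see shell metacharacters.
    case "$label" in
        ''|*[!A-Za-z0-9_]*) echo "invalid vault id: '$label'" >&2; return 2 ;;
    esac
    var="ANSIBLE_VAULT_PASS_$(printf '%s' "$label" | tr '[:lower:]' '[:upper:]')"
    eval "pass=\${$var:-}"
    if [ -z "$pass" ]; then
        echo "no password in \$$var for vault id '$label'" >&2
        return 1
    fi
    printf '%s\n' "$pass"
}

# Parse the arguments Ansible passes (--vault-id LABEL) when run as a script.
main() {
    id=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --vault-id) id="$2"; shift 2 ;;
            --vault-id=*) id="${1#--vault-id=}"; shift ;;
            *) echo "usage: $0 --vault-id LABEL" >&2; return 2 ;;
        esac
    done
    vault_pass_for "$id"
}

# Run main only when executed as the client script itself, not when sourced.
case "$0" in *vault-env-client*) main "$@" ;; esac

# Usage, one --vault-id per password (each label resolves to its own variable):
#   chmod +x vault-env-client.sh
#   ANSIBLE_VAULT_PASS_DEV=... ANSIBLE_VAULT_PASS_PROD=... \
#   ansible-playbook --vault-id dev@./vault-env-client.sh \
#                    --vault-id prod@./vault-env-client.sh site.yml
```

Each label resolves to a separate secret, which is what a single --vault-password-file invocation cannot provide; files vaulted with a label (ansible-vault encrypt --vault-id dev@...) are then matched to the right password automatically.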

Thanks, I wanted to be sure.

I tried running ansible-playbook with -vvvvv and the output there seemed open to interpretation.

It claims to have a default vault password and then mentions this default is a script and that’s it in terms of output.

That doesn’t make it clear to me if the script will be executed on demand, or only at startup.

So again, thanks for clarifying.