Need keys for vaulted group vars

j.barrett_Strausser · August 30, 2016, 1:42pm

Running Ansible - 1.9.4

I have a number of group_vars that are vaulted.

I have an inventory file, some of the hosts are in vaulted groups. Others are not. For instance I might have different roles in the Backend that need database passwords that are stored in vaulted group vars, other like FrontEnd roles do not.

When I limit my run to the hosts that do not need a vault key, I’m still prompted for a key for roles that the host is not a part of.

Both types of roles are in a common role called cloud: that has shared non-vaulted information.

Example:

ansible-playbook cloud_entry.yml --limit static-asset-servers --inventory cloud_inventory
ERROR: A vault password must be specified to decrypt /home/barrett/Git/ansible/group_vars/vault-backend.yml

The static-asset-servers hosts are not in any group that ultimately leads to the vault-backend group

Is my only solution to split my inventory into different files?

Doing this will defeat my putting the hosts in a common Cloud group though

-barrett

Brian_Coca · September 20, 2016, 3:30pm

The group/host_vars are ALWAYS loaded as the inventory needs to exist BEFORE ansible can validate the hosts it needs.

If you need those vaulted files to only be available for certain plays, move them out of group/host_vars and use vars_files/include_vars.

Topic		Views
Ansible reads all files in host_vars and group_vars instead of just the ones for the specified hosts Ansible Project ubuntu	2	May 17, 2016
Feature idea: Adding a vault/ subdir to group_vars and host_vars Ansible Project	14	December 9, 2014
Ansible Vault tries to Decode Irrelevant Files Ansible Project	1	November 17, 2014
Dynamically include vaulted vars within playbook only for certain hosts Ansible Project	1	February 28, 2017
Ansible ask for vault password for a host that don't need any variable Ansible Project	1	July 1, 2015

Need keys for vaulted group vars

Related topics