We’ve begun using vault to encrypt vars for a work group. This has been annoying to those who use ansible because now each site run requires them to enter the vault password or reference a file. Having this password in a dozen places for our admin/developers doesn’t seem good, and entering the password 50 times a day is also annoying. We’ve considered relegating vault material to an entirely different set of plays which can be messy since these are vars associated with playbooks. Would it make sense to have an option (–no-vault)? I guess we could tag vault tasks and skip them in dev. I’m curious how other people dealing with this.