It would be handy to be able to specify a default vault-password-file in the ansible configuration file. That way when we are operating within the ansible role we can easily encrypt, edit, and decrypt files without having to always add:
--vault-password-file ~/.vault_pass.txt
We can of course create a bash alias for this but it doesn’t vary when we are in different ansible projects…
Also, it would be nice to have an ansible-vault cat | more | less etc. to easily look at the file contents.
And in fact it might be nice to be able to have several passwords in vault_pass, which are tried in succession. I.e. we might have vault_pass.txt be:
That way we could hand out, say, the general_pass to some people working on general things, give out the aws deploy keys to a smaller set of people, and finally only a few people would know the super_secret_keys.
It seems that, as this file is frequently world readable, and probably should be for completeness of knowing what settings are, putting a password in this file is not a good idea.
Also, there’s an ansible-vault view to easily see file contents that does open a pager these days. That might only be on the devel-branch as I don’t really remember.
Additionally of note is that the --vault-password-file can also be a script, and if marked as executable the script will be executed and can respond with the password. Then you can store your password in something like keychain on Mac and have the script retrieve it. (I’ve submitted a PR to show how to do this at https://github.com/ansible/ansible/pull/8561)
(Bonus points for adding force_color at the same time… though that may be me trying to pull a Tom Sawyer type option about how fun it is to add option documentation!)
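The executable-script form of --vault-password-file mentioned above, as an added example that is not part of the thread or of the linked PR: a POSIX sh script that prints the vault password on stdout, first asking the macOS keychain (`security find-generic-password`) and otherwise falling back to a password file that it refuses to use unless it is readable only by its owner. The keychain service name `ansible-vault`, the `VAULT_KEYCHAIN_SERVICE` and `VAULT_PASS_FILE` environment variables, and the default path `~/.vault_pass.txt` are assumptions of this example. Save it as e.g. `~/.vault_pass.sh`, `chmod 700` it, and point `--vault-password-file` (or `vault_password_file` in ansible.cfg) at it; ansible treats a non-zero exit status as failure to obtain the password.

```shell
#!/bin/sh
# Added example (not from the thread or PR): vault password script for ansible-vault.
# ansible runs this script and reads the password from its stdout.
# Sources are tried in order: macOS keychain, then a 0600 password file.
# Service name, env var names and default path below are assumptions.

VAULT_KEYCHAIN_SERVICE="${VAULT_KEYCHAIN_SERVICE:-ansible-vault}"
VAULT_PASS_FILE="${VAULT_PASS_FILE:-$HOME/.vault_pass.txt}"

# Print the password stored in the macOS keychain under the service name.
# Returns non-zero when `security` is absent (e.g. Linux) or no entry exists.
vault_pass_from_keychain() {
  command -v security >/dev/null 2>&1 || return 1
  security find-generic-password -s "$VAULT_KEYCHAIN_SERVICE" -w 2>/dev/null
}

# Print the first line of a password file, but only if the file exists and is
# not group- or world-readable: a password sitting in a shared-readable file
# (like a world-readable ansible.cfg) is the situation the thread warns about.
vault_pass_from_file() {
  f="$1"
  [ -f "$f" ] || return 1
  # find prints the path if g+r or o+r is set; any output means "too open".
  if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]; then
    printf 'refusing %s: readable by group or others\n' "$f" >&2
    return 1
  fi
  head -n 1 "$f"
}

# Try each source in turn; the first non-empty password wins.
main() {
  pw=$(vault_pass_from_keychain) && [ -n "$pw" ] && { printf '%s\n' "$pw"; return 0; }
  pw=$(vault_pass_from_file "$VAULT_PASS_FILE") && [ -n "$pw" ] && { printf '%s\n' "$pw"; return 0; }
  printf 'no vault password available\n' >&2
  return 1
}

main "$@"
```

The permission check uses octal `-perm -040` / `-perm -004` so it works with both GNU and BSD find; when run on a machine without a keychain entry it silently moves on to the file source rather than failing early.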