Two vault files with the same password - will it work?

Hi!
I would like to use one vault password with two files containing encrypted variables. The main variable I need is ansible_password, which is used to connect to hosts, and it is different for different users.

I tried the vault ID feature with no luck. I have vault_user1.yml and vault_user2.yml. They were encrypted with the same password and two vault IDs:

  • user1
  • user2

When I run the first playbook with this command:

ansible-playbook playbook1.yml -i inventory.yml --user user1 --vault-id user1@/path/to/vault-client.sh

I get the decrypted value of ansible_password from vault_user1.yml.

Then I run the second playbook like this:

ansible-playbook playbook2.yml -i inventory.yml --user user2 --vault-id user2@/path/to/vault-client.sh

and get the decrypted value of ansible_password from vault_user1.yml again. Am I missing something? It looks like the vault-id is not validated.

Is there any simple way to have one variable with two values encrypted with the same password?

If you supply a password and all vaults are encrypted with that password, all of them can be decrypted; no vault ID is needed. In your case, when a variable is defined twice, the last value assigned is used. Try something like this:

- name: read user password
  ansible.builtin.include_vars: "{{ username }}.yml"

Then create multiple var files in vars:

vars/username1.yml
vars/username2.yml

So that the password is only read once for the user currently needed.

Thanks for the quick reply. I found one mistake in my solution. The variable files were in group_vars directory, so they were loaded by default.
I prepared new files in the vars directory but still didn’t get what I needed. I will need more time to check it.

If you post the parts of your playbook that read the variables, I could give you some more tips. group_vars and/or host_vars will only work if the group/host defines the user that should be configured. Otherwise I would use a task like the one I posted.

You’re encrypting vault_user1.yml and vault_user2.yml with the same password, but Ansible Vault IDs are only useful when you’re encrypting files with different passwords. Vault ID tagging doesn’t select which file to use — it just maps a name (user1, user2) to a specific password source. If both vault files use the same password, you can decrypt both without distinguishing IDs.


Proper Methodology to Fix the Use Case

GOAL:

Use one vault password file, two vault-encrypted variable files (vault_user1.yml and vault_user2.yml), and decrypt the correct one depending on which user is running.

SOLUTION:

Instead of using --vault-id, which is mainly for managing multiple passwords, just use --ask-vault-pass (for prompt) or --vault-password-file and load only the correct variable file per playbook:

Folder structure:

vault_user1.yml
vault_user2.yml
group_vars/
  all.yml

vault_user1.yml example:

ansible_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  ...

playbook1.yml:

- hosts: user1
  vars_files:
    - vault_user1.yml
  tasks:
    - debug: var=ansible_password

Run command:

ansible-playbook playbook1.yml --vault-password-file ~/.vault_pass.txt

Do the same for user2, with vault_user2.yml.


I have /install/vars/vault_user1.yml and /install/vars/vault_user2.yml, and added this in /install/playbook1.yml as the first task:

- name: Read user password
  hosts: all
  tasks:
    - name: Read user passwords
      ansible.builtin.include_vars:
        file: vault_user1.yml

    - name: Check ansible_password
      ansible.builtin.debug:
        msg:
        - "The password is: {{ ansible_password }}"
        - "The become password is: {{ ansible_become_password }}"

But it failed with this error:
"Data could not be sent to remote host "192.168.1.5". Make sure this host can be reached over ssh: user1@192.168.1.5: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password)."

So it looks like it tries to log in using SSH keys and not the password from the variable file although I provide the vault password.

Use -vvv when running the playbook. I bet Ansible is using the correct password but with the wrong user (root instead of user1). This can be set, if I'm not mistaken, with

ansible_user: user1
ansible_password: "{{ user_password }}"

Try: delegate_to: localhost

so that the debug task shows something even if the host can’t be reached via ssh

Thank you for suggestions again! It was my mistake. When I added

gather_facts: false

to the “Read user password” play, it started working.

It looks like it tried to gather facts before the variable file was included, so there was no value for ansible_password.

PS ping me when you’re in Gdansk PL; I’ll be happy to buy you guys a coffee or a beer and have a chat.
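Putting the three pieces of this thread together (the include_vars pattern from the first reply, a single --vault-password-file run from the later answer, and the gather_facts: false fix from the final post), here is an added, complete example of the layout and playbook. It is not from the original thread: the file names vars/user1.yml and vars/user2.yml, the username extra variable, the ~/.vault_pass.txt password file and the sample password values are assumptions made for the example.

```yaml
# Added example (not from the thread). Assumed layout, relative to the playbook:
#
#   install/
#     inventory.yml
#     playbook1.yml          this file
#     vars/user1.yml         encrypted: ansible-vault encrypt --vault-password-file ~/.vault_pass.txt vars/user1.yml
#     vars/user2.yml         encrypted: ansible-vault encrypt --vault-password-file ~/.vault_pass.txt vars/user2.yml
#
# Plain-text content of vars/user1.yml before encryption (vars/user2.yml is the
# same shape with the user2 values); the values are made up for the example:
#
#   ansible_user: user1
#   ansible_password: s3cret-for-user1
#   ansible_become_password: s3cret-for-user1
#
# Nothing credential-related lives in group_vars/ or host_vars/, otherwise both
# files would be loaded automatically and the last one wins.
#
# Run:  ansible-playbook playbook1.yml -i inventory.yml -e username=user1 --vault-password-file ~/.vault_pass.txt
#   or: ansible-playbook playbook1.yml -i inventory.yml -e username=user2 --vault-password-file ~/.vault_pass.txt

- name: Load the credentials for the selected user
  hosts: all
  gather_facts: false   # fact gathering would open an SSH session before ansible_password exists
  tasks:
    - name: Refuse to run without an explicit, known username
      ansible.builtin.assert:
        that:
          - username is defined
          - username in ['user1', 'user2']
        fail_msg: "pass -e username=user1 or -e username=user2"
      run_once: true

    - name: Read the vault-encrypted variables for the chosen user
      ansible.builtin.include_vars:
        file: "{{ username }}.yml"   # a bare file name is resolved against ./vars/

    - name: Show which account will be used (the password itself is never printed)
      ansible.builtin.debug:
        msg: "Connecting to {{ inventory_hostname }} as {{ ansible_user }}"

- name: Do the real work as that user
  hosts: all
  gather_facts: true    # first real connection; it uses the ansible_user/ansible_password loaded above
  tasks:
    - name: Confirm who we are on the remote host
      ansible.builtin.command: id -un
      changed_when: false
```

include_vars, assert and debug all run on the controller, so the first play never touches the hosts; the variables it loads are host facts and are still in scope for the second play, which makes the first SSH connection with the selected ansible_user and ansible_password. If you do want Ansible to enforce vault IDs instead of trying every secret you passed, set vault_id_match = True under [defaults] in ansible.cfg (or ANSIBLE_VAULT_ID_MATCH=True in the environment): a file encrypted with --vault-id user1@... carries the header $ANSIBLE_VAULT;1.2;AES256;user1 and is then decrypted only by the secret supplied as user1, so loading the wrong file fails loudly rather than silently decrypting with the shared password. That turns the mistake into an error, but the selection itself still has to come from loading only the one file you need.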