I have a playbook that requires a value from a vault - but I am consistently running into issues regarding the existence of this variable (let's call this variable private_key).
In the vault I have:
foo:
  private_key: |
    "…"
In the playbook I have:
- { role: bar, bar: {
      'private_key': '{{foo.private_key}}',
    }
  }
The error itself: One or more undefined variables: 'dict object' has no attribute 'private_key'
When are the values within the vault resolved when running a playbook? Or am I approaching the use of vault values the incorrect way?
Thank you!
Where in the playbook are you specifying the vault file? Is it in vars_files or somewhere else?
The file is in group_vars
I explicitly loaded the file in the playbook and it seems to have resolved the issue.
vars_files:
Inventory variables are resolved after roles are read in, so yes, moving the vault file to the vars_files section is the correct placement.
But having a non-inventory variable file within group_vars is not a good idea to me (see also the other thread I just replied on).
If you happen to have a group 'secret', this will also get the secrets, which might not be what you intended.
Agree with Serge above on “group_vars” being a confusing name for this.
But yes, the fact that a file needs a vault password will be detected at the point that file is read.
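The layout the thread converges on, as an added example that is not from any of the posters: the vault file is kept outside group_vars and loaded explicitly through vars_files. The file names site.yml and secrets/vault.yml are placeholders assumed for illustration; the role and variable names are the ones from the question.

```yaml
# site.yml (hypothetical playbook name)
#
# secrets/vault.yml is a placeholder path. It sits outside group_vars/ so it
# can never be matched to an inventory group by its file name.
# Encrypt it once with:  ansible-vault encrypt secrets/vault.yml
#
# Decrypted, it has the structure shown in the question:
#   foo:
#     private_key: |
#       ...
- hosts: all
  vars_files:
    # Loaded explicitly as a play variable file, which is the change that
    # resolved the undefined-variable error in the thread.
    - secrets/vault.yml
  roles:
    - role: bar
      bar:
        private_key: "{{ foo.private_key }}"

# Run with the vault password supplied, for example:
#   ansible-playbook site.yml --ask-vault-pass
```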