If you are not familiar with the Ansible Vault, check out my article Getting Started with the Ansible Vault.

Let's say you have created an Ansible Vault encrypted file using the ansible-vault create command. For example, perhaps you created a file named vault.yml in the group_vars/all directory.

ansible-vault create group_vars/all/vault.yml

And let's say the vault.yml files contains the postgres_pw variable.

postgres_pw: itsasecret

And you have a playbook that contains the postgres_pw variable.

---
- hosts: postgres
  tasks:
  - community.postgresql.postgresql_query:
      db: mydb
      login_user: john.doe
      login_password: "{{ postgres_pw }}"
      query: SELECT * FROM mytable
...

This assumes you have created the Ansible Vault password file. Let's say the password file is:

/usr/local/vault/.vault_password.txt

In this scenario, the vault.yml file will need to be decrypted when running the postgres playbook. This is often done by using the --vault-password-file command line option and pointing to a TXT file that contains the password that can be used to decrypt the vault.yml file, perhaps like this.

ansible-playbook postgres.yml --inventory inventory.yml --vault-password-file /usr/local/vault/.vault_password.txt

Similarly, the --vault-password-file command line option can be used with the ansible-vault command. For example, to view a vault encrypted file (foo.txt).

ansible-vault --vault-password-file /usr/local/vault/.vault_password.txt view foo.txt

The ansible-vault command can be used to perform a number of tasks.

• ansible-vault create - create an encrypted file
• ansible-vault decrypt - decrypt and encrypted file
• ansible-vault edit - edit an encrypted file
• ansible-vault encrypt - encrypt a non-encrypted file
• ansible-vault encrypt_string - encrypt a string
• ansible-vault rekey - change password used to view or decrypt an encrypted file
• ansible-vault view - view the cleartext contents of an encryped file

Additionally, there are a few command line options to be aware of.

• --ask-vault-pass - prompt for the vault password
• --vault-id - use a specific users password in a file
• --vault-password-file - use a single password in a file

A vault password file can be used to provide the vault password when:

• Copying an encrypted file to managed nodes using the copy module
• Creating a new encrypted file using the ansible-vault create command
• Creating an encrypted key:value pair using the ansible-vault encrypt_string command
• Decrypting an encrypted file using the ansible-vault decrypt command
• Editing an encrypted file using the ansible-vault edit command
• Encrypting an unencrypted file using the ansible-vault encrypt command
• Viewing the content of an encrypted file using the ansible-vault view command