Ansible - Ansible Vault password file


If you are not familiar with the Ansible Vault, check out my article Getting Started with the Ansible Vault.

An Ansible Vault password file is typically used with two Ansible commands.

  • The ansible-vault command
  • The ansible-playbook command

For example, let's say you used the ansible-vault create command to create an Ansible Vault encrypted file in the group_vars/all directory named vault.yml.

ansible-vault create group_vars/all/vault.yml

 

Now, if you want to view the group_vars/all/vault.yml file using the ansible-vault view command or edit the group_vars/all/vault.yml file using the ansible-vault edit command, you will be prompted for the Ansible Vault password.

~]# ansible-vault view group_vars/all/vault.yml
Vault password:

 

Similarly, if you run the ansible-playbook command against a playbook that uses the encrypted file and do not include the --ask-vault-pass command line flag (or supply a vault password some other way), the following error is returned. Check out my article Resolve "Attempting to decrypt but no vault secrets found" for more details on this.

ERROR! Attempting to decrypt but no vault secrets found

 

Of course, you could include the --ask-vault-pass command line flag and enter the Ansible Vault password interactively.

However, for anything automated (CI jobs, cron, AWX/Tower) it usually makes more sense to create a vault password file and use the --vault-password-file command line option, provided you are going to use the same password for all of the ansible-vault and ansible-playbook commands. Keep in mind that this file holds the vault password in plain text, so whoever can read it can decrypt everything the vault protects; its permissions matter as much as the vault itself.

ansible-vault create --vault-password-file /usr/local/ansible/vault/.vault_password.txt group_vars/all/vault.yml

 

First, create a file. The file can be named anything you want. The file doesn't have to be hidden, but often is.

touch .vault_password.txt

 

Ensure only the owner of the file can read and write to the file.

chmod 0600 .vault_password.txt

 

If you have a single password that is being used with every ansible-vault command, write your vault password to the file. The file must contain only the password, on a single line; Ansible reads the whole file and strips trailing whitespace.

echo "itsasecret" > .vault_password.txt

 

If you have different passwords in use (for example one for test and one for prod), do not put them all in one file as key:value pairs. Ansible does not understand that format; it would treat the entire contents of the file as one password. Instead, create one password file per vault ID, each containing only that vault ID's password.

echo "testpassword" > .vault_password_test.txt
echo "prodpassword" > .vault_password_prod.txt
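The create, chmod and echo steps above work, but they leave a short window where the file is world-readable and put the password into the shell history. The following shell functions are an added example (not code from the original article or from Ansible) that create a password file with a restrictive umask, read the password from stdin, and check that the result is something Ansible will read the way you expect: a non-executable, owner-only file with exactly one line. The path /usr/local/ansible/vault/test.pass in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example; this is not code from the original article or from Ansible.
# Create a vault password file the way a practitioner would, then check it
# before pointing ansible at it. Two details the plain "touch; chmod; echo"
# sequence gets wrong:
#   - with the default umask (022) the file is world-readable between touch
#     and chmod; set umask 077 so it is born 0600;
#   - a password given on the echo command line ends up in shell history and
#     is visible in "ps" output; read it from stdin instead.
# Ansible reads the whole file and strips trailing whitespace, so a password
# file must hold exactly one line: the password and nothing else. Different
# passwords mean different files, one per --vault-id label.

# create_vault_password_file PATH   (password is read from stdin)
create_vault_password_file() {
    path=$1
    dir=$(dirname "$path")
    [ -d "$dir" ] || mkdir -p -m 0700 "$dir" || return 1
    # Create (or truncate) with a restrictive umask so a new file is 0600 from
    # the start; chmod covers the case where the file already existed.
    (umask 077 && : > "$path") || return 1
    chmod 0600 "$path" || return 1
    # read returns non-zero when the input has no trailing newline; accept
    # that case as long as something was read, but refuse an empty password.
    IFS= read -r secret || [ -n "$secret" ] || return 1
    [ -n "$secret" ] || { echo "$path: empty password refused" >&2; return 1; }
    printf '%s\n' "$secret" > "$path"
}

# check_vault_password_file PATH: non-zero if ansible would misread the file
# or if the file exposes the secret.
check_vault_password_file() {
    path=$1
    [ -f "$path" ] || { echo "$path: not a regular file" >&2; return 1; }
    # An executable file is run as a script by ansible, not read as a password.
    [ ! -x "$path" ] || { echo "$path: is executable, ansible would run it" >&2; return 1; }
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")   # GNU stat, then BSD stat
    case "$mode" in
        600|400) ;;
        *) echo "$path: mode $mode, expected 0600" >&2; return 1 ;;
    esac
    lines=$(grep -c '' "$path" || :)
    [ "$lines" -eq 1 ] || {
        echo "$path: $lines lines; a password file holds one password, not key:value pairs" >&2
        return 1
    }
}

# Typical use (hypothetical path): one file per vault ID, referenced by label.
#   printf 'testpassword\n' | create_vault_password_file /usr/local/ansible/vault/test.pass
#   check_vault_password_file /usr/local/ansible/vault/test.pass
#   ansible-vault create --vault-id test@/usr/local/ansible/vault/test.pass group_vars/all/vault.yml
```

The check deliberately rejects a file that is executable: Ansible decides whether to read a file or run it purely from the executable bit, so a stray chmod +x on a plain password file turns the password into a command name.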

 

You can then use the --vault-password-file command line option (if you are going to use the same password for all of the ansible-vault commands):

ansible-vault view --vault-password-file /usr/local/ansible/vault/.vault_password.txt vault.yml

 

Or the --vault-id command line option (if you want to use different passwords). The label before the @ is stored in the header of the encrypted file, so Ansible knows which password to try first; the file after the @ contains only that label's password.

ansible-vault create --vault-id test@/usr/local/ansible/vault/.vault_password_test.txt vault.yml

 

Or you could set the vault_password_file directive in your ansible.cfg file.

[defaults]
vault_password_file = /usr/local/ansible/vault/.vault_password.txt

 

Or, you could use the ANSIBLE_VAULT_PASSWORD_FILE environment variable to set the path to the vault password file. This is useful if you need to temporarily override vault_password_file in ansible.cfg.

export ANSIBLE_VAULT_PASSWORD_FILE=/usr/local/ansible/vault/.vault_password.txt

 

With either ansible.cfg or the environment variable in place, you wouldn't need to use any of the vault password command line options (--ask-vault-pass, --vault-password-file or --vault-id).

ansible-vault create vault.yml

 

However, my favorite option is to:

  1. Create a secret in Amazon Web Services (AWS) Secrets Manager that contains the Ansible Vault password
  2. Create an AWS Lambda function that gets the Ansible Vault password from the secret
  3. Create an AWS API Gateway that forwards GET requests on to the Lambda function
  4. Create a script (such as a Python script) that submits a GET request to the API Gateway, which returns the Ansible Vault password

For a walk through on this, check out my article Get Ansible Vault password from Amazon Web Services (AWS) Secrets Manager. You would then be able to have the --vault-password-file command line option reference the script that returns the Ansible Vault password from Amazon Web Services. This works because Ansible treats a vault password file that has the executable bit set as a script: it runs the script and uses its standard output as the password. The script therefore has to be executable (chmod 0700) and must print only the password. Since anyone who can send a GET request to that API Gateway endpoint receives the vault password, the endpoint must require authentication and should be reachable only from the hosts that run Ansible.

ansible-playbook example.yml --vault-password-file ./ansibleVault.py
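The same executable-file mechanism also supports several vault IDs from one script. If the script's file name ends in -client (for example vault-client.sh), Ansible passes it --vault-id <label>, so a single script can answer for test and prod. The following is an added example, not code from the original article or from Ansible, of such a client script written in POSIX shell. The backend is a stand-in: it reads the password for label LABEL from an environment variable named VAULT_PASSWORD_<LABEL>, which is an assumption made here in place of the Secrets Manager call described above. The install path /usr/local/ansible/vault/vault-client.sh is also assumed.

```shell
#!/bin/sh
# Added example; not code from the original article or from Ansible.
# A vault password client script. Ansible runs any executable password file
# and reads the password from its stdout; when the file name ends in
# "-client" (for example vault-client.sh) Ansible also passes
# "--vault-id <label>", so one script can serve several vault IDs.
#
# Backend assumption (hypothetical, stands in for the Secrets Manager call):
# the password for label LABEL lives in the environment variable
# VAULT_PASSWORD_<LABEL> with LABEL upper-cased and "-" replaced by "_".
# The label "default" is used when Ansible passes no --vault-id at all.

# vault_client_label ARGS...: print the requested label, or fail on anything
# unexpected. A failure exit makes ansible stop instead of silently using an
# empty string as the vault password.
vault_client_label() {
    label="default"
    while [ $# -gt 0 ]; do
        case "$1" in
            --vault-id)
                [ $# -ge 2 ] || { echo "--vault-id needs a label" >&2; return 1; }
                label="$2"; shift 2 ;;
            --vault-id=*)
                label="${1#--vault-id=}"; shift ;;
            *)
                echo "unexpected argument: $1" >&2; return 1 ;;
        esac
    done
    # The label becomes part of a variable name below, so restrict it.
    case "$label" in
        ""|*[!A-Za-z0-9_-]*) echo "bad vault id label: '$label'" >&2; return 1 ;;
    esac
    printf '%s\n' "$label"
}

# fetch_vault_password LABEL: look the password up in the hypothetical backend.
fetch_vault_password() {
    label=$1
    var="VAULT_PASSWORD_$(printf '%s' "$label" | tr 'a-z' 'A-Z' | tr '-' '_')"
    eval "secret=\${$var:-}"
    if [ -z "$secret" ]; then
        echo "no password configured for vault id '$label' ($var is unset)" >&2
        return 1
    fi
    # Ansible strips the trailing newline from the script's output.
    printf '%s\n' "$secret"
}

vault_client_main() {
    label=$(vault_client_label "$@") || return 1
    fetch_vault_password "$label"
}

# Run only when invoked as a file named like a client script, for example
#   chmod 0700 /usr/local/ansible/vault/vault-client.sh
#   ansible-playbook example.yml --vault-id prod@/usr/local/ansible/vault/vault-client.sh
# Sourcing the file just defines the functions.
case "${0##*/}" in
    *-client*) vault_client_main "$@" ;;
esac
```

Because Ansible invokes the script for every command that touches the vault, a lookup against a remote backend is made on each run; the script should fail loudly (non-zero exit, message on stderr) rather than print an empty line when the backend is unavailable, otherwise Ansible will attempt decryption with the wrong password and the resulting error hides the real cause.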

 



