The ansible-vault command can be used to perform a number of tasks.

• ansible-vault create - create an encrypted file
• ansible-vault decrypt - decrypt and encrypted file
• ansible-vault edit - edit an encrypted file
• ansible-vault encrypt - encrypt a non-encrypted file
• ansible-vault encrypt_string - encrypt a string
• ansible-vault rekey - change password used to view or decrypt an encrypted file
• ansible-vault view - view the cleartext contents of an encryped file

Additionally, there are a few command line options to be aware of.

• --ask-vault-pass - prompt for the vault password
• --vault-id - use a specific users password in a file
• --vault-password-file - use a single password in a file

This assumes you have created the Ansible Vault password file. Let's say the password file is:

/usr/local/vault/.vault_password.txt

Let's say .vault_password.txt contains the following.

test:testpassword
prod:prodpassword

A vault password file can be used to provide the vault password when:

• Creating a new encrypted file using the ansible-vault create command
• Creating an encrypted key:value pair using the ansible-vault encrypt_string command
• Decrypting an encrypted file using the ansible-vault decrypt command
• Editing an encrypted file using the ansible-vault edit command
• Encrypting an unencrypted file using the ansible-vault encrypt command
• Viewing the content of an encrypted file using the ansible-vault view command

Let's say foo.txt was created using --vault-id with the "test" password.

~]$ ansible-vault create --vault-id prod@/usr/local/ansible/vault/.vault_password.txt foo.txt

In this example, foo.txt will contain the "test" id.

~]$ cat foo.txt
$ANSIBLE_VAULT;1.2;AES256;test
38626262613533326438383838363032346366643231633838393661633061633830383832643062
6666663233666435636165323038653462343732343264310a616532376238616537613832363565
63336561303230626332326436303830356335343061386333636131386435316633396464353832
3631303831333164610a393266346630313635313831626639303961663330333736393236373032
3062

You can view foo.txt by including the --vault-id command line option and you will not be prompted for the vault password.

ansible-vault --vault-id test@/usr/local/vault/.vault_password.txt view foo.txt

Or, let's say you are using the --ask-pass flag with the ansible-playbook command.

ansible-playbook foo.yml --ask-pass

You could instead use the --vault-password-file command line option. In this example, .vault_password.txt would be an unencrypted cleartext file that contains the password used to make an SSH connection to the managed nodes.

ansible-playbook foo.yml --vault-password-file /usr/local/vault/.vault_password.txt

The great advantage to this approach is that you wouldn't need to use the --vault-password-file or --vault-id command line options.

ansible-vault view foo.txt