Bootstrap FreeKB - Ansible - --vault-id command line option
Ansible - --vault-id command line option

Updated:   |  Ansible articles

If you are not familiar with the Ansible Vault, check out my article Getting Started with the Ansible Vault.

The ansible-vault command can be used to perform a number of tasks.

Additionally, there are a few command line options to be aware of.

 

This assumes you have created the Ansible Vault password file. Let's say the password file is:

/usr/local/vault/.vault_password.txt

 

Let's say .vault_password.txt contains the following.

test:testpassword
prod:prodpassword

 

A vault password file can be used to provide the vault password when:

 

Let's say vault.yml was created using --vault-id with the "test" password.

~]$ ansible-vault create --vault-id prod@/usr/local/ansible/vault/.vault_password.txt vault.yml

 

In this example, vault.yml will contain the "test" id.

~]$ cat vault.yml
$ANSIBLE_VAULT;1.2;AES256;test
38626262613533326438383838363032346366643231633838393661633061633830383832643062
6666663233666435636165323038653462343732343264310a616532376238616537613832363565
63336561303230626332326436303830356335343061386333636131386435316633396464353832
3631303831333164610a393266346630313635313831626639303961663330333736393236373032
3062

 

You can view vault.yml by including the --vault-id command line option and you will not be prompted for the vault password.

ansible-vault --vault-id test@/usr/local/ansible/vault/.vault_password.txt view vault.yml

 

Or, let's say you are using the --ask-pass flag with the ansible-playbook command.

ansible-playbook example.yml --ask-pass

 

You could instead use the --vault-password-file command line option. In this example, .vault_password.txt would be an unencrypted cleartext file that contains the password used to make an SSH connection to the managed nodes.

ansible-playbook example.yml --vault-password-file /usr/local/ansible/vault/.vault_password.txt

 

Or you could set the vault_password_file directive in your ansible.cfg file.

[defaults]
vault_password_file = /usr/local/ansible/vault/.vault_password.txt

 

In this scenario, you wouldn't need to use any of the vault password command line options (--ask-vault-pass--vault-password-file--vault-id).

ansible-playbook example.yml

 




Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee



Comments


November 17 2022 by John DB
Do you mean to imply that a vault password file can hold more than one distinct password, indexed by a Vault ID? This seems not to be the case in my tests, although I wish it was true. If you have a working example with these vault password lines, edit the file and move the top line (test) underneath "prod". Then see if your existing vaults can still be decrypted. test:testpassword prod:prodpassword

November 21 2022 by Urs S
Indeed, I'm am agree with John. In my point of view, there are serveral mistake. "ansible-vault --vault-id test@/usr/local/ansible/vault/.vault_password.txt view vault.yml" --> this command is not accepted by ansible-vault command. And the desirable way to use multi password in one file is not working. If you remove one id which is not used, the decryption would not work anymore.

June 08 2023 by Alexey
Isn't there an error in "ansible-vault create --vault-id prod@/usr/local/ansible/vault/.vault_password.txt vault.yml"? It seems to me, "test@..." should be here instead of "prod@". Because just above written "Let's say vault.yml was created using --vault-id with the "test" password."

Add a Comment


Please enter 5b949a in the box below so that we can be sure you are a human.