Ansible - Create variables for groups of nodes using group_vars


Following are the different ways that variables can be set in Ansible. This list is in order of precedence, where an option higher in the list takes precedence over options lower in the list.

The group_vars directory can be used to create variables that can be used by:

  • all managed nodes (e.g. target systems)
  • certain managed nodes (e.g. target systems)

For example, let's say main.yml contains variables, perhaps something like this.

foo: "Hello World"
environments:
  - development
  - staging
  - production


Variables defined in the group_vars/all/main.yml file will be available to all target servers, whereas variables defined in the group_vars/dev/main.yml file would only be available to target servers that are part of the "dev" group.

Let's say you have a group of dev and prod servers in your default hosts file or your own inventory file.



In this scenario, you could create files in the group_vars directory like this.



Or like this.




If both group_vars/all.yml and group_vars/all/main.yml exist, group_vars/all/main.yml will take precedence over group_vars/all.yml.

In this example:

  • variables in group_vars/all would be made available to all hosts (both the dev and prod hosts)
  • variables in group_vars/dev would only be available to the dev hosts
  • variables in group_vars/prod would only be available to the prod hosts


Here is an example of a playbook with hosts set to all (it could also be set to dev or prod).

- hosts: all
  tasks:
  - debug:
      var: foo

  - debug:
      var: environments


Which should return something like this.

TASK [debug]
ok: [] => {
    "foo": "Hello World"
}

ok: [] => {
    "environments": [
        "development",
        "staging",
        "production"
    ]
}


Encrypted Ansible Vault File

You could also create an encrypted file using the ansible-vault create command in one of the group_vars directories.

ansible-vault create group_vars/all/vault.yml


Let's say group_vars/all/vault.yml contains the following.

bar: World


Let's say your playbook contains the "bar" variable.

- hosts: all
  tasks:
  - debug:
      var: bar


When using the ansible-playbook command to run your playbook, you could use the --ask-vault-pass option.

ansible-playbook example.yml --ask-vault-pass


And you will be prompted for the vault password.

Vault password:


Or, to avoid being prompted for the vault password, you could create a vault password file, and then use the --vault-password-file command line option (if you are going to use the same password for all of the ansible-vault commands).

ansible-playbook example.yml --vault-password-file /usr/local/ansible/vault/.vault_password.txt


Or the --vault-id command line option (if you want to use different passwords).

ansible-playbook example.yml --vault-id john.doe@/usr/local/ansible/vault/.vault_password.txt


Or you could set the vault_password_file directive in the [defaults] section of your ansible.cfg file.

[defaults]
vault_password_file = /usr/local/ansible/vault/.vault_password.txt


In this scenario, you wouldn't need to use any of the vault password command line options (--ask-vault-pass, --vault-password-file, --vault-id).

ansible-playbook example.yml


The playbook should then output the following, where the value of the "bar" variable in the encrypted group_vars/all/vault.yml file is returned.

TASK [debug]
ok: [] => {
    "bar": "World"
}
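
As an added example (not part of the original article, and not Ansible's own tooling), the shell functions below check two things this section relies on: that every vault.yml under group_vars begins with the $ANSIBLE_VAULT; header that ansible-vault writes, and that the vault password file grants no access to group or other. The function names are hypothetical, and GNU stat is assumed.

```shell
#!/usr/bin/env bash
# Added example: audit group_vars vault hygiene. Function names are hypothetical.

# Succeeds if the first line of the file is the header ansible-vault writes.
is_vault_encrypted() {
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;'
}

# Prints each vault.yml below the given directory that is still plaintext.
find_plaintext_vaults() {
    local dir="$1" f
    find "$dir" -type f -name 'vault.yml' | sort | while IFS= read -r f; do
        is_vault_encrypted "$f" || printf '%s\n' "$f"
    done
}

# Succeeds only if the password file grants nothing to group or other.
# Assumes GNU stat; returns 2 if stat fails (for example, the file is missing).
password_file_is_private() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case "$mode" in
        [0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

# Runs both checks, reports findings, returns non-zero if anything failed.
audit_group_vars() {
    local dir="$1" pwfile="$2" rc=0 leaks
    leaks=$(find_plaintext_vaults "$dir")
    if [ -n "$leaks" ]; then
        printf '%s\n' "$leaks" | sed 's/^/NOT ENCRYPTED: /'
        rc=1
    fi
    if ! password_file_is_private "$pwfile"; then
        printf 'NOT PRIVATE OR MISSING: %s\n' "$pwfile"
        rc=1
    fi
    return "$rc"
}

# Usage: ./audit.sh group_vars /usr/local/ansible/vault/.vault_password.txt
if [ "$#" -eq 2 ]; then
    audit_group_vars "$1" "$2"
fi
```

Run as a pre-commit or CI step, a non-zero exit stops a plaintext vault.yml from reaching the repository.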

