I'm running Ansible 2.6.2 and trying to wrap my head around the --vault-id and multiple vault passwords <https://docs.ansible.com/ansible/latest/user_guide/vault.html#vault-ids-and-multiple-vault-passwords>.

As I understand it, the usefulness it brings is that different users can have their playbook decrypt their team's version of the variable and we don't have to create different vaulted files for each environment. I'm having trouble determining how to set up the variable file properly. To test this, I set up a simple test like this:

# Setup a simple playbook to pull in the variable file then show the encrypted data:
# The "validate_dev.yml" playbook:

---
- hosts: localhost
  become: yes
  gather_facts: no
  tasks:
    - name: "Read in the password file."
      include_vars:
        file: "the_secrets.yml"
    - name: "The value of the_password variable."
      debug:
        msg: "The value of the_password is {{the_password}}."

# 1 - Setup the development and production encryption/decryption keys.

echo -n DevDecryptKey > dev_decrypt_key.txt
echo -n ProdDecryptKey > prod_decrypt_key.txt

# 2 - Build the vaulted "the_secrets.yml" file for dev and prod

echo -n "DevPassW0rd!" | ansible-vault encrypt_string --vault-id dev@dev_decrypt_key.txt --stdin-name "the_password" | tee -a the_secrets.yml
echo -n "ProdPWD!" | ansible-vault encrypt_string --vault-id prod@prod_decrypt_key.txt --stdin-name "the_password" | tee -a the_secrets.yml

# 3 - Show the the_secrets.yml file:
# Note that it contains the "the_password" variable twice, the first with the "dev" vault ID, the second with the "prod" vault ID.

the_password: !vault |
          $ANSIBLE_VAULT;1.2;AES256;dev
          38333335626439323236303337313065353533643537623737663932653864333466333231393830
          3530626365303535396237643932373437323438643235660a373235336330663762323134393436
          62643134316438326135366637623831666436633331333333343464636435373564613432373564
          3664393736333062650a666531336463393162376335386438393664303265633937633935386666
          6631
the_password: !vault |
          $ANSIBLE_VAULT;1.2;AES256;prod
          64326635306363636338353930313564353639326166326531613362383730633539343164376432
          6462393037353831626361633536356135363235623039350a626561313137396330653738303665
          64353963363538653039633739336266646333353433386130643538656266646537616361643437
          3534373736323331640a323934316138323737636363303663353932383965386664353630383132
          31656565313030633161306531363135623536383733663133353032393532313736

# 4 - Try to execute for the dev then prod keys

ansible-playbook -l localhost -e ansible_connection=local --vault-id ./prod_decrypt_key.txt ./validate_dev.yml

*THIS WORKS* - presumably because "the_password" variable was defined twice and the second one (prod) overwrote it.

ansible-playbook -l localhost -e ansible_connection=local --vault-id ./dev_decrypt_key.txt ./validate_dev.yml

*THIS FAILS* - presumably because "the_password" variable was defined twice and the second one (prod) overwrote it.

I assume the file containing the vaulted password ("the_secrets.yml") needs to be set up differently, but I can't find where that format/usage is documented.
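An added check, not from the original post and not part of Ansible itself: it scans a secrets file in the layout shown above, reads only the `$ANSIBLE_VAULT;<version>;<cipher>;<label>` envelope header of each `!vault` value (nothing is decrypted), and flags any variable defined more than once, which is the situation in the file above since a YAML mapping keeps one value per key and the later definition replaces the earlier one. The sample file content is constructed, with shortened ciphertext.

```python
import re
from collections import Counter

# A top-level "key: !vault |" line that opens an encrypted block scalar.
VAULT_KEY_RE = re.compile(r"^(?P<key>[A-Za-z_]\w*):\s*!vault\s*\|\s*$")
# Vault envelope header; the trailing label (vault-id) only exists in format 1.2.
HEADER_RE = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>[\d.]+);(?P<cipher>\w+)(?:;(?P<label>[^;]+))?$"
)

# Constructed sample: same shape as the poster's file, ciphertext truncated.
SAMPLE_SECRETS = """\
the_password: !vault |
  $ANSIBLE_VAULT;1.2;AES256;dev
  3833333562643932323630333731306535
the_password: !vault |
  $ANSIBLE_VAULT;1.2;AES256;prod
  6432663530636363633835393031356435
api_token: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  3135623536383733663133353032393532
"""


def scan_vaulted_vars(text):
    """Return (variable, vault_version, vault_id_label) tuples in file order.
    The label is None for 1.1 envelopes, which carry no vault-id."""
    entries = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = VAULT_KEY_RE.match(line)
        if not m:
            continue
        # The header is the first non-blank line inside the block scalar.
        header = next((l.strip() for l in lines[i + 1:] if l.strip()), "")
        h = HEADER_RE.match(header)
        if not h:
            raise ValueError(f"{m['key']}: missing or malformed vault header")
        entries.append((m["key"], h["version"], h["label"]))
    return entries


def duplicate_vars(entries):
    """Variables defined more than once: only the last definition survives
    when the file is loaded, so earlier vault-id variants are silently lost."""
    counts = Counter(key for key, _, _ in entries)
    return sorted(k for k, n in counts.items() if n > 1)


if __name__ == "__main__":
    found = scan_vaulted_vars(SAMPLE_SECRETS)
    for key, version, label in found:
        print(f"{key}: vault format {version}, vault-id {label or '(none)'}")
    for key in duplicate_vars(found):
        print(f"WARNING: {key} is defined more than once; one value survives")
```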