
According to the help of ansible-playbook, one could use --user=REMOTE_USER to define the SSH user, but one could also define ansible_ssh_user: REMOTE_USER in either the host_vars or group_vars.

Question

What variable needs to be defined in either the group_vars or host_vars directory so that --vault-password-file does not have to be passed when running ansible-playbook?

Attempts

  • When ansible_vault_password_file: ~/.vault_pass.txt is defined in the config, the decryption fails:

    ERROR! Decryption failed on /path/to/vault
    
  • No associated vault variables were found in this documentation


2 Answers


Here is the definition:

DEFAULT_VAULT_PASSWORD_FILE = get_config(p, DEFAULTS, 'vault_password_file', \
'ANSIBLE_VAULT_PASSWORD_FILE', None, value_type='path')

This means that you put this in either ansible.cfg or the playbook:

vault_password_file: ~/.vault_pass.txt

Or define this variable in your shell:

export ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass.txt

Jiri Klouda

You can set an environment variable ANSIBLE_VAULT_PASSWORD_FILE storing the path to the vault password file. This way you won't always have to use the --vault-password-file switch when running a playbook.

This is described in Ansible's Vault documentation, available here.

So, add export ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass.txt to your ~/.bash_profile, source it and you're ready to go.

If you need different vault passwords for different groups of hosts, then you should do the following:

Inside of this subdirectory, create two files named vars and vault. Inside of the vars file, define all of the variables needed, including any sensitive ones. Next, copy all of the sensitive variables over to the vault file and prefix these variables with vault_. You should adjust the variables in the vars file to point to the matching vault_ variables and ensure that the vault file is vault encrypted.

This is an example of the best-practices approach for managing sensitive information on a per-group basis. More information is available in Ansible's documentation here (the above text is copied from there).

dimitar