Need keys for vaulted group vars

j.barrett Strausser

Aug 30, 2016, 9:42:46 AM
to Ansible Project
Running Ansible - 1.9.4

I have a number of group_vars that are vaulted.

I have an inventory file; some of the hosts are in vaulted groups, others are not. For instance, I might have different roles in the Backend that need database passwords that are stored in vaulted group vars; others, like FrontEnd roles, do not.

When I limit my run to the hosts that do not need a vault key, I'm still prompted for a key for roles that the host is not a part of.

Both types of roles are in a common role called cloud: that has shared non-vaulted information.

Example:

ansible-playbook  cloud_entry.yml    --limit static-asset-servers --inventory cloud_inventory
ERROR: A vault password must be specified to decrypt /home/barrett/Git/ansible/group_vars/vault-backend.yml

The static-asset-servers hosts are not in any group that ultimately leads to the vault-backend group.

Is my only solution to split my inventory into different files?

Doing this will defeat my putting the hosts in a common Cloud group, though.

-barrett

Brian Coca

Sep 20, 2016, 11:30:27 AM
to ansible...@googlegroups.com
The group/host_vars are ALWAYS loaded as the inventory needs to exist BEFORE ansible can validate the hosts it needs.

If you need those vaulted files to only be available for certain plays, move them out of group/host_vars and use vars_files/include_vars.


----------
Brian Coca
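
One way to lay out the suggestion above with include_vars, as an added example that is not from either poster. The directory name vaulted_vars and the role names frontend and backend are assumptions; cloud, static-asset-servers and vault-backend are the names used in the thread.

```yaml
# cloud_entry.yml (added sketch, not the original poster's playbook).
#
# Assumed change on disk: the encrypted file is moved
#   from  group_vars/vault-backend.yml
#   to    vaulted_vars/vault-backend.yml    (assumed directory name)
# so it is no longer picked up when the inventory's group_vars are loaded.

# Play 1: hosts that need no secrets.
- hosts: static-asset-servers
  roles:
    - cloud            # shared, non-vaulted settings
    - frontend         # assumed role name

# Play 2: hosts that need the database passwords.
- hosts: vault-backend
  pre_tasks:
    # include_vars is an ordinary task: the vaulted file is read and
    # decrypted only when this task executes on a host in this play.
    # pre_tasks run before roles, so the roles below see the variables.
    - name: Load vaulted backend secrets
      include_vars: vaulted_vars/vault-backend.yml
  roles:
    - cloud
    - backend          # assumed role name

# Runs that reach the backend play supply the vault password, e.g.:
#   ansible-playbook cloud_entry.yml --inventory cloud_inventory --ask-vault-pass
```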