In 2.4, you can use multiple vault passwords.
You can have multiple vaulted files and each file can have a different vault password (multiple vaulted files can also share the same password).
YAML files can include embedded vaulted variables, with each embedded vault using a different password (in the same file, or spread across multiple YAML files).
The docs are just getting started, but
https://groups.google.com/d/msg/ansible-project/qG4n_Psys44/675CBpjVAAAJ has an overview and some examples if you want to try it.
I would appreciate any feedback!
With 2.4, for your use case, I would create a vault password file for each secret. For example:
$ ls *_vault_secret
dev_vault_secret
stage_vault_secret
prod_vault_secret
admin_vault_secret
Then I would encrypt each playbook file that needs encryption with the appropriate vault-id.
For example, if there is a set of db_password files to deploy to app servers:
files/dev_db_password
files/stage_db_password
files/prod_db_password
files/admin_db_password
ansible-vault encrypt --vault-id dev@dev_vault_secret files/dev_db_password
ansible-vault encrypt --vault-id stage@stage_vault_secret files/stage_db_password
ansible-vault encrypt --vault-id prod@prod_vault_secret files/prod_db_password
ansible-vault encrypt --vault-id admin@admin_vault_secret files/admin_db_password
# the '--vault-id admin@admin_vault_secret' means 'use the vault-id "admin" and its password from "admin_vault_secret"'
To run 'dev_site.yml' with the dev and stage secrets:
ansible-playbook --vault-id dev@dev_vault_secret --vault-id stage@stage_vault_secret dev_site.yml
dev_db_password will be decrypted with the 'dev' vault-id (the password from dev_vault_secret) etc.
The admins could use:
ansible-playbook --vault-id admin@admin_vault_secret --vault-id stage@stage_vault_secret stage_site_db_truncate.yml
[looking at your example, I see that it will be useful to be able to specify a list of vault ids in ansible.cfg. Currently, devel/ code can use the existing vault_password_file config to specify a single default vault id, but I'll try to get something like an 'ansible_vault_id_list' config variable added as well]
Note that with the default config, if you provide a vault-id that is not used or fails to decrypt something, that doesn't cause a failure as long as some other vault-id (or --vault-password-file or --ask-vault-pass) does. I.e., you can provide extra unused vault-ids on the CLI.
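The label-first, then fall-back decryption behaviour the post describes, modelled as an added Python example (this is not Ansible's own code and cannot read or write real vault files). It reproduces the real 1.2 header layout `$ANSIBLE_VAULT;1.2;AES256;<vault-id>`, the real key schedule (PBKDF2-HMAC-SHA256, 10000 iterations, 80 derived bytes split into cipher key, HMAC key and IV) and the HMAC-before-decrypt check that decides whether a password "fails to decrypt", but it substitutes a SHA-256 keystream for AES-CTR and simplifies the body layout so it runs on the standard library alone. The `strict` flag is this example's stand-in for the ansible.cfg `vault_id_match` setting; the sample passwords and plaintext are constructed for the test.

```python
"""Model of the 2.4 multi vault-id selection logic (added illustration, not Ansible code)."""
import hashlib
import hmac
import os

HEADER = "$ANSIBLE_VAULT"
VERSION = "1.2"
CIPHER = "AES256"            # label kept as in the real header; the keystream below is NOT AES
DEFAULT_VAULT_ID = "default"  # label Ansible assigns when --vault-id is given without 'label@'


def parse_vault_id_arg(arg):
    """'dev@dev_vault_secret' -> ('dev', 'dev_vault_secret'); bare 'file' -> ('default', 'file')."""
    if "@" in arg:
        label, source = arg.split("@", 1)
        return label, source
    return DEFAULT_VAULT_ID, arg


def _derive(secret, salt):
    # Real vault schedule: 80 bytes = 32-byte cipher key, 32-byte HMAC key, 16-byte IV.
    key = hashlib.pbkdf2_hmac("sha256", secret, salt, 10000, dklen=80)
    return key[:32], key[32:64], key[64:80]


def _keystream(key, iv, n):
    # Toy counter-mode keystream built from SHA-256; stands in for AES-CTR only.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + ctr.to_bytes(16, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(plaintext, vault_id, secret):
    salt = os.urandom(32)
    k1, k2, iv = _derive(secret, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(k1, iv, len(plaintext))))
    tag = hmac.new(k2, ct, hashlib.sha256).digest()
    # Simplified body: salt, HMAC tag and ciphertext as hex on separate lines.
    return "%s;%s;%s;%s\n%s\n%s\n%s\n" % (HEADER, VERSION, CIPHER, vault_id,
                                           salt.hex(), tag.hex(), ct.hex())


def parse(vaulttext):
    header, _, body = vaulttext.partition("\n")
    parts = header.split(";")
    if parts[0] != HEADER:
        raise ValueError("not vault text")
    vault_id = parts[3] if len(parts) > 3 else None   # 1.1 headers carry no label
    lines = body.split("\n")
    return vault_id, bytes.fromhex(lines[0]), bytes.fromhex(lines[1]), bytes.fromhex(lines[2])


def _try_secret(secret, salt, tag, ct):
    k1, k2, iv = _derive(secret, salt)
    if not hmac.compare_digest(hmac.new(k2, ct, hashlib.sha256).digest(), tag):
        return None   # wrong password: the HMAC check fails before anything is decrypted
    return bytes(a ^ b for a, b in zip(ct, _keystream(k1, iv, len(ct))))


def decrypt(vaulttext, secrets, strict=False):
    """secrets: {label: password_bytes} in the order the --vault-id options were given.

    Returns (label_used, plaintext).  The secret whose label matches the header is
    tried first; unless strict, every other supplied secret is tried afterwards, so
    unused or non-matching vault-ids on the command line are harmless.
    """
    vault_id, salt, tag, ct = parse(vaulttext)
    order = [vault_id] if vault_id in secrets else []
    if not strict:
        order += [label for label in secrets if label != vault_id]
    for label in order:
        pt = _try_secret(secrets[label], salt, tag, ct)
        if pt is not None:
            return label, pt
    raise ValueError("decryption failed; tried vault-ids %r" % list(secrets))


if __name__ == "__main__":
    # Constructed sample: the 'dev' file from the post, run with dev and stage secrets plus an unused admin one.
    secrets = dict(parse_vault_id_arg(a) for a in ["dev@dev_vault_secret", "stage@stage_vault_secret"])
    passwords = {"dev": b"dev-pass", "stage": b"stage-pass", "admin": b"admin-pass"}
    vt = encrypt(b"db-password-for-dev", "dev", passwords["dev"])
    print(vt.splitlines()[0])
    print(decrypt(vt, {label: passwords[label] for label in list(secrets) + ["admin"]}))
```

The order list is the whole point: with `strict=False` a vault text labelled `dev` still decrypts when the right password was supplied under some other label, and a label present on the command line but never needed is simply skipped, which is the "extra unused vault-ids" behaviour described above. Turning `strict` on refuses anything whose label is not among the supplied vault-ids.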