When are vault values resolved during playbook?

[Derptacos]

I have a playbook that requires a value from a vault - but I am consistently running into issues regarding the existence of this variable (lets call this variable private_key)

In the vault I have:

foo:

    private_key: | 
    "........."

In the playbook I have:

    - { role: bar, bar: {

                                'private_key': '{{foo.private_key}}',

                              } 

     }

The error itself: One or more undefined variables: 'dict object' has no attribute 'private_key'

When are the values within the vault resolved when running a playbook? Or am I approaching the use of vault values the incorrect way?

Thank you!

[James Cammarata]

Where in the playbook are you specifying the vault file? Is it in vars_files or somewhere else?

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/2b26dd67-f214-4e2c-ab22-57d02a27c108%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Derptacos]

The file is in group_vars

[Derptacos]

I explicitly loaded the file in the playbook and it seems to have resolved the issue.

vars_files:

  - group_vars/secret.yml

[James Cammarata]

Inventory variables are resolved after roles are read in, so yes moving the vault file to the vars_files section is the correct placement.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/6e3ea10a-98b1-4ce2-a516-756584313698%40googlegroups.com.

[Serge van Ginderachter]

On 21 May 2014 16:44, James Cammarata <jcamm...@ansible.com> wrote:

Inventory variables are resolved after roles are read in, so yes moving the vault file to the vars_files section is the correct placement.

​But having a non-inventory ​variable file within group_vars is not a good idea to me ( see also the other thread I just replied on).

I you happen to have a group 'secret' , thise will also get the secrets, which might not be what you intended.

[Michael DeHaan]

Agree with Serge above on "group_vars" being a confusing name for this.

But yes, the fact that a file needs a vault password will be detected at the point that file is read.

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAEhzMJAhm06Yc28%2BsuNZaAkM%3D4GWoqHvRhn5g%2BrBV-71%3D%3DGpMg%40mail.gmail.com.