Welcome to Vigges Developer Community - Open, Learning, Share

Ansible: How to pass multiple password files to playbook

When I run an Ansible playbook, how do I pass multiple password files on the command line?

I want to run this:

ansible-playbook --vault-password-file /path/to/vault-password-file my_playbook.yml

but I want to pass multiple password files, because I use multiple variables in the playbook that use different passwords that are stored in different password files.

How do I do that?

(I'm using Ansible 2.9.16, but can upgrade to 2.10.x if that helps, I'm not bound to any specific version)



1 Answer


You can leverage the vault-ids concept (introduced in Ansible v2.4) to fix your problem. Sample command below:

ansible-playbook --vault-id dev@dev-password --vault-id prod@prompt site.yml

dev -> Is the vault ID

dev-password -> Points to the password to be used

prod -> Another vault ID

prompt -> Prompts for the password

Ansible Docs for complete workflow and setup: https://docs.ansible.com/ansible/2.6/user_guide/vault.html#vault-ids-and-multiple-vault-passwords

Vault IDs setup with existing password files

  1. Ansible config file setup

vault_identity_list = vaultid1@~/path_to_pass1_file/.pass1 , vaultid2@~/path_to_pass2_file/.pass2

  2. Encrypt the file using the respective vaultid

ansible-vault encrypt --encrypt-vault-id vaultid1 file_to_be_encrypted_1
ansible-vault encrypt --encrypt-vault-id vaultid2 file_to_be_encrypted_2

  3. Run your playbook and it will automatically pick the configuration from the ansible.cfg and decrypt the contents.
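An added example, not part of the original answer: a small audit that reads the vault ID label from each encrypted file's header line and compares it with the IDs listed in vault_identity_list, so files encrypted under an ID that has no configured password source are found before a playbook run. The function names, the file names legacy_secrets.yml and staging_secrets.yml, and all sample data are constructed for illustration.

```python
import configparser

# Constructed sample: ansible.cfg with the two vault IDs from the answer above.
SAMPLE_CFG = """\
[defaults]
vault_identity_list = vaultid1@~/path_to_pass1_file/.pass1 , vaultid2@~/path_to_pass2_file/.pass2
"""

# Constructed first lines of vault-encrypted files (ciphertext omitted).
SAMPLE_HEADERS = {
    "file_to_be_encrypted_1": "$ANSIBLE_VAULT;1.2;AES256;vaultid1",
    "file_to_be_encrypted_2": "$ANSIBLE_VAULT;1.2;AES256;vaultid2",
    "legacy_secrets.yml": "$ANSIBLE_VAULT;1.1;AES256",           # 1.1 header: no label
    "staging_secrets.yml": "$ANSIBLE_VAULT;1.2;AES256;staging",  # label not in config
}


def configured_vault_ids(cfg_text):
    """Return {vault_id: password_source} parsed from vault_identity_list."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    raw = parser.get("defaults", "vault_identity_list", fallback="")
    ids = {}
    for entry in filter(None, (e.strip() for e in raw.split(","))):
        label, sep, source = entry.partition("@")
        if sep:  # only labelled entries (id@source) are recorded
            ids[label] = source
    return ids


def header_vault_id(first_line):
    """Return the label from a vault header, or None when the header has none."""
    parts = first_line.strip().split(";")
    if len(parts) < 3 or parts[0] != "$ANSIBLE_VAULT":
        raise ValueError("not an Ansible Vault header: %r" % first_line)
    return parts[3] if len(parts) > 3 else None


def audit(cfg_text, headers):
    """Group files by why their header does not map to a configured vault ID."""
    known = configured_vault_ids(cfg_text)
    report = {"unlabeled": [], "unknown_label": []}
    for name, line in sorted(headers.items()):
        label = header_vault_id(line)
        if label is None:
            report["unlabeled"].append(name)
        elif label not in known:
            report["unknown_label"].append(name)
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_CFG, SAMPLE_HEADERS))
```

By default the label in the header is only a hint and Ansible still tries the other supplied passwords, so a file in either list may decrypt anyway; the report shows which files do not follow the per-ID separation the config describes.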
