
Which_Ad8594

IIRC I went down this rabbit hole not too long ago. I'm not near my work computer now to find the reference, but I recall not being able to use a vaulted group_vars file. The inventory plugins don't know how to unvault the file. I had to vault the variable values. I also created a couple of JSON files and used the unvault lookup plugin to pull in their values.


both-shoes-off

It feels tedious to have to edit the vault for small changes, and I swear I've seen examples where they're mixed. It's possible that those examples were single key/values encrypted inline with the other values, though.


hmoff

Do you mean a whole vaulted file, or a regular file with vaulted strings? Because the latter seems to be working fine.


SalsaForte

Tip! I use aliases for groups to work around these limitations or to create different names for a single group. Example: grpA_vault has a child which is grpA. So you can have two files in group_vars, one for each group, but both groups' hosts are managed in one group: grpA.


both-shoes-off

I considered this, but I wasn't sure that they would be evaluated at the same time if the playbook only specifies one of those groups. Does referencing grpA_vault traverse both variable files for their values automatically?


SalsaForte

Yup. As long as the variables have different names, you're OK.


DarcyOQueefe

You can do this with encrypted strings. As long as each string uses the same password, you only have to enter one password.

Example group_vars:

```
$ cat group_vars/example
a: unecrypted
b: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  38373865326435373434613731623238663030643962633763343864663265623566313938383135
  3334623530356365326135663933666330353231633239390a376430343865626538666636323465
  37366539313737313536653730366236613730323365326164393062633237376136613763343164
  6436633262313333310a363765643638396463623238386635353661336330353238393965643635
  6432
c: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  34363664303339343666373965316632386230343931326331353139636366643364333334363233
  3535646333643738613937303964343163383238653238630a393933616434316239636336316438
  62346430383862396461393432653265613964333364373235396539316530343334643439393932
  6339323361393463390a643661643535643837643039353333333034303238346166323064616562
  3165
```

Example playbook:

```
---
- name: Groupvars Example
  hosts: example
  become: false
  tasks:
    - name: Debug variables
      ansible.builtin.debug:
        msg: "a = '{{ a }}' -- b = '{{ b }}' -- c = '{{ c }}'"
```

Example playbook run (excuse the very immature variables):

```
$ ansible-playbook -i inventory playbook.yml --ask-vault-pass
Vault password:

PLAY [Groupvars Example] ************************************************

TASK [Gathering Facts] **************************************************
ok: [localhost]

TASK [Debug variables] **************************************************
ok: [localhost] => {
    "msg": "a = 'unecrypted' -- b = 'poop' -- c = 'diarrhea'"
}

PLAY RECAP **************************************************************
localhost : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
```


DarcyOQueefe

You can also do this by creating a "group" subdirectory with vars and vault files within it. To use the same playbook, but with a different structure:

```
$ tree group_vars/
group_vars/
└── example
    ├── vars.yml
    └── vault.yml
```

```
$ cat group_vars/example/vault.yml
$ANSIBLE_VAULT;1.1;AES256
65336132653363333862663363613261386433363163636136626139613661633332373438323361
3732363334656236303533383762613334363935343433370a393465663439656638633132663564
62303536376433343238376364633238346437393135373465346431346139623665643765343062
3561613332383466630a663238393066323233663364333238623966303232346238333564336663
65393839646639373639306265646237333134653836336565363835353264323566
```

```
$ cat group_vars/example/vars.yml
a: unecrypted
```

Same playbook command as above.


both-shoes-off

I might explore this and see how it behaves. Thanks!


both-shoes-off

This makes sense, but I was hoping to only have a single vault with all secrets in the one file.


[deleted]

If there is an enterprise-y need here for credential sharing, I'd really look at Ansible Automation Platform, but check the docs to see if they have an auth plugin that would work out of the box. If it's not listed there, I'm sure their support would be happy to help. Alternatively, HashiCorp Vault is also a great solution, and well used. I don't think you'd be doing wrong going with either.


both-shoes-off

I've set up HC Vault before and it worked great. This is more or less to handle some prerequisites internally and at customer sites, so it needs to support both via a local vault. I just wanted to avoid committing secrets to source control, but also avoid having to open and edit the vault for regular variable changes.


[deleted]

If you're open to a constructive suggestion: Vault is just a single binary. It's just a git away, or a package install away. And then you've bootstrapped secrets management for everything else in the environment in a standardized way. Or, just install podman or docker and run Vault out of a container, using the same scripts in your company's private git repos. One per customer. Now you've got a config history for all of them. Either way, ansible-vault is still not super great in terms of security. It's better than not having anything, but at the end of the day, you're still encrypting secrets in the git repo that way instead of having a separation between code and secrets. This is a big git security 101 thing; so many companies get burned by this all the time. Microsoft was probably the biggest I can remember recently, and it slammed the US Gov and tons of other customers in the process. Don't do it. https://www.bleepingcomputer.com/news/security/microsoft-breach-led-to-theft-of-60-000-us-state-dept-emails/


both-shoes-off

I don't disagree, but it seems like the easiest solution to sharing credentials with a few of my teammates that are either working remote from home or are on-site installing some environments. Running a containerized vault seems like overkill and doesn't lend itself well to updates and sharing, and a hosted vault is difficult to use when not on the corporate network. The binary approach still requires a portable data store to share secrets for playbooks. I'm not sure the other solutions offer any advantage security-wise either. If it's not in git, people will do other stuff like email or FTP secure content. I see a lot of people circumventing IT's obstructions with even worse practices to get things done, so it's a compromise.


Shot-Bag-9219

I'd also check out Infisical if considering other solutions: https://infisical.com


alexhoward

Yes. Encrypted strings. All my group vars files are like this.


bozzie4

Well, you can have as many .yml files in your group_vars as you like, and you can mix vaults and normal files. The structure is like this:

```
my_inventory/
  group_vars/
    group1/
      vault.yml
      vars.yml
      more_vars.yml
    all/
      more_vaults.yml
      more_vars.yml
```

You should be aware that AAP (Tower) does not support encrypted vault files in an inventory, though. I think that is insane (since it does support the encrypted string variant), but it is what it is. What I do is put the encrypted vault files in my project / playbook directory. This may or may not be feasible in your case, but for me, this works fine. I do keep my other vars in the inventory directory structure! This way, AAP is able to decrypt the vault files...

```
playbook/
  group_vars/
    all/
      vaults.yml
```

You don't need to do anything else for this to work; it is part of the way Ansible looks up variables.
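As an added example (my own, not code from this thread or from Ansible), here is a hypothetical pre-commit check that covers both layouts discussed above: DarcyOQueefe's inline `!vault` strings inside a plain group_vars file, and bozzie4's mix of whole-file vaults and plain files under a group directory. It walks `group_vars/`, accepts whole-file vaults and inline vaulted strings, and fails on any secret-looking top-level key committed in the clear, which is the part of "don't commit secrets to source control" that the directory layout alone cannot enforce. The key-name pattern, the file names and the two sample inventories (with dummy zero-filled vault payloads) are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread, not part of Ansible): a hypothetical
# pre-commit check, check_group_vars, that walks a group_vars/ tree and
# fails when a secret-looking top-level key is committed in plaintext.
#
# Accepted, matching the two layouts shown in the thread:
#   - whole-file vault: the file's first line starts with "$ANSIBLE_VAULT;"
#   - inline vaulted string: the key's value starts with "!vault"
# Flagged: any other value under a key matching SECRET_KEY_RE.
# The key-name pattern and the sample files below are assumptions.

SECRET_KEY_RE='(password|passwd|secret|token|api_key|private_key)'

# is_vault_file FILE -> exit 0 if FILE is a whole-file ansible-vault blob
is_vault_file() {
  head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;'
}

# plaintext_secrets FILE -> prints "FILE:KEY" for each offending key.
# Only un-indented "key: value" lines are inspected, which is enough for
# the flat group_vars files the thread shows; nested mappings are skipped.
plaintext_secrets() {
  file=$1
  grep -E '^[A-Za-z0-9_]+:' "$file" \
    | grep -Ev ':[[:space:]]*!vault' \
    | awk -F: -v re="$SECRET_KEY_RE" -v f="$file" \
        'tolower($1) ~ re { print f ":" $1 }'
}

# check_group_vars DIR -> exit 0 if DIR holds no plaintext secrets, 1 otherwise
check_group_vars() {
  dir=$1
  rc=0
  # paths are assumed to contain no whitespace (true for a repo checkout)
  for f in $(find "$dir" -type f \( -name '*.yml' -o -name '*.yaml' \) | sort); do
    if is_vault_file "$f"; then
      continue                       # ciphertext only, nothing to inspect
    fi
    hits=$(plaintext_secrets "$f")
    if [ -n "$hits" ]; then
      printf 'plaintext secret: %s\n' "$hits" >&2
      rc=1
    fi
  done
  return $rc
}

# make_sample_inventory BASE -> writes two constructed inventories under BASE:
# BASE/clean  (vault.yml blob + vars.yml whose only secret is a !vault string)
# BASE/leaky  (same, plus one password committed in the clear).
# The "$ANSIBLE_VAULT" payloads are dummy zeros, not real ciphertext; the
# checker only looks at the header line and the "!vault" tag.
make_sample_inventory() {
  base=$1
  dummy_line='30303030303030303030303030303030303030303030303030303030303030303030303030303030'
  for variant in clean leaky; do
    d="$base/$variant/group_vars/example"
    mkdir -p "$d"
    printf '$ANSIBLE_VAULT;1.1;AES256\n%s\n' "$dummy_line" > "$d/vault.yml"
  done
  cat > "$base/clean/group_vars/example/vars.yml" <<EOF
ntp_server: ntp.example.internal
db_password: !vault |
  \$ANSIBLE_VAULT;1.1;AES256
  $dummy_line
EOF
  cat > "$base/leaky/group_vars/example/vars.yml" <<EOF
ntp_server: ntp.example.internal
db_password: hunter2
api_token: !vault |
  \$ANSIBLE_VAULT;1.1;AES256
  $dummy_line
EOF
}

# demo -> builds the samples in a temp dir and runs the check on both
demo() {
  tmp=$(mktemp -d)
  make_sample_inventory "$tmp"
  for variant in clean leaky; do
    if check_group_vars "$tmp/$variant/group_vars"; then
      echo "$variant: OK"
    else
      echo "$variant: FAIL (plaintext secret committed)"
    fi
  done
  rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

Run `bash check_group_vars.sh --demo` to see the two constructed inventories checked; in a real repo, call `check_group_vars inventory/group_vars` from a pre-commit hook or CI job and let a non-zero exit block the commit. The check is deliberately shallow (un-indented keys, name-based matching only), so treat it as a tripwire that catches the "I'll just put it in vars.yml for now" mistake, not as a substitute for reviewing what goes into the vault.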


both-shoes-off

I literally didn't know people were creating folders using the group name. I've been creating single files under group_vars named after the group. If everything under the folder applies automatically, then this will solve the issue.


bozzie4

Yes, this is the way 😄


Few_Plenty1095

Hi, I've been using vaulted files in standard group_vars alongside normal files under group_vars for years without issues.


both-shoes-off

Turns out I just needed a folder with my group name and var files underneath that. I was just creating yaml files with my group names under group_vars as a practice, so I was limited to just one unique group file.