Is this being done because some team members might leave the team later and no longer need access to something?
Another solution might be a credential in Ansible Tower - let Tower unlock your vault, and let it give this capability to everybody on the team, but maybe everybody can't read the file. Those who edit the vault -- and can change Tower's knowledge of the vault password -- could maybe be kept limited. Trying to understand the use case so that might not be appropriate.

On Mon, Nov 3, 2014 at 2:28 PM, Michael DeHaan <[email protected]> wrote:

> "How would you suggest we lay out the project/playbooks to support
> multiple vault passwords (and on a related note, what do you think of vxd's
> suggestion in the reddit thread)?"
>
> Possibly could do something like the following on the ansible command line
>
> ansible-playbook site.yml -e @production.yml
>
> With different vault passwords for:
>
> production.yml
> stage.yml
>
> But right now, different files in the same run must have the same vault
> password.
>
> This may imply keeping those variables out of inventory, though I'm not
> sure it's possible in your case.
>
> On Mon, Nov 3, 2014 at 10:09 AM, Colin Nichols <[email protected]>
> wrote:
>
>> Hi Michael,
>>
>> My coworker posted on reddit, his synopsis is a bit shorter and sweeter:
>> http://www.reddit.com/r/ansible/comments/2kxg9s/ansiblevault_and_multiple_vault_passwords_in_17/
>>
>> How would you suggest we lay out the project/playbooks to support
>> multiple vault passwords (and on a related note, what do you think of vxd's
>> suggestion in the reddit thread)?
>>
>> Also, this seems like a recent development (1.7), and based on the reddit
>> thread it seems like I'm not the only one who's run across this -- do you
>> know what the motivation for the change was?
>>
>> Thanks,
>> Colin
>>
>> On Saturday, November 1, 2014 10:46:44 AM UTC-4, Michael DeHaan wrote:
>>>
>>> Ansible will try to load any group variables things referenced by
>>> inventory, because it doesn't know what variables you may or may not use.
>>>
>>> If it's not a path brought in by inventory or vars_files, etc, it would
>>> not be loaded.
>>>
>>> On Thu, Oct 30, 2014 at 6:01 PM, Colin Nichols <[email protected]>
>>> wrote:
>>>
>>>> Hi all,
>>>>
>>>> I've been using ansible 1.6.x and I love it -- soo much easier than how
>>>> I've had to do things in the past :)
>>>>
>>>> I'm running into an issue upgrading to 1.7.x. Suddenly all my
>>>> playbooks refuse to run; ansible errors out saying it needs my vault
>>>> credentials. The output looks like this:
>>>>
>>>> xkillac4@MHK-01:~/project/ansible$ ansible-playbook unittest.yml
>>>> ERROR: A vault password must be specified to decrypt
>>>> /home/xkillac4/project/ansible/group_vars/vagrant/vault.yml
>>>> xkillac4@MHK-01:~/project/ansible$
>>>>
>>>> I feel like I may be missing something obvious, and would really
>>>> appreciate it if someone took a look at my example below.
>>>>
>>>> I boiled the issue down into a toy project, and put it into tarball
>>>> here: https://www.dropbox.com/s/gu2t7mymyeio838/ansible-testcase.tar.gz?dl=0
>>>> (or for the cautious, in a gist here:
>>>> https://gist.github.com/c-nichols/aca08301235ddd5b4014)
>>>>
>>>> Why does my example error out? Is it expected behavior, given that I
>>>> don't need anything from the vault and am not referencing any hosts from
>>>> the group with the vault? Why does this example work with ansible prior to
>>>> 1.7?
>>>>
>>>> What do you guys think? Am I missing something obvious?
>>>>
>>>> Thanks,
>>>> Colin
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "Ansible Project" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> To post to this group, send email to [email protected].
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/d/msgid/ansible-project/dca55946-e774-4e4c-9bc8-a3fce732ef0e%40googlegroups.com
>>>> For more options, visit https://groups.google.com/d/optout.
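
A pre-flight check for the layout question discussed in this thread, as an added example that is not code from the thread or from the Ansible project: it walks a project tree and separates vault-encrypted files that inventory pulls in automatically (under `group_vars/` or `host_vars/`) from ones passed explicitly, such as `-e @production.yml`. It assumes vaulted files begin with the `$ANSIBLE_VAULT;` header; `scan`, `is_vaulted`, `build_sample` and the sample tree are hypothetical names and constructed data.

```python
import os
import tempfile

VAULT_MAGIC = b"$ANSIBLE_VAULT;"                # assumed prefix of a vaulted file
AUTO_LOADED_DIRS = {"group_vars", "host_vars"}  # loaded via inventory, per the thread


def is_vaulted(path):
    """True if the file starts with the ansible-vault header."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(VAULT_MAGIC)) == VAULT_MAGIC
    except OSError:
        return False  # unreadable files are skipped, not reported


def scan(root):
    """Map each vaulted file (relative path) to 'auto-loaded' or 'explicit'."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if not d.startswith(".")]  # skip .git etc.
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not is_vaulted(full):
                continue
            rel = os.path.relpath(full, root)
            parents = set(rel.split(os.sep)[:-1])
            kind = "auto-loaded" if parents & AUTO_LOADED_DIRS else "explicit"
            report[rel.replace(os.sep, "/")] = kind
    return report


def build_sample(root):
    """Constructed tree mirroring the thread's file names."""
    header = "$ANSIBLE_VAULT;1.1;AES256\n6162636465\n"  # constructed, not real ciphertext
    files = {
        "site.yml": "- hosts: all\n",
        "group_vars/vagrant/vault.yml": header,
        "production.yml": header,
        "stage.yml": header,
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, kind in sorted(scan(tmp).items()):
            print(f"{kind:12} {rel}")
```

Files reported as `auto-loaded` are the ones that make every playbook run demand a vault password; files reported as `explicit` only matter to runs that name them.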
