I think the thing you are missing here is that whatever is in group_vars (either a file or a directory) needs to match up with the name of a group in your inventory file (unless you are using the magic 'all' group, which applies to all hosts).
So you might wind up with 3 files in different directories like this:

    group_vars/development/vault
    group_vars/testing/vault
    group_vars/production/vault

then in your inventory all the variables in group_vars/development/vault would apply to any hosts belonging to a group called

    [development]
    host1
    host2

You'd then need to encrypt them like this:

    ansible-vault encrypt group_vars/development/vault
    ansible-vault encrypt group_vars/testing/vault
    ansible-vault encrypt group_vars/production/vault

You can use the vaulted variables anywhere you can use ordinary variables, but you'll need to supply the vault password to your playbook runs (or you can specify a path to a file containing the vault password in your ansible.cfg file if that makes sense for you).

Jon

On Friday, December 9, 2016 at 10:57:13 PM UTC, Dave B wrote:
>
> I'm using Ansible to orchestrate a bunch of VMs, as expected. I want to run
> commands as root, so I have the root password in a file in group_vars, so
> /etc/ansible/group_vars/vault, which I've encrypted with ansible-vault.
>
> I understand from the Best Practices
> http://docs.ansible.com/ansible/playbooks_best_practices.html#best-practices-for-variables-and-vaults
>
> that I'm to use a file containing the passwords that's encrypted and then
> another referencing those. So I have
> group_vars -> vault
>            -> vars
>
> cat vars
> ansible_become_user=vault_ansible_become_user
> ansible_become_pass=vault_ansible_become_pass
>
> And then those variables are assigned in vault.
>
> I'm totally not sure how then to use these or reference them. Any
> advice/guidance would be good.
>
> Thanks
>
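A check for the layout discussed in this thread, added here as an example and not code from either poster or from the Ansible project: it flags group_vars entries that match no inventory group and files named vault that lack the ansible-vault header, meaning they are still plaintext. The function names, host names and file contents are constructed for illustration, and it assumes an INI-style inventory.

```python
import re
import tempfile
from pathlib import Path

VAULT_HEADER = b"$ANSIBLE_VAULT;"  # first bytes of a file encrypted by ansible-vault
SECTION = re.compile(r"^\[([^\]:]+)(?::(?:vars|children))?\]\s*$")


def inventory_groups(inventory_text):
    """Group names declared in an INI inventory; the 'all' group always exists."""
    groups = {"all"}
    for line in inventory_text.splitlines():
        match = SECTION.match(line.strip())
        if match:
            groups.add(match.group(1))
    return groups


def audit_group_vars(group_vars_dir, groups):
    """Return (entries matching no group, vault files stored unencrypted)."""
    root = Path(group_vars_dir)
    unmatched, plaintext = [], []
    for entry in sorted(root.iterdir()):
        # group_vars/<group>/ or group_vars/<group>[.yml] both name the group
        name = entry.stem if entry.is_file() else entry.name
        if name not in groups:
            unmatched.append(entry.name)
        files = [entry] if entry.is_file() else sorted(p for p in entry.rglob("*") if p.is_file())
        for f in files:
            if f.stem == "vault" and not f.read_bytes().startswith(VAULT_HEADER):
                plaintext.append(f.relative_to(root).as_posix())
    return unmatched, plaintext


def demo():
    """Constructed tree: the reply's three groups plus the question's group_vars/vault."""
    inventory = "[development]\nhost1\nhost2\n\n[testing]\nhost3\n\n[production]\nhost4\n"
    with tempfile.TemporaryDirectory() as tmp:
        gv = Path(tmp) / "group_vars"
        for group in ("development", "testing", "production"):
            (gv / group).mkdir(parents=True)
            (gv / group / "vault").write_text("$ANSIBLE_VAULT;1.1;AES256\n6162\n")
        # Constructed mistake: this file was never encrypted.
        (gv / "testing" / "vault").write_text("vault_ansible_become_pass: constructed\n")
        # A top-level file called 'vault' only applies to a group named 'vault'.
        (gv / "vault").write_text("$ANSIBLE_VAULT;1.1;AES256\n6162\n")
        return audit_group_vars(gv, inventory_groups(inventory))


if __name__ == "__main__":
    print(demo())
```

Run before committing, a non-empty second list means a secrets file would land in version control unencrypted.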
