by thinkmassive 3194 days ago
> you need to supply the password when you run the playbook

You can also specify vault-password-file in ansible.cfg [1]. It can be a shell script rather than plaintext, so you can use it to call the CLI password manager "pass" [2], for instance. This is handy for automation.

[1] http://docs.ansible.com/ansible/latest/intro_configuration.h...
[2] https://www.passwordstore.org/


Of course if you're putting the encryption password in ansible.cfg you might as well just leave the original file unencrypted.

The parent's recommendation was to put a filename into the ansible.cfg, and that file could contain either the password, or a script that is then run which prints the password to stdout. For example, we have the script pull the password from a gpg-encrypted file.

That's not what GP said. "vault-password-file" != "vault-password".

Even if you do put a plaintext password into ansible.cfg, encrypting secrets in the playbook is still worthwhile so you don't commit them to your source code repository or accidentally share the secrets with the world when you publish your playbooks.
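
The setup discussed in this thread (a vault password file that is an executable script printing the password to stdout, backed by "pass" or a gpg-encrypted file), sketched as an added example that is not code from any commenter. The script name `vault-pass.sh`, the pass entry `ansible/vault` and the gpg file path are assumptions.

```shell
#!/bin/sh
# vault-pass.sh: added example of an executable vault password file.
# Wire it up in ansible.cfg (the file must be executable so Ansible runs it
# instead of reading it as plaintext):
#   [defaults]
#   vault_password_file = ./vault-pass.sh
#
# Assumed names, override through the environment:
PASS_ENTRY="${VAULT_PASS_ENTRY:-ansible/vault}"               # hypothetical pass entry
GPG_FILE="${VAULT_GPG_FILE:-$HOME/.ansible/vault-pass.gpg}"   # hypothetical path

# Print the vault password on stdout, or fail without printing anything.
fetch_vault_password() {
    if command -v pass >/dev/null 2>&1; then
        # pass keeps the password on the first line of the entry
        secret=$(pass show "$PASS_ENTRY" 2>/dev/null | head -n 1)
    elif [ -r "$GPG_FILE" ]; then
        # --batch keeps gpg from prompting on the terminal in unattended runs
        secret=$(gpg --quiet --batch --decrypt "$GPG_FILE" 2>/dev/null | head -n 1)
    else
        echo "vault-pass: no password source available" >&2
        return 1
    fi
    # Fail closed: an empty line must never be handed to Ansible as the password
    if [ -z "$secret" ]; then
        echo "vault-pass: password source returned nothing" >&2
        return 1
    fi
    printf '%s\n' "$secret"
}

# Run only when executed under its own name, so the function can be sourced.
case "${0##*/}" in
    vault-pass.sh) fetch_vault_password ;;
esac
```

Only the script, which contains no secret, lives next to the playbooks; the password itself stays in the password store or the gpg-encrypted file.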