ansible-vault | : key : Ansible role for Hashicorp Vault | DevOps library

In order to connect to a windows host I will need to pass the credentials in an inventory file. Here's my inventory file:

I've been searching all over but there's not much on what should the Ansible vault password file look like.

For example I would like to do:

i have below script while gets some command output from a host and keeps that into a file /tmp/${stcl}_aggr.txt, further this file is placed to a variable body=$(cat /tmp/${stcl}_aggr.txt)

While calling this Variable body into a Jason arrays as "description": "$body" its value is not getting expanded and resulting in error as KeyError: 'result', and the varible like incident_number, curloutput also not working while if i remove that body for "description": then script will run but the i need "description": value to be uploaded.

Apologies for the lengthy post. I am a relatively newbie to Ansible and Vault (<2 months).

Environment:

• CentOS & Win2019 (90% Linux systems)
• Ansible 2.10.7 (master Ansible controller)
• AWX 17.0.1 (embedded ansible 2.9.17)

Ultimate goals:

• Use the same code from Git for both environments (Prod & Test)
• Ability to separate the 'secrets' values based on which environment

Basic Setup (currently):

• Ansible master controller is designed to be completely self-starting. Meaning all the settings/configs are contained within playbooks. This means I can blow-up the ANS controller and rebuild with 3 min.
• All secrets are encrypted strings within a variable file. Due to the fact AWX cannot import an vaulted file, all secrets are in-line (ansible-vault encrypt_string 'secret_data' --name 'my_secret')
• Same user accounts exists in both environments but different creds

Current Issues:

• If was to import the Git repo into my Prod Ansible master controller, any plays requiring secrets would fail (due it has the secret variable with the 'Test' values)

Thoughts to resolve:

• I thought about using the ansible 'default' function for any secret combined with a 'when' conditional based on the Inventory file. Basically if the inventory file is a 'Test' based system, use 'Test' secrets. If not, then use 'Prod' secrets.

This is an ugly solution from my perspective and must be a better solution.

• Use Hashicorp Vault. It has the ability to use namespace trees to classify creds. I have not played with this idea yet and not sure how viable it is.

I wonder what others in the industry are doing for this same problem. This is not unique issue and sure there are best practices for this situation.

Thanks

I've created an encrypted credent.yml file with this content:

I'm using ansible-vault 2.10.5. According to the encrypt_string documentation, I can use --output to save the encrypted result. The doc says:

--output

output file name for encrypt or decrypt; use - for stdout

But I tried several commands and the result seemed to always be printed to the console. For example:

I have a kubernetes secrets manifest in the form of secret.j2 file which has a password key. This password key is supposed assigned a value from an ansible-vault encrypted string present in a dev.yml file. This dev.yml looks like below:-

I have a csv file containing ip addresses and passwords. These passwords need to be encrypted and written to a file.

This is what I have tried so far:

I have a dynamic inventory set up which pulls hosts and their variables from a MySQL database. The dynamic inventory itself is working perfectly.

Some of the variables inside the inventory are sensitive so I would prefer not to store them as plain text.

So as a test I encrypted a value using: