How do I invoke ansible-vault encrypt when deploying to production?

I’m using Ansible Vault to encrypt usernames and passwords, so I can store the files securely on a public GitHub repo. However, I’m not sure how to invoke a prompt for ansible-vault when deploying to production ($ ./deploy.sh production mywebsite).

Here’s a description from the Ansible Up & Running book:

We do need to tell ansible-playbook to prompt us for the password of the encrypted file, or it will simply error out. Do so by using the --ask-vault-pass argument

At the moment, I’m unencrypting locally, and then running the deploy shell script, which works fine. But would be good to know!

You can just modify deploy.sh to add that option on. Or just use the raw ansible-playbook command that the deploy script uses.

We also have Vault integration coming soon: https://github.com/roots/trellis/pull/317

You can see that we solve that problem by using a .vault_pass file.

Yay, bingo! DEPLOY_CMD="ansible-playbook --ask-vault-pass -i… works a treat, thank you.

Will keep eyes peeled for Vault integration.
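The two approaches mentioned in this thread, prompting with `--ask-vault-pass` or reading a `.vault_pass` file, can be combined in a deploy wrapper. The sketch below is an added example, not part of the original posts and not Trellis code. The function names are hypothetical, `--vault-password-file` is the `ansible-playbook` option for reading the password from a file, and the permission and git-ignore checks are assumptions about what a public repository calls for.

```shell
#!/bin/sh
# Added example, not Trellis code. vault_opts and file_mode are hypothetical names.

# Print a file's permission bits in octal (GNU stat first, then BSD stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print the vault option to pass to ansible-playbook.
# Returns 1 (and prints nothing on stdout) if the password file is unsafe.
vault_opts() {
  pass_file="${1:-.vault_pass}"

  # No password file: fall back to the interactive prompt.
  if [ ! -f "$pass_file" ]; then
    echo "--ask-vault-pass"
    return 0
  fi

  # The file holds the vault password in clear text: owner-only access.
  mode=$(file_mode "$pass_file") || return 1
  case "$mode" in
    *00) ;;
    *) echo "refusing: $pass_file has mode $mode, run chmod 600" >&2
       return 1 ;;
  esac

  # In a git work tree the file must be ignored, or it can end up in the
  # public repository next to the secrets it decrypts.
  dir=$(dirname "$pass_file"); base=$(basename "$pass_file")
  if git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 &&
     ! git -C "$dir" check-ignore -q -- "$base"; then
    echo "refusing: $pass_file is not git-ignored" >&2
    return 1
  fi

  echo "--vault-password-file $pass_file"
}
```

A deploy script can capture the output of `vault_opts` and append it to its `ansible-playbook` command, aborting when the function returns non-zero.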