Consider an Ansible inventory file similar to the following example:

    [san_diego]
    host1
    host2

    [san_francisco]
    host3
    host4

    [west_coast]
    san_diego
    san_francisco

    [west_coast:vars]
    db_server=foo.example.com
    db_host=5432
    db_password=top secret password

I would like to store some of the vars (like db_password) in an Ansible vault, but not the entire file.
How can a vault-encrypted ansible file be imported into an unencrypted inventory file?
I have created an encrypted vars file and tried importing it with:

    include: secrets

To which ansible-playbook responded with:

    ERROR: variables assigned to group must be in key=value form

Probably because it tried to parse the include statement as a variable.

If your issue is to have both unencrypted and encrypted vars files per group_hosts, you can use this Ansible feature: http://docs.ansible.com/ansible/playbooks_best_practices.html#best-practices-for-variables-and-vaults

    group_vars/
        san_diego/
            vars.yml   # unencrypted yaml file
            vault.yml  # encrypted yaml file

Ansible will automatically read vault.yml as an encrypted YAML file.

Update: The solution below is also a good solution (since Ansible 2.3).
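
Added example (not part of the answer above): a shell sketch that applies this layout to the question's `west_coast` group and checks that no `vault.yml` is left in plaintext. The variable name `vault_db_password` (following the `vault_` prefix convention from the linked best-practices page) and the helper function names are choices made for this example.

```shell
#!/bin/sh
# Write group_vars/west_coast/{vars.yml,vault.yml} under directory $1
# (the directory that holds the inventory file).
make_group_vars() {
  gv_dir="$1/group_vars/west_coast"
  mkdir -p "$gv_dir"
  # Unencrypted file: safe to read and grep, holds only a reference to the secret.
  cat > "$gv_dir/vars.yml" <<'EOF'
---
db_server: foo.example.com
db_host: 5432
db_password: "{{ vault_db_password }}"
EOF
  # Secret file: still plaintext at this point, encrypt it before committing.
  cat > "$gv_dir/vault.yml" <<'EOF'
---
vault_db_password: top secret password
EOF
}

# True if the file starts with the ansible-vault header ($ANSIBLE_VAULT;<version>;<cipher>).
is_vault_encrypted() {
  head -n1 "$1" | grep -q '^\$ANSIBLE_VAULT;'
}

# Print every vault.yml under $1/group_vars that is NOT encrypted.
unencrypted_vaults() {
  find "$1/group_vars" -type f -name 'vault.yml' | while read -r f; do
    is_vault_encrypted "$f" || echo "$f"
  done
}

# Typical use from the inventory directory:
#   make_group_vars .
#   ansible-vault encrypt group_vars/west_coast/vault.yml
#   unencrypted_vaults .    # empty output means nothing is left in plaintext
```

With this layout the `[west_coast:vars]` section can be dropped from the inventory file, and `unencrypted_vaults` can run as a pre-commit check.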