ansible azure-pipelines ansible-vault

How to pass ansible vault password as an extra var?


I have the ability to encrypt variables using another mechanism (Azure pipeline secret feature), so I would like to save an ansible-vault password there (in Azure pipeline) and pass it to playbook execution as an extra var.

May I know if it can be done so?

An example of what/how I'm expecting is

ansible-playbook --extra-vars "vault-password=${pipelinevariable}"

Solution

  • Vault password cannot be passed as an extra var. There are several ways to provide it which are all covered in the documentation:

    Very basically your options are:

    • providing it interactively by passing the --ask-vault-pass option
    • reading it from a file (static or executable) by either:
      1. providing the --vault-password-file /path/to/vault option on the command line
      2. setting the ANSIBLE_VAULT_PASSWORD_FILE environment variable (e.g. export ANSIBLE_VAULT_PASSWORD_FILE=/path/to/vault).

    There is much more to learn in the above doc, especially how to use several vault passwords with ids, how to use a client script to retrieve the password from a key store...
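
The executable-file option above can carry a pipeline secret to ansible-vault without the password ever appearing on the command line or in a file on disk. The following is an added example, not part of the original answer and not Ansible's own code; it assumes the pipeline exposes its secret to the step as an environment variable, given the hypothetical name VAULT_PASSWORD here, and site.yml is a placeholder playbook name.

```shell
#!/bin/sh
# Added example: generate an executable vault password file for CI use.
# Ansible runs an executable password file and reads the password from its
# stdout, so the generated script holds no secret itself.
# VAULT_PASSWORD is a hypothetical variable name (assumption): the pipeline
# is expected to map its secret into the step's environment under that name.

write_vault_pass_script() {
    dest=$1
    (
        # Create the file with owner-only permissions from the start.
        umask 077
        cat > "$dest" <<'EOF'
#!/bin/sh
# Fail with a non-zero status (and a message on stderr) if the secret was
# not injected, so the playbook run stops instead of using an empty password.
: "${VAULT_PASSWORD:?VAULT_PASSWORD is not set}"
printf '%s\n' "$VAULT_PASSWORD"
EOF
    ) || return 1
    # The executable bit is what makes Ansible run the file rather than read it.
    chmod 700 "$dest"
}

# Usage in a pipeline step (placeholder paths and playbook name):
#   write_vault_pass_script "$HOME/vault-pass.sh"
#   export ANSIBLE_VAULT_PASSWORD_FILE="$HOME/vault-pass.sh"
#   ansible-playbook site.yml
```

Unlike a value passed with --extra-vars, the password does not show up in the process list or in the echoed command line of the build log.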