How to use existing Vault files in Ansible Tower?

So it looks like this was more of an implementation issue. According to RedHat, it is not recommended to keep the vault files with the inventory - as this would mean it decrypts the file every time the inventory sync runs.

The way I've solved this now is by using "vars_files" in the playbook. It looks like this:

  # Secrets
  vars_files:
    - '../../secrets/{{ tower_env }}/vault.yml'

In Tower, I pass in the tower_env variable, e.g. "dev" or "qa", which then decrypts the corresponding vault file when a playbook runs, rather than when syncing inventories.


There are 2 things you are trying to do that aren't (at least as of this moment) supported:

  • decrypting your secrets at the time of inventory import
  • using ansible-vault to encrypt the entire file, as opposed to variables

The terminology here is a little poor, but see in these docs the section "Single Encrypted Variable", I sometimes call these in-line variables.

https://docs.ansible.com/ansible/latest/user_guide/playbooks_vault.html

Ansible now supports moving these in-line variables through the inventory parsing process. This format is also no less safe; it's the same algorithm under the hood. The name of the encrypted variables will be exposed to people with access to your source control (which is probably reasonable), but your value will be encrypted.

Now store values with that syntax in .yml variable files under group_vars/ or host_vars/ folders. You should find that the inventory sync inside of Tower is successful (without using any vault credential), and when you navigate to the group or host, you see the encrypted form of the variable.

When you run a playbook (job template in Tower), then attach a vault credential at that time. This delays encryption until the runtime context when it is actually needed.

Example inventory file structure:

https://github.com/AlanCoding/Ansible-inventory-file-examples/tree/master/vault/single_var_file

Also, as the other comment points out, you can put either whole-file encrypted or in-line encrypted variables in that folder structure in source control where your playbook is, and that will be picked up by Ansible and decrypted by vault credentials you attach to the job template.
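A pre-commit style check for the layout both answers describe, written as an added example (this is not code from either answer, from Ansible, or from Tower). It walks a set of variable files and sorts each one into the three cases that matter here: a whole-file vault (fine under a vars_files path such as `secrets/<env>/vault.yml`, since that is only decrypted when the job template runs, but not importable by Tower's inventory sync when it sits under group_vars/ or host_vars/), in-line `!vault` variables (importable, value stays encrypted), and plaintext. The file names, the `SECRET_HINT` name heuristic and the sample contents are assumptions constructed for the example; the hex bodies are placeholder data, not real ciphertext, and nothing here decrypts anything. The parser is deliberately line-based and stdlib-only so it runs without PyYAML or Ansible installed.

```python
"""Audit Ansible variable files for how their secrets are protected.

Added example: classifies each file as whole-file vault, in-line vault
variables, or plaintext, and flags the combinations that Tower cannot
handle or that leak secrets into source control. Stdlib only.
"""
import re

# Header line that every ansible-vault payload starts with, e.g.
#   $ANSIBLE_VAULT;1.1;AES256        (no vault id)
#   $ANSIBLE_VAULT;1.2;AES256;dev    (labelled vault id)
VAULT_HEADER = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<ver>1\.[12]);(?P<cipher>[A-Z0-9]+)(;(?P<vid>[^\s;]+))?$"
)
# Top-level "key: value" line of a simple vars file.
TOP_LEVEL_KEY = re.compile(r"^(?P<key>[A-Za-z_][A-Za-z0-9_]*):\s*(?P<value>.*)$")
# Assumed heuristic for variable names that should never be plaintext.
SECRET_HINT = re.compile(r"(password|passwd|secret|token|api_key|private_key)", re.I)


def classify_vars_file(text):
    """Return {'kind': 'whole_file'|'inline', 'vars': {name: state}}.

    state is 'vault' (well-formed in-line payload), 'plain', or
    'malformed_vault' (tagged !vault but the payload is not header + hex).
    """
    lines = text.splitlines()
    first = next((line for line in lines if line.strip()), "")
    if VAULT_HEADER.match(first.strip()):
        return {"kind": "whole_file", "vars": {}}

    found = {}
    i = 0
    while i < len(lines):
        m = TOP_LEVEL_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key, value = m.group("key"), m.group("value").strip()
        if not value.startswith("!vault"):
            found[key] = "plain"
            i += 1
            continue
        # Collect the indented block scalar that follows "!vault |".
        block, j = [], i + 1
        while j < len(lines) and (lines[j].startswith(" ") or not lines[j].strip()):
            if lines[j].strip():
                block.append(lines[j].strip())
            j += 1
        body_is_hex = all(re.fullmatch(r"[0-9a-f]+", b) for b in block[1:])
        if block and VAULT_HEADER.match(block[0]) and body_is_hex:
            found[key] = "vault"
        else:
            found[key] = "malformed_vault"
        i = j
    return {"kind": "inline", "vars": found}


def audit(files):
    """files: {relative_path: contents}. Returns a list of finding strings."""
    findings = []
    for path, text in files.items():
        info = classify_vars_file(text)
        if info["kind"] == "whole_file":
            # Whole-file vaults are fine for vars_files, but Tower's inventory
            # sync cannot decrypt them under group_vars/ or host_vars/.
            if path.startswith(("group_vars/", "host_vars/")):
                findings.append(f"{path}: whole-file vault under inventory vars; "
                                "Tower inventory sync cannot decrypt it")
            continue
        for key, state in info["vars"].items():
            if state == "plain" and SECRET_HINT.search(key):
                findings.append(f"{path}: '{key}' looks like a secret but is plaintext")
            elif state == "malformed_vault":
                findings.append(f"{path}: '{key}' is tagged !vault but the payload "
                                "is not a valid vault header plus hex body")
    return findings


# Constructed sample tree; hex bodies are placeholders, not real ciphertext.
SAMPLE_FILES = {
    "group_vars/dev.yml": """---
db_host: db.dev.example.internal
db_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          66386439653236336462626566653063336164663966303231363934653561363964363833313662
          6431626536303530376336343832656537303632313433360a626438346336353331386135323031
""",
    "group_vars/qa.yml": """$ANSIBLE_VAULT;1.1;AES256
30363735656632356531323634643761383632663434303766663561386234653733633030373134
""",
    "group_vars/stage.yml": """smtp_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          this is not hex
""",
    "host_vars/web1.yml": """api_token: plaintext-token-constructed
ntp_server: ntp.example.internal
""",
    "secrets/dev/vault.yml": """$ANSIBLE_VAULT;1.1;AES256
6138326233356236356139636136396633383362303835396363393566383265383135633530383962
""",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES):
        print(finding)
```

Run against a real checkout by replacing `SAMPLE_FILES` with a walk over group_vars/, host_vars/ and your secrets/ tree; the `secrets/dev/vault.yml` entry above produces no finding precisely because a whole-file vault is the right shape for the vars_files approach, while the same file under group_vars/ would be reported.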