Can you use keystore entries in task templates

[smitch35]

So my co worker and I are fairly new to ansible and ansible semaphore but we've have some things working and they work well. One thing we're trying to do is pass usernames and passwords to certain things when accessing them via ansible (for example vmware vcenter).

We know we could leave some creds in the playbook or reference a vault but we'd like to be able to store a username and password in the keystore and then use them in variables for tasks. Is this possible at all or not really intended purpose?

Thanks,

[ansibleguy]

Greetings @smitch35
As far as I have seen - the keystore can only be used to supply the credentials to run tasks and clone repositories.
Essentially what you want seems to be to pass extra-vars with secret values to Ansible so you can switch secrets on a per-execution basis, right?

Practical usage of some use-cases like these used a 'secrets.yml' either in the global 'vars' directory (placement in the same depth as your playbooks) or in a role-specific vars-file.
See the documentation for directory structure and search paths.

Example 'secrets.yml':

vmware_a:
  selector1: !vault |
    ...
  selector2: !vault |
    ...
  selector3: !vault |
    ...
# NOTE: 'selectorN' is just a generic placeholder

Example 'task':

- debug:
     var: vmware_a[run_selector]

Execution:

ansible-playbook play.yml --extra-vars run_selector=selector2 --ask-vault-pass

- AnsibleGuy

[smitch35]

Thanks for this information. I was just looking at it a bit wrong. So if I'm understanding this correctly. I need to locally access my system running semaphore to build out my vault and then reference those vault entries because they need to be outside of semaphore but I can put the vault password in semaphore to pass along to the script when running?

I assume I could also make a vault and include it in my repo but I'm still learning some aspects of maintaining a repo etc.

Thanks for the answer!

[ansibleguy]

Exactly.
You can add 'ansible-vault' variables in your repository scope or include var-files from anywhere else in the filesystem using 'vars_files' (inside playbook) or 'include_vars' (inside tasks/roles)