cancel
Showing results for 
Search instead for 
Did you mean: 
TPeters
Flight Engineer
Flight Engineer
  • 748 Views

Secrets in variables?

Jump to solution

I'm now at Chapter 7, the first part discusses the default and role variables in a role.

It is written that role variables (in vars/main.yml) can not be overridden.

But for secrets it writes:

 "Roles should not have site specific data in them or contain any secrets like passwords or private keys because roles are supposed to be generic, reusable, and freely shareable. Therefore, site specific details should not be hard coded into them.

Secrets should be provided to the role through other means. This requirement is one reason that you might want to set role variables when calling a role. Role variables set in the play could provide the secret, or point to an Ansible Vault encrypted file containing the secret."

So it writes to use role variables for secrets and set them in a play. But role variables are supposed to not be overridden: if you want to have a variable that is to be overriden you should use default variables.

So I am confused.

 

 

Labels (2)
1 Solution

Accepted Solutions
pjentw
Mission Specialist
Mission Specialist
  • 742 Views

Referencing the variable precedence:

Here is the order of precedence from least to greatest (the last listed variables override all other variables):

  1. command line values (for example, -u my_user, these are not variables)

  2. role defaults (defined in role/defaults/main.yml) 1

  3. inventory file or script group vars 2

  4. inventory group_vars/all 3

  5. playbook group_vars/all 3

  6. inventory group_vars/* 3

  7. playbook group_vars/* 3

  8. inventory file or script host vars 2

  9. inventory host_vars/* 3

  10. playbook host_vars/* 3

  11. host facts / cached set_facts 4

  12. play vars

  13. play vars_prompt

  14. play vars_files

  15. role vars (defined in role/vars/main.yml)

  16. block vars (only for tasks in block)

  17. task vars (only for the task)

  18. include_vars

  19. set_facts / registered vars

  20. role (and include_role) params

  21. include params

  22. extra vars (for example, -e "user=my_user")(always win precedence)

https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#variable-precedence-...

Shows that role variables (15) can be overridden but as the chapter states: "not by inventory variables" (such as 3,4,6,8,9), this is because they have a lower precedence and role variables are expected to be used for internal functioning of the role.

So to clarify all variable types/locations post 15 in the list can override the role variables kept in role/vars/main.yml

View solution in original post

1 Reply
pjentw
Mission Specialist
Mission Specialist
  • 743 Views

Referencing the variable precedence:

Here is the order of precedence from least to greatest (the last listed variables override all other variables):

  1. command line values (for example, -u my_user, these are not variables)

  2. role defaults (defined in role/defaults/main.yml) 1

  3. inventory file or script group vars 2

  4. inventory group_vars/all 3

  5. playbook group_vars/all 3

  6. inventory group_vars/* 3

  7. playbook group_vars/* 3

  8. inventory file or script host vars 2

  9. inventory host_vars/* 3

  10. playbook host_vars/* 3

  11. host facts / cached set_facts 4

  12. play vars

  13. play vars_prompt

  14. play vars_files

  15. role vars (defined in role/vars/main.yml)

  16. block vars (only for tasks in block)

  17. task vars (only for the task)

  18. include_vars

  19. set_facts / registered vars

  20. role (and include_role) params

  21. include params

  22. extra vars (for example, -e "user=my_user")(always win precedence)

https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#variable-precedence-...

Shows that role variables (15) can be overridden but as the chapter states: "not by inventory variables" (such as 3,4,6,8,9), this is because they have a lower precedence and role variables are expected to be used for internal functioning of the role.

So to clarify all variable types/locations post 15 in the list can override the role variables kept in role/vars/main.yml

Join the discussion
You must log in to join this conversation.