Ansible Vault GPG encrypted


I know it’s possible to pass an Ansbile Vault file to Packer using ansible_env_vars:, but what if this file is GPG encrypted?
Does Packer support something here?



It probably depends on how it’s encrypted. Is the fault file itself encrypted again with GPG, or the password file for accessing the vault, or what?

If it’s the password file, there’s a blog post here that suggests you can do it using the vault_password_file option and providing an executable that unencrypts the password and sends it to ansible:

I haven’t checked to see if that could work in the extra-vars section, but if it doesn’t you can add it to your ansible config.

Another option is to create a wrapping script for ansible that performs the decryption;
docs for the template option for providing a wrapper can be found

and an example here: