I am trying to use ansible-vault to secure a single Windows login password. I do not want to place the password as plain text in my windows.yml file (see below), and so I am trying to use ansible-vault to secure/encrypt this password.
I have this directory structure:
myansiblehome
  - windows_manage
    - group_vars
      - windows.yml
      - vault
    - hosts
    - win_playbook.yml
My question is about the file vault. I am trying to place a Windows login password here as an encrypted variable, as per this tutorial. The variable name is ansible_password, and the idea is that I should have a hash in the vault file and not the actual password in text.
My windows.yml file looks like this (following the guidance here):
ansible_user: administrator
ansible_password: "{{ vault_ansible_password }}"
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
Now, to create the vault file, here are my steps:
cd windows_manage
ansible-vault create group_vars/vault
Then here are all the contents that I place into the vault file:
---
vault_ansible_password: mypassword
When I run this file with ansible-playbook -i ./hosts win_playbook.yml --ask-vault-pass, I get this error (problem A):
The field 'password' has an invalid value, which includes an
undefined variable. The error was: 'vault_ansible_password' is
undefined\nexception type: <...>\nexception: 'vault_ansible_password' is
undefined.
So, I tried to generate a hash instead of using text. I did this:
mkpasswd --method=SHA-512
# copy the resulting hash to the clipboard
ansible-vault create group_vars/vault
I replaced the text mypassword by this hash. I pasted the hash in the vi editor and saved the vault file. Again, I ran the playbook with ansible-playbook -i ./hosts win_playbook.yml --ask-vault-pass. This time I got a different error (problem B):
fatal: [...]: UNREACHABLE! => ..."ssl: the specified
credentials were rejected by the server", "unreachable": true}
To overcome this, I have to do 2 things:
- To resolve problem A: in win_playbook.yml, I need to add vars_files: group_vars\vault, somewhat similar to this StackOverflow post.
- To resolve problem B: I have to replace the hash in vault with the actual password in text (mypassword).
Questions:
Regarding A: In the tutorials I have come across for ansible vault, I do not see a particular reason why vars_file: group_vars\vars should be present in the main playbook file (see links 1-4 below), i.e. there is no mention of this anywhere. I thought Ansible would auto-detect the variables in the group_vars directory??? Is there a reason why this line is required?
- https://serversforhackers.com/c/ansible-using-vault
- https://www.digitalocean.com/community/tutorials/how-to-use-vault-to-protect-sensitive-ansible-data-on-ubuntu-16-04 - these guys use group_vars/vars (unencrypted variable file similar to my group_vars/vars) and group_vars/vault (encrypted variable file similar to my group_vars/vault), but they are using a role while I am not using an Ansible role
- https://knpuniversity.com/screencast/ansible/variable-vault
- https://opensource.com/article/16/12/devops-security-ansible-vault
Regarding B: It looks like other users (see here) are using hashes as their variables. Actually, even the Ansible docs suggest using mkpasswd to generate passwords. Maybe I am misunderstanding something. Should we not use mkpasswd --method=SHA-512 to hash the password and then place the hash as the variable value? Is it not possible to use a hash as the value in key:value in the vault file?
group_vars rely on the file/directory name – it should correspond to a specific group name. In your case windows.yml is applied to the group named windows, but vault would have been applied to the group named vault. To overcome your issue, create a directory named windows and place your files there (every file under the windows directory will be applied to hosts in the windows group in alphabetical order):
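Added example, not part of the answer above: a small Python model of the group_vars lookup described there, run over constructed copies of the question's original layout and of the answer's group_vars/windows/ layout. The group_vars_files and undefined_refs helpers are my own simplification of Ansible's behaviour, and the vault file is left unencrypted, since the point is which files get loaded for the windows group, not their encryption.

```python
import os
import re
import tempfile

def group_vars_files(inventory_dir, group):
    """Files Ansible loads for `group`: group_vars/<group>[.yml|.yaml|.json] or
    every file in group_vars/<group>/ sorted by name; group_vars/vault is not."""
    base = os.path.join(inventory_dir, "group_vars")
    found = []
    for suffix in ("", ".yml", ".yaml", ".json"):
        cand = os.path.join(base, group + suffix)
        if os.path.isfile(cand):
            found.append(cand)
        elif os.path.isdir(cand):
            found += [os.path.join(cand, n) for n in sorted(os.listdir(cand))
                      if os.path.isfile(os.path.join(cand, n))]
    return found

def undefined_refs(files):
    """Names used as {{ name }} in `files` but defined in none of them (simplified:
    only flat `key: value` lines count; real Ansible parses full YAML and takes
    vars from the play, host_vars and the command line too)."""
    defined, referenced = set(), set()
    for path in files:
        with open(path) as fh:
            for line in fh:
                m = re.match(r"^([A-Za-z_]\w*):", line)
                if m:
                    defined.add(m.group(1))
                referenced.update(re.findall(r"\{\{\s*(\w+)\s*\}\}", line))
    return sorted(referenced - defined)

def write_layout(root, fixed):
    """Constructed sample files: fixed=False mirrors the question's layout, fixed=True
    the answer's group_vars/windows/ directory (vault encryption is not modelled)."""
    wdir = os.path.join(root, "group_vars", "windows" if fixed else "")
    os.makedirs(wdir, exist_ok=True)
    samples = [("vars.yml" if fixed else "windows.yml", 'ansible_user: administrator\n'
                'ansible_password: "{{ vault_ansible_password }}"\n'),
               ("vault.yml" if fixed else "vault", "vault_ansible_password: mypassword\n")]
    for name, body in samples:
        with open(os.path.join(wdir, name), "w") as fh:
            fh.write(body)

def check_layout(fixed):
    """Return (files loaded for group 'windows', variables left undefined)."""
    with tempfile.TemporaryDirectory() as root:
        write_layout(root, fixed)
        files = group_vars_files(root, "windows")
        return [os.path.basename(f) for f in files], undefined_refs(files)
```

On problem B from the post: the WinRM connection authenticates with the real logon password, so ansible_password must hold the password itself, stored encrypted by the vault rather than hashed. The mkpasswd output mentioned in the Ansible docs is the crypted value the user module's password parameter expects when it creates Linux accounts, which is a different use.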