Inventory & Vault
Define which hosts Ansible manages and protect secrets with Ansible Vault.
The inventory tells Ansible which hosts to manage and how to group them. It can be a static file (INI/YAML) or dynamic (a script/plugin that queries a cloud for current hosts). Group hosts so plays target the right set, and attach group_vars / host_vars for per-group/host configuration.
Secrets (passwords, API keys) needed by playbooks must not sit in plaintext. Ansible Vault encrypts variable files or single values with a password, so they can live safely in git and are decrypted at runtime.
```yaml
# inventory.yml
all:
  children:
    web:
      hosts:
        web1.example.com:
        web2.example.com:
      vars:
        http_port: 443
```

```bash
# Encrypt a secrets file
ansible-vault encrypt group_vars/web/secrets.yml
# Run a playbook, supplying the vault password
ansible-playbook site.yml --ask-vault-pass
```

- Write a YAML inventory with a group and a group variable.
- Explain the difference between static and dynamic inventory.
- Encrypt a secrets file with Ansible Vault (in words) and run a playbook with it.
- Describe when group_vars vs host_vars is appropriate.
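
Vault only protects what was actually encrypted, so a repository check for variable files that still hold secrets in clear is a useful companion to the commands above. The following Python script is an added example, not part of the original page: it treats a file as vaulted when its first line starts with `$ANSIBLE_VAULT;`, and the key-name pattern, function names and sample tree are assumptions constructed for illustration.

```python
"""Flag plaintext secrets in Ansible group_vars/host_vars before they reach git."""
import re
import tempfile
from pathlib import Path

VAULT_HEADER = "$ANSIBLE_VAULT;"  # first line of a file encrypted by ansible-vault
# Assumed heuristic: variable names that usually hold credentials.
SECRET_KEY = re.compile(r"^\s*([\w.-]*(?:password|passwd|secret|token|api_key)[\w.-]*)\s*:\s*(.*)$", re.I)


def is_vault_file(path):
    """True when the whole file was encrypted with `ansible-vault encrypt`."""
    with path.open("r", errors="replace") as fh:
        return fh.readline().startswith(VAULT_HEADER)


def plaintext_secrets(root):
    """Return (relative path, line number, key) for secret-looking keys stored in clear."""
    findings = []
    for path in sorted(root.rglob("*.yml")):
        rel = path.relative_to(root)
        if not {"group_vars", "host_vars"} & set(rel.parts):
            continue  # only variable files are in scope
        if is_vault_file(path):
            continue  # encrypted as a whole, nothing readable inside
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            m = SECRET_KEY.match(line)
            value = m.group(2).strip() if m else ""
            # Skip inline-vaulted values (!vault tag) and "{{ ... }}" references to other variables.
            if value and not value.startswith("!vault") and not value.strip("'\"").startswith("{{"):
                findings.append((rel.as_posix(), lineno, m.group(1)))
    return findings


def build_sample_repo(root):
    """Constructed sample tree: one vaulted file, one indirect reference, one leak."""
    web = root / "group_vars" / "web"
    web.mkdir(parents=True)
    (web / "secrets.yml").write_text("$ANSIBLE_VAULT;1.1;AES256\n6162636465660a\n")
    (web / "vars.yml").write_text("http_port: 443\ndb_password: '{{ vault_db_password }}'\n")
    (root / "host_vars").mkdir()
    (root / "host_vars" / "web1.example.com.yml").write_text("api_token: constructed-sample-value\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(Path(tmp))
        for rel, lineno, key in plaintext_secrets(Path(tmp)):
            print(f"{rel}:{lineno}: '{key}' is not vault-encrypted")
```

Run from a pre-commit hook or CI job, a non-empty result from `plaintext_secrets` is the signal to encrypt the file or value before it is committed.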
Cheat Sheet
| Concept | Detail |
|---|---|
| Static inventory | INI/YAML host list |
| Dynamic inventory | Cloud-discovered hosts |
| Groups | Target subsets of hosts |
| group_vars / host_vars | Per-group/host config |
| Vault encrypt | ansible-vault encrypt file |
| Run with vault | --ask-vault-pass |
Common Interview Questions
What is the difference between static and dynamic inventory?
Static inventory is a hand-maintained list of hosts; dynamic inventory queries a source (like a cloud API) at runtime to discover current hosts — essential when instances change frequently.
How does Ansible Vault protect secrets?
It encrypts variable files or individual values with a password, so secrets can be committed to version control safely and are decrypted only at playbook runtime.