Separate OpenStack password from clouds.yaml in dynamic inventory

I would like to use the clouds.yaml format for configuring the connection to my OpenStack cloud (as opposed to OS_ env vars), but I want to be able to check my clouds.yaml file into version control. So, my password needs to come from somewhere else, obviously.

I can successfully do this with other openstack modules by simply not including my password in clouds.yaml, and then I can inject the password in via the auth parameter, i.e.:

.....
  vars:
    os_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          6132613866613437333261......
  tasks: 
  - name: "Make heat stack {{state}}"
    openstack.cloud.stack:
      name: "{{stack_name}}"
      state: "{{state}}"
      template: "rke2-heat/{{stack_name}}.yaml"
      auth:
        password: "{{os_password}}"
......

My issue, however, is trying to run a subsequent playbook against the infrastructure using dynamic inventory. I have no idea how to do something like the auth parameter. If I include the password explicitly in clouds.yaml, things work. If I remove it, I get the below error, which I just can't figure out what to do with:

$ ansible-inventory -i openstack.yaml --graph                                                                   
[WARNING]: Couldn't list Openstack hosts. See logs for details
Invalid input for field 'identity/password/user/password': None is not of type 'string'

Failed validating 'type' in schema['properties']['identity']['properties']['password']['properties']['user']['properties']['password']:
    {'type': 'string'}

On instance['identity']['password']['user']['password']:
    None (HTTP 400) (Request-ID: req-02606d91-2c50-4bdb-934a-bcacc93e85dd)

openstack.yaml looks like this:

---
plugin: openstack.cloud.openstack
expand_hostvars: false
use_hostnames: true
fail_on_errors: true
all_projects: false

The ideal solution would be injecting the vault-encrypted password variable into this file.



Solution 1:[1]

Put the variable into the group_vars/all.yml. Try the inventory group_vars/all first:

shell> cat group_vars/all.yaml
---
os_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      6132613866613437333261......

If the plugin doesn't read group_vars by default, configure use_extra_vars:

shell> cat openstack.yaml
---
plugin: openstack.cloud.openstack
expand_hostvars: false
use_hostnames: true
fail_on_errors: true
all_projects: false
use_extra_vars: true

and put the file into the -e (--extra-vars) CLI option:

shell> ansible-inventory -i openstack.yaml -e @group_vars/all.yaml --graph

This way, you can put the file wherever you want, of course:

shell> ansible-inventory -i openstack.yaml -e @any_path/os_password.yaml --graph
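
An added example, not part of the original question or answer: a stdlib-only Python check, usable as a pre-commit step, that confirms the clouds.yaml going into version control sets no credential under any cloud's auth block. The function name and the sample file contents are constructed for this example, and it assumes block-style YAML mappings indented with spaces.

```python
import re
import sys

# Credential keys that may sit under clouds.<name>.auth in clouds.yaml.
SECRET_KEYS = {"password", "application_credential_secret", "token"}
EMPTY = {"", "null", "~", "''", '""'}
KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):\s*(.*)$")

# Constructed sample input (not from the page).
SAMPLE_CLEAN = """\
clouds:
  mycloud:
    auth:
      auth_url: https://keystone.example.invalid:5000/v3
      username: deployer
      project_name: demo
    region_name: RegionOne
"""
SAMPLE_LEAKY = SAMPLE_CLEAN.replace(
    "      username: deployer\n",
    "      username: deployer\n      password: constructed-not-a-real-secret\n")


def find_inline_secrets(text):
    """Return (cloud, key, line_no) for each secret set under clouds.<cloud>.auth."""
    findings = []
    stack = []  # (indent, key) pairs: ancestors of the current line
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        match = KEY_RE.match(line)
        if not line.strip() or line.lstrip().startswith("#") or not match:
            continue
        indent, key, value = len(match.group(1)), match.group(2), match.group(3).strip()
        # Pop siblings and deeper levels so the stack holds only ancestors.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = [k for _, k in stack] + [key]
        stack.append((indent, key))
        if (len(path) == 4 and path[0] == "clouds" and path[2] == "auth"
                and key in SECRET_KEYS and value not in EMPTY):
            findings.append((path[1], key, line_no))
    return findings


if __name__ == "__main__":
    hits = [(p, h) for p in sys.argv[1:] for h in find_inline_secrets(open(p).read())]
    for path, (cloud, key, line_no) in hits:
        print(f"{path}:{line_no}: cloud '{cloud}' sets auth.{key}")
    sys.exit(1 if hits else 0)
```

Run it with the path to clouds.yaml as the argument; a non-zero exit status means a credential is still in the file.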

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1