Including vault-encrypted variables in a task

Question

I just recently started to use Ansible, and am trying to deploy a configuration file that contains a secret key and email (for credentials to use with an API). I encrypted them with ansible-vault encrypt_string ..., and added them to playbook:

- name: generate dehydrated dns-hook config file
  template:
    src: etc/dehydrated/dns-hook.sh.j2
    dest: /etc/dehydrated/dns-hook.sh.j2
  vars:
    token: !vault |
              $ANSIBLE_VAULT;1.2;AES256;dns-hook
              66326635666264386238316238373135626233393437633937626534623931636365336231363462
              6131333637663337363162653561393962626661313762300a383633303136633564346366383935
              65333265306162386564363937636531346265633635656536646533393961343935313161643262
              6132336430373235380a313364323438393765613131356535373862306337306434653237316566
              34333965356663626231626533656661663364313737663036343161663638373836366235643730
              3965323463643231666361356330343663653536306634646438
    email: !vault |
              $ANSIBLE_VAULT;1.2;AES256;dns-hook
              64336666396139636636386536373531343133303964646631346135633033356162626562333561
              3338336534333236613330336532353861393265613766380a376632616665366463313237656166
              30633135303431336138303535343962663965363536616139393631626534353432313466633064
              3466363063666663360a343233376333643931323738356435643930623765306537313437356638
              3332396164356236663133613432313063373130653632323432643230646237366

However, whenever I run the playbook, I get the following error:

TASK [generate dehydrated dns-hook config file] *****************************************************
[WARNING]: There was a vault format error: Vault format unhexlify error: Odd-length string

fatal: [sherlock.server.com]: FAILED! => {"changed": false, "msg": "AnsibleVaultFormatError: Vault format unhexlify error: Odd-length string"}

The only thing I can find about this error is that I might have newlines that end in \r\n instead of just \n, but I've verified that is not the case. Everything else I've seen online seems to imply that this format should work, but I'm unable to get it to run successfully.

Vladimir Botka · Accepted Answer · 2023-01-26T12:43:31.177

Robuster and more practical solution is an encrypted file. For example,

shell> cat vault1.yml
my_email: admin@example.com
my_tag: tag123

shell> ansible-vault encrypt vault1.yml
Encryption successful

shell> cat vault1.yml
$ANSIBLE_VAULT;1.1;AES256
33376431383930313965356364356136306338383238303032363165633962636366663939373237
3433383262306631643431346236653534316331643466660a326562663633346662656233353733
63373561636432653535666437656537326635363935366261666237353136313939323535336665
3333666466656664610a633430313138393238653065623231393165383162656262646139353730
63653231363465643237666465613631646539366262656537323932346530386364353132326234
3230623232393630396361333462343862323231323733376665

Then the encrypted file can be used in various places. For example,

shell> cat playbook.yml
- hosts: localhost
  tasks:
    - include_vars: vault1.yml
    - debug:
        msg: "email: {{ my_email }} tag: {{ my_tag }}"

gives

    "msg": "email: admin@example.com tag: tag123"

Including vault-encrypted variables in a task

It's possible to limit the scope of the variables to a task. This limits the exposure of the sensitive variables and makes the solution safer. For example, the task below gives the same result.

    - debug:
        msg: "email: {{ my_vault.my_email }} tag: {{ my_vault.my_tag }}"
      vars:
        my_vault: "{{ lookup('file', 'vault1.yml')|from_yaml }}"

score 1 · Answer 2 · answered Jun 19 '22 at 12:40

Just ran into the same problem myself. Turns out, the error message is dead on: I made a copy-paste error.

And sure enough, in the OP's case, the variable email has an odd number of chars. I think this gets across better when piped through xxd:

$ cat > odd.txt
64336666396139636636386536373531343133303964646631346135633033356162626562333561
3338336534333236613330336532353861393265613766380a376632616665366463313237656166
30633135303431336138303535343962663965363536616139393631626534353432313466633064
3466363063666663360a343233376333643931323738356435643930623765306537313437356638
3332396164356236663133613432313063373130653632323432643230646237366
$
$ xxd odd.txt | tail -3
00000160: 3331 3330 3633 3337 3331 3330 3635 3336  3130633731306536
00000170: 3332 3332 3334 3332 3634 3332 3330 3634  3232343264323064
00000180: 3632 3337 3336 360a                      6237366.

Including vault-encrypted variables in a task

2 Answers2