
Follow-up to this Q&A.

According to this and this documentation it should be possible to define a default vault password file by specifying vault_password_file = ~/.vault_pass.txt in one of the following files:

* ANSIBLE_CONFIG (an environment variable)
* ansible.cfg (in the current directory)
* .ansible.cfg (in the home directory)
* /etc/ansible/ansible.cfg

Although the password file exists and the log indicates that the ansible.cfg containing the definition is used, the decryption fails:

user@host$
Using /etc/ansible/ansible.cfg as config file
ERROR! Decryption failed on /path/to/ansible/group_vars/production/vault

Discussion

  • Is the pass correct for this vault?

Yes. When ansible is run using --vault-password-file=~/.vault_pass.txt the decryption succeeds.

  • Just so that we're clear - the name of the environment variable is ANSIBLE_VAULT_PASSWORD_FILE, correct?

No. When this variable is used it works, but the aim is to set it in the ansible.cfg by setting /etc/ansible/ansible.cfg.

  • What Ansible version is used?

    user@host:/dir$ ansible --version
    ansible 2.2.2.0
        config file = /etc/ansible/ansible.cfg
        configured module search path = Default w/o overrides
    
  • Does using a full path in the config work?

The decryption fails as well when the full path, i.e. /home/user/.vault_pass.txt, is specified instead of ~.
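To rule out the two things the discussion circles around (which ansible.cfg actually wins in the lookup order listed above, and whether `~` in vault_password_file resolves to an existing, properly protected file), here is an added Python example. It is not Ansible's own code; the helper names `find_ansible_cfg`, `resolve_vault_password_file`, `check_password_file` and `demo` are made up for this illustration, and the directory tree `demo()` builds is constructed sample data.

```python
import configparser
import os
import tempfile

def find_ansible_cfg(env, cwd, home, etc_cfg="/etc/ansible/ansible.cfg"):
    """Return the first existing config in the order the question lists."""
    candidates = [env.get("ANSIBLE_CONFIG"),
                  os.path.join(cwd, "ansible.cfg"),
                  os.path.join(home, ".ansible.cfg"),
                  etc_cfg]
    return next((p for p in candidates if p and os.path.isfile(p)), None)

def resolve_vault_password_file(cfg_path, home):
    """Read [defaults] vault_password_file and expand a leading ~ against
    the given home directory (Ansible expands ~ for the invoking user)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(cfg_path)
    raw = parser.get("defaults", "vault_password_file", fallback=None)
    if raw is None:
        return None
    return home + raw[1:] if raw == "~" or raw.startswith("~/") else raw

def check_password_file(path):
    """List problems to rule out before blaming the vault itself:
    a missing file, or one readable by group/others."""
    if not os.path.isfile(path):
        return ["missing"]
    mode = os.stat(path).st_mode & 0o777
    return ["permissions too open: %o" % mode] if mode & 0o077 else []

def demo():
    """Build a constructed sample tree mirroring the question, run the checks."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "home", "user")
    etc_cfg = os.path.join(root, "etc", "ansible", "ansible.cfg")
    os.makedirs(home)
    os.makedirs(os.path.dirname(etc_cfg))
    with open(etc_cfg, "w") as fh:
        fh.write("[defaults]\nvault_password_file = ~/.vault_pass.txt\n")
    pw_file = os.path.join(home, ".vault_pass.txt")
    with open(pw_file, "w") as fh:
        fh.write("constructed-sample-secret\n")
    os.chmod(pw_file, 0o644)  # deliberately too open so the check fires
    used = find_ansible_cfg({}, root, home, etc_cfg=etc_cfg)
    resolved = resolve_vault_password_file(used, home)
    return {"config": used, "password_file": resolved,
            "problems": check_password_file(resolved)}
```

Running `demo()` against the constructed tree picks /etc/ansible/ansible.cfg (no ANSIBLE_CONFIG, no cwd or home config), expands ~ to the sample home, and flags the 0644 password file; point the same helpers at your real paths to compare with what `Using ... as config file` reports.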

030

3 Answers


I found an issue with Ansible/Python causing a failure to decrypt.

Specifically, Ansible 2.7.10 and 2.7.13 under Python 3.6.8 on Ubuntu 18.04 would not decrypt (using ansible-vault edit -vvvvv) a vault file that was identical to file that decrypted OK on macOS 10.13 using Python 3.7.2 with same Ansible versions.

Upgrading to Python 3.7.3 on Ubuntu (using apt-get install python3.7 on 18.04) fixed this.

Your issue may be different, but if on Python 3.6 or lower, I would try upgrading to 3.7.

RichVel

It is unclear why it failed, but setting vault_password_file = ~/.vault_pass.txt in /etc/ansible/ansible.cfg was sufficient.

030

According to the docs,

You can also set ANSIBLE_VAULT_PASSWORD_FILE environment variable, e.g. ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass.txt and Ansible will automatically search for the password in that file.

Ensure that you are using the exact same case.