I have an executable python file that produces an inventory.
Can I access the vault password passed on the command line from the script, or is the script run in isolation from everything else?
Did you find answer to your question? I am looking for the same solution.
No, inventory scripts cannot use vault features, they are an 'external
script' Ansible runs.
Inventory plugins can by default, they will automatically unvault
their inventory source file, since these are plugins that run
internally in Ansible.
I have a question. I prompt for the vault password with “vars_prompt”. I then pass this variable to every role I use so I can use it to encrypt/decrypt. When I do:
- name: Test a static file decrypt
delegate_to: localhost
copy:
content: “{{ lookup(‘ansible.builtin.file’, ‘/home/ansible//test.txt’) | ansible.builtin.unvault(vault_passwd) }}”
dest: “/home/ansible/test.txt”
I get the following error:
“Attempting to decrypt but no vault secrets found”
I tried adding “decrypt: no” to the copy module, as I figured that the copy module tried to decrypt the file even though that should already been done via ansible.builtin.unvault, but it changes nothing.
Still get the same error. I tested that the vault_password variable does indeed carry the password.
The 'file' lookup has a builtin unvault function, which is what is
failing, before you get to the unvault filter. A workaround is using
the `pipe` lookup to `cat` the file.
We really should add one of 2 switches 1 to avoid decrypting (like
copy has) or just return the encrypted content when ignoring errors.