I have a bunch of inventory variables files which have been encrypted with ansible-vault. In ansible.cfg I’ve got
[defaults]
vault_password_file = ./vault-pass.sh
That script outputs the vault password when it is run (without needing any user input), and this works great with ansible-playbook.
When I run ansible-lint to check my playbooks and roles, I get warnings like this:
WARNING Ignored exception from JinjaRule.matchyaml while processing inventory/host_vars/balrog24/wireguard.yml (vars): Decryption failed (no vault secrets were found that could decrypt).
WARNING Ignored exception from VariableNamingRule.matchyaml while processing inventory/host_vars/balrog24/wireguard.yml (vars): Decryption failed (no vault secrets were found that could decrypt).
There are two warnings for each file, but no other warnings or errors from ansible-lint. For some reason it (and presumably ansible-playbook --syntax-check underneath it) is unable to obtain the vault password from the existing configuration.
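A fail-closed version of the kind of vault_password_file script described in the post above, added here as an example; it is not the poster's actual vault-pass.sh, and the variable name ANSIBLE_VAULT_PASS is an assumption. Ansible executes the file named in vault_password_file and reads the password from its standard output, so this version prints nothing on stdout and exits non-zero when the variable is unset or empty, turning a silently empty password into an explicit error on stderr:

```shell
#!/bin/sh
# vault-pass.sh (added example, not the poster's script).
# Ansible runs this file and takes the vault password from its stdout.
# The password is read from the environment variable named by $1
# (default ANSIBLE_VAULT_PASS, an assumed name) and the script fails
# closed if that variable is unset or empty.

# Print the vault password held in the variable named by $1.
# Returns 0 on success, 1 if the name is invalid or the value is empty.
emit_vault_password() {
    var_name="${1:-ANSIBLE_VAULT_PASS}"
    # Only accept a plain identifier before using eval for indirection.
    case "$var_name" in
        ""|*[!A-Za-z0-9_]*)
            echo "vault-pass.sh: invalid variable name '$var_name'" >&2
            return 1 ;;
    esac
    eval "value=\${$var_name}"
    if [ -z "$value" ]; then
        # Diagnostics go to stderr so nothing wrong ever reaches stdout.
        echo "vault-pass.sh: $var_name is not set; cannot supply vault password" >&2
        return 1
    fi
    # printf avoids echo's portability issues with -n and backslashes.
    printf '%s\n' "$value"
}

# Run only when executed directly as vault-pass.sh (not when sourced).
if [ "${0##*/}" = "vault-pass.sh" ]; then
    emit_vault_password "$@" || exit 1
fi
```

Because the script exits non-zero instead of printing an empty line, a missing environment variable shows up as a failure to run the password script rather than as a misleading "no vault secrets were found" message, which narrows down where a decryption problem actually lies.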
Does ansible-lint run correctly if you run it manually with the working directory being the one that has ansible.cfg in it?
At least ansible-playbook looks for the ansible.cfg in the directory it is being run from. I’m not sure about ansible-lint and whether that applies to the ansible-playbook --syntax-check it runs in the background.
Try determining what the working directory of the pre-commit is. You can also try explicitly setting the ANSIBLE_CONFIG env. variable to point to your ansible.cfg.
Both the pre-commit and manual runs of ansible-lint happen in the directory where ansible.cfg is located. Prefixing the ansible-lint command with ANSIBLE_CONFIG=/path/to/ansible.cfg did not eliminate the warnings, nor did changing the vault_password_file entry in ansible.cfg to an absolute path instead of a relative path.
Since the vault-pass.sh script obtains the password from an environment variable, I tried hardcoding the password into that file in case the environment wasn’t being properly passed down, but that still didn’t fix it.
I’ve now tried putting the password itself directly into a file (no script), and changing vault_password_file to point to that: ansible-playbook is happy with that, but ansible-lint is not.
I’ve also tried setting ANSIBLE_VAULT_PASSWORD_FILE, same result, ansible-playbook works but ansible-lint does not.
For what it’s worth, here is the version information for what I am using:
Then it seems that you have hit some limitation in ansible-lint. Either wait for someone involved in ansible-lint development to give you some insight or, better yet, open an issue on GitHub.