Ansible-lint unable to decrypt vaulted files when ansible-playbook can

I have a bunch of inventory variables files which have been encrypted with ansible-vault. In ansible.cfg I’ve got

[defaults]
vault_password_file = ./vault-pass.sh

That script outputs the vault password when it is run (without needing any user input), and this works great with ansible-playbook.

When I run ansible-lint to check my playbooks and roles, I get warnings like this:

WARNING  Ignored exception from JinjaRule.matchyaml while processing inventory/host_vars/balrog24/wireguard.yml (vars): Decryption failed (no vault secrets were found that could decrypt).
WARNING  Ignored exception from VariableNamingRule.matchyaml while processing inventory/host_vars/balrog24/wireguard.yml (vars): Decryption failed (no vault secrets were found that could decrypt).

There are two warnings for each file, but no other warnings or errors from ansible-lint. For some reason it (and presumably the ansible-playbook --syntax-check underneath it) is unable to obtain the vault password from the existing configuration.

Hi Kevin,

Where do you keep the ansible.cfg file and how do you run ansible-lint?

ansible.cfg is in the current directory; here are the contents:

[defaults]
vault_password_file = ./vault-pass.sh
inventory = inventory
localhost_warning = false
roles_path = roles
gathering = smart
fact_caching = jsonfile
fact_caching_connection = factcache
fact_caching_timeout = 2592000
allow_world_readable_tmpfiles = true
collections_path = collections
forks = 30
timeout = 60

[inventory]
enable_plugins = yaml, constructed

[ssh_connection]
ssh_args = -o ControlMaster=auto -o ControlPersist=180m
pipelining = true

I normally run ansible-lint using pre-commit, but while testing this I was running it manually like this:

ansible-lint --fix=none --strict --profile=production

Does ansible-lint run correctly if you run it manually with the working directory being the one that has ansible.cfg in it?

At least ansible-playbook looks for ansible.cfg in the directory it is being run from. I’m not sure about ansible-lint, or whether that applies to the ansible-playbook --syntax-check it runs in the background.

Try determining what the working directory of pre-commit is. You can also try explicitly setting the ANSIBLE_CONFIG environment variable to point to your ansible.cfg.

Both the pre-commit and manual runs of ansible-lint happen in the directory where ansible.cfg is located. Prefixing the ansible-lint command with ANSIBLE_CONFIG=/path/to/ansible.cfg did not eliminate the warnings, nor did changing the vault_password_file entry in ansible.cfg to an absolute path instead of a relative path.

Since the vault-pass.sh script obtains the password from an environment variable, I tried hardcoding the password into that file in case the environment wasn’t being properly passed down, but that still didn’t fix it.

I’ve now tried putting the password itself directly into a file (no script), and changing vault_password_file to point to that: ansible-playbook is happy with that, but ansible-lint is not.

I’ve also tried setting ANSIBLE_VAULT_PASSWORD_FILE, with the same result: ansible-playbook works but ansible-lint does not.

For what it’s worth, here is the version information for what I am using:

kpfleming@balrog24:~/git-personal/km6g/ansible$ ansible --version
ansible [core 2.21.1]
  config file = /home/kpfleming/git-personal/km6g/ansible/ansible.cfg
  configured module search path = ['/home/kpfleming/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/kpfleming/.local/pipx/venvs/ansible-core/lib/python3.14/site-packages/ansible
  ansible collection location = /home/kpfleming/git-personal/km6g/ansible/collections
  executable location = /home/kpfleming/.local/bin/ansible
  python version = 3.14.6 (main, Jun 11 2026, 04:03:48) [Clang 22.1.3 ] (/home/kpfleming/.local/pipx/venvs/ansible-core/bin/python)
  jinja version = 3.1.6
  pyyaml version = 6.0.3 (with libyaml v0.2.5)

kpfleming@balrog24:~/git-personal/km6g/ansible$ ansible-lint --version
ansible-lint 26.6.0 using ansible-core:2.21.1 ansible-compat:26.6.0 ruamel-yaml:0.19.1 ruamel-yaml-clib:None
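As an added diagnostic for the checks tried above (this is not code from the thread, from ansible or from ansible-lint), the following stdlib-only Python script mimics where ansible looks for a vault password: ANSIBLE_VAULT_PASSWORD_FILE first, then vault_password_file from the ansible.cfg located via ANSIBLE_CONFIG or the working directory, running the file if it is executable and reading it otherwise. It assumes the path-resolution rules stated in the comments, the demo() fixture with its constructed ansible.cfg, vault-pass.sh and pw.txt stands in for a real repository, and nothing prints the secret itself.

```python
import configparser
import os
import subprocess
import tempfile
from pathlib import Path

def locate_ansible_cfg(cwd, env):
    """Search order ansible uses: ANSIBLE_CONFIG, ./ansible.cfg, ~/.ansible.cfg, /etc/ansible/ansible.cfg."""
    for candidate in (env.get("ANSIBLE_CONFIG"), cwd / "ansible.cfg", "~/.ansible.cfg", "/etc/ansible/ansible.cfg"):
        path = Path(os.path.expanduser(str(candidate))) if candidate else None
        if path and path.is_file():
            return path.resolve()
    return None

def resolve_vault_password_file(cwd, env):
    """Password file ansible would consult (cwd is a Path), or None. The env var wins over ansible.cfg."""
    if env.get("ANSIBLE_VAULT_PASSWORD_FILE"):
        # Assumption: a relative path from the env var resolves against the working directory.
        return (cwd / os.path.expanduser(env["ANSIBLE_VAULT_PASSWORD_FILE"])).resolve()
    cfg = locate_ansible_cfg(cwd, env)
    parser = configparser.ConfigParser(interpolation=None)
    parser.read([cfg] if cfg else [])
    value = parser.get("defaults", "vault_password_file", fallback=None)
    # Assumption: a relative path in ansible.cfg resolves against the directory that holds ansible.cfg.
    return (cfg.parent / os.path.expanduser(value)).resolve() if value else None

def read_vault_secret(path):
    """Executable file: run it and take stdout; plain file: read it. The trailing newline is dropped either way."""
    if os.access(path, os.X_OK):
        text = subprocess.run([str(path)], capture_output=True, text=True, check=True).stdout
    else:
        text = path.read_text()
    secret = text.rstrip("\r\n")
    if not secret:
        raise ValueError(f"vault password from {path} is empty")
    return secret

def demo():
    """Constructed fixture: ansible.cfg pointing at ./vault-pass.sh, plus a plain file chosen through the env var."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ansible.cfg").write_text("[defaults]\nvault_password_file = ./vault-pass.sh\n")
        (root / "vault-pass.sh").write_text("#!/bin/sh\necho constructed-script-secret\n")
        (root / "vault-pass.sh").chmod(0o700)
        (root / "pw.txt").write_text("constructed-plain-secret\n")
        from_cfg = resolve_vault_password_file(root, {})
        from_env = resolve_vault_password_file(root, {"ANSIBLE_VAULT_PASSWORD_FILE": "pw.txt"})
        # Report only which file was chosen and that it yields a secret; never echo the secret in real use.
        return {"cfg_file": from_cfg.name, "cfg_secret": read_vault_secret(from_cfg),
                "env_file": from_env.name, "env_secret": read_vault_secret(from_env)}
```

Calling resolve_vault_password_file(Path.cwd(), os.environ) from the same working directory and environment pre-commit uses shows which file, if any, a tool that follows ansible's own lookup would pick.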

Then it seems that you have hit some limitation in ansible-lint. Either wait for someone involved in ansible-lint development to give you some insight or, better yet, open an issue on GitHub.

For those who find this discussion:

It was already reported in the GitHub repository as Ansibe-lint does not initially set vault secrets like Ansible does · Issue #2889 · ansible/ansible-lint · GitHub.

There is also an open PR which claims to resolve it, at feat: honor ANSIBLE_VAULT_PASSWORD_FILE for vault decryption by JohnLahr · Pull Request #5019 · ansible/ansible-lint · GitHub.