ansible-playbook keeps saying ansible-vault variables are undefined!!

Hello everyone!

I’m working on a project for a company I am working for.

Whenever I use ansible-playbook with three variable files, two files are encrypted with ansible-vault and each file has one variable. The variables for each file are the_vault_test, the_vault_test2 and the_test.

Here is the file/directory structure and the output of ansible-playbook:

CAPSULE-V-001-MM037:test chris$ tree
.
├── 003_vault_secrets_test.enc
├── ansible.cfg
├── group_vars
│   └── all
│       ├── 002_vault_secrets_test.enc
│       ├── 003_vault_secrets_test.enc
│       └── vars.yml
├── inventory
└── test_vault.yml

3 directories, 7 files

CAPSULE-V-001-MM037:test chris$ ansible-playbook --inventory inventory --private-key ~/.ssh/staging_ansible_id_ed25519 --user staging_ansible test_vault.yml --vault-password ~/.secrets/ansible_vault_password.txt --extra-vars group_vars/all/002_vault_secrets_test.enc --extra-vars 003_vault_secrets_test.enc

PLAY [My First Play] ***************************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************************************************************************************************************************
ok: [capsule-v-001-mm037]
ok: [capsule-v-001-mm038]

TASK [debug vault_the_test] ********************************************************************************************************************************************************************************************************************
ok: [capsule-v-001-mm037] => {
    "vault_the_test": "VARIABLE IS NOT DEFINED!"
}
ok: [capsule-v-001-mm038] => {
    "vault_the_test": "VARIABLE IS NOT DEFINED!"
}

TASK [debug vault_the_test] ********************************************************************************************************************************************************************************************************************
ok: [capsule-v-001-mm037] => {
    "vault_the_test2": "VARIABLE IS NOT DEFINED!"
}
ok: [capsule-v-001-mm038] => {
    "vault_the_test2": "VARIABLE IS NOT DEFINED!"
}

TASK [debug the_test] **************************************************************************************************************************************************************************************************************************
ok: [capsule-v-001-mm037] => {
    "the_test": "Will this work?"
}
ok: [capsule-v-001-mm038] => {
    "the_test": "Will this work?"
}

PLAY RECAP *************************************************************************************************************************************************************************************************************************************
capsule-v-001-mm037 : ok=4 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
capsule-v-001-mm038 : ok=4 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

CAPSULE-V-001-MM037:test chris$ ansible-playbook --version
ansible-playbook [core 2.18.7]
config file = /Users/chris/Projects/checkouts/test/ansible.cfg
configured module search path = ['/Users/chris/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /opt/homebrew/Cellar/ansible/11.8.0/libexec/lib/python3.13/site-packages/ansible
ansible collection location = /Users/chris/.ansible/collections:/usr/share/ansible/collections
executable location = /opt/homebrew/bin/ansible-playbook
python version = 3.13.6 (main, Aug 6 2025, 13:05:20) [Clang 17.0.0 (clang-1700.0.13.3)] (/opt/homebrew/Cellar/ansible/11.8.0/libexec/bin/python)
jinja version = 3.1.6
libyaml = True
CAPSULE-V-001-MM037:test chris$ uname
Darwin
CAPSULE-V-001-MM037:test chris$ uname -a
Darwin CAPSULE-V-001-MM037.local 24.4.0 Darwin Kernel Version 24.4.0: Wed Mar 19 21:11:02 PDT 2025; root:xnu-11417.101.15~1/RELEASE_ARM64_T8132 arm64
CAPSULE-V-001-MM037:test chris$ sw
sw_vers swcutil swift swift-inspect swiftc
CAPSULE-V-001-MM037:test chris$ sw_vers
ProductName: macOS
ProductVersion: 15.4
BuildVersion: 24E248
CAPSULE-V-001-MM037:test chris$ brew --version
Homebrew >=4.3.0 (shallow or no git repository)

It used to work and now it doesn’t! I made a simple test outside of git! I even asked a friend that works at Red Hat and works with Ansible every day!

Please help!

Maybe the problem is the .enc file extension? I think the default vars plugin only looks for .yml/.yaml/.json files, so it will ignore .enc files.

1 Like

I did that! I did .yml and no file extension and it would give an error about encryption!

It’s not file extensions that is the issue.

The extensions are also configurable, so 2 ways to fix this valid_extensions

1 Like

There are a couple of things going on here. You said

But the job log you posted says the variables vault_the_test and vault_the_test2 are not defined. That’s true: 'vault_the_test' != 'the_vault_test'.

I set up files with the same names and same contents (as a best guess, since you didn’t show their exact contents), but without any vaulting. I wanted to see whether the issue has anything to do with vaulting or if it’s just “plain ol’ Ansible” issues. It’s the latter.

After I changed the variable names in my ansible.builtin.debug tasks to match those in the files, I got the same results you did.

Then I changed the extension on group_vars/all/003_vault_secrets_test.enc to .yml and re-ran the playbook. That change made the variable in that file work in the playbook.

Finally, when you use --extra-vars to specify a file, you must prefix the file path/name with a @. So in my case, that becomes:

ansible-playbook ./test_vault.yml -v --inventory ./inventory --extra-vars @group_vars/all/002_vault_secrets_test.enc --extra-vars @003_vault_secrets_test.enc

Only then do all the variables become defined from the playbook’s perspective.

1 Like
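An added example, not part of any post in this thread and not Ansible's own code: a small Python audit that applies the two rules described above (files under group_vars are read only with no extension or one listed in YAML_FILENAME_EXTENSIONS, and --extra-vars needs @ in front of a file path) to a constructed copy of the original layout. The function names, the sample tree and its fake vault contents are assumptions made for the illustration.

```python
import os
import tempfile

# Default YAML_FILENAME_EXTENSIONS, as printed by `ansible-config dump` in the thread.
DEFAULT_EXTS = (".yml", ".yaml", ".json")
VAULT_HEADER = "$ANSIBLE_VAULT;"  # first line of an ansible-vault encrypted file

def audit_vars_dir(path, valid_exts=DEFAULT_EXTS):
    """Map each file under path to (status, is_vaulted).

    Models the rule from the thread: a vars file is read only if it has
    no extension or a configured one; anything else is silently skipped.
    """
    report = {}
    for root, _dirs, files in os.walk(path):
        for name in sorted(files):
            full = os.path.join(root, name)
            ext = os.path.splitext(name)[1]
            status = "loaded" if (not ext or ext in valid_exts) else "ignored"
            with open(full, "r", errors="replace") as fh:
                vaulted = fh.readline().startswith(VAULT_HEADER)
            report[os.path.relpath(full, path)] = (status, vaulted)
    return report

def unprefixed_files(extra_vars, cwd="."):
    """Return --extra-vars values that name an existing file but lack '@'."""
    return [v for v in extra_vars
            if not v.startswith("@") and os.path.isfile(os.path.join(cwd, v))]

def build_sample_tree(base):
    """Constructed sample mirroring the first post's layout (fake contents)."""
    gv = os.path.join(base, "group_vars", "all")
    os.makedirs(gv)
    fake = "$ANSIBLE_VAULT;1.1;AES256\n3031323334353637\n"  # not real ciphertext
    files = {os.path.join(gv, "002_vault_secrets_test.enc"): fake,
             os.path.join(gv, "003_vault_secrets_test.enc"): fake,
             os.path.join(gv, "vars.yml"): 'the_test: "Will this work?"\n',
             os.path.join(base, "003_vault_secrets_test.enc"): fake}
    for path, text in files.items():
        with open(path, "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, res in audit_vars_dir(os.path.join(tmp, "group_vars")).items():
            print(rel, *res)
        print("missing @:", unprefixed_files(
            ["group_vars/all/002_vault_secrets_test.enc"], tmp))
```

Passing `valid_exts=DEFAULT_EXTS + (".enc",)` models adding .enc to the configured extensions, the other fix suggested earlier in the thread.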

Don’t use the same file as a group_var/host_var in extra vars or other methods, you are creating the variable x2 and masking it with itself and changing the precedence.

2 Likes

I downgraded to Ansible version:

ansible [core 2.17.12]

Also, I went ahead and renamed the vault var files to be .vault and I used in ansible.cfg:

yaml_valid_extensions = .yml, .yaml, .json

I even added the same variable the_vault_test in vars.yml and it did override with a different value but it’s still not working with the vault files. It still says:

CAPSULE-V-001-MM037:test chris$ ansible-playbook --inventory inventory test_vault.yml --private-key ~/.ssh/staging_ansible_id_ed25519 --user staging_ansible --vault-password-file ~/.secrets/ansible_vault_password.txt

PLAY [My First Play] ***************************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************************************************************************************************************************
ok: [capsule-v-001-mm037]
ok: [capsule-v-001-mm038]

TASK [debug vault_the_test] ********************************************************************************************************************************************************************************************************************
ok: [capsule-v-001-mm037] => {
    "vault_the_test": "Will this work form an non-vault file?"
}
ok: [capsule-v-001-mm038] => {
    "vault_the_test": "Will this work form an non-vault file?"
}

TASK [debug vault_the_test] ********************************************************************************************************************************************************************************************************************
ok: [capsule-v-001-mm037] => {
    "vault_the_test2": "VARIABLE IS NOT DEFINED!"
}
ok: [capsule-v-001-mm038] => {
    "vault_the_test2": "VARIABLE IS NOT DEFINED!"
}

TASK [debug the_test] **************************************************************************************************************************************************************************************************************************
ok: [capsule-v-001-mm037] => {
    "the_test": "Will this work?"
}
ok: [capsule-v-001-mm038] => {
    "the_test": "Will this work?"
}

PLAY RECAP *************************************************************************************************************************************************************************************************************************************
capsule-v-001-mm037 : ok=4 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
capsule-v-001-mm038 : ok=4 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

I don’t think it’s the file extensions!

Finally, ansible-config showed the file extensions were already defined by the default install:

CAPSULE-V-001-MM037:test chris$ ansible-config dump | grep -i json
STRING_TYPE_FILTERS(default) = ['string', 'to_json', 'to_nice_json', 'to_yaml', 'to_nice_yaml', 'ppretty', 'json']
YAML_FILENAME_EXTENSIONS(default) = ['.yml', '.yaml', '.json']

By the way I just upgraded ansible and same results:

CAPSULE-V-001-MM037:test chris$ ansible-playbook --version
ansible-playbook [core 2.18.8]
config file = /Users/chris/Projects/checkouts/test/ansible.cfg
configured module search path = ['/Users/chris/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /opt/homebrew/Cellar/ansible/11.9.0/libexec/lib/python3.13/site-packages/ansible
ansible collection location = /Users/chris/.ansible/collections:/usr/share/ansible/collections
executable location = /opt/homebrew/bin/ansible-playbook
python version = 3.13.6 (main, Aug 6 2025, 13:05:20) [Clang 17.0.0 (clang-1700.0.13.3)] (/opt/homebrew/Cellar/ansible/11.9.0/libexec/bin/python)
jinja version = 3.1.6
libyaml = True

My point with the configuration was that you could add .enc files, not that you needed to configure it for the common json/yaml extensions.

I suspect your issue is a data one, but without a full reproducer I don’t know what the exact problem is.

1 Like

Also, I went ahead and renamed the vault var files to be .vault and I used in ansible.cfg:
yaml_valid_extensions = .yml, .yaml, .json

That wouldn’t work for the same reason as .enc. .vault isn’t in the default list of valid extensions.

  1. Use no extension or one of the configured extensions.
  2. Ensure the files in group_vars match the names of groups in your inventory. The hosts named capsule-v-001-mm037 and capsule-v-001-mm038 should be in the groups 002_vault_secrets_test and 003_vault_secrets_test if those hosts should load those group_vars files.
  3. Decrypt your vars and check the variable name matches the one the playbook is using. As pointed out above, you have a typo.

I don’t think it’s the file extensions!

The non-standard extension is one issue, but there could be multiple.

2 Likes

Actually, those files are under group_vars/all/ so the variables within will be available to all play hosts.

However, your first point, “Use no extension or one of the configured extensions” is spot on, as I showed in my post #5 above: “Then I changed the extension on group_vars/all/003_vault_secrets_test.enc to .yml and re-ran the playbook. That change made the variable in that file work in the playbook.”

2 Likes

I installed ansible via python virtualenv and I can’t change it to .yml or blank for a file extension. I get the error:

ERROR! Decryption failed (no vault secrets were found that could decrypt) on /opt/ChrisWasHere/test/group_vars/all/002_vault_secrets_test

Even changing it from a Homebrew install to a pip install still gives me the same issue of variable not defined! Can someone please help me debug this? It’s not file extensions!

That’s a different error, one you’ve not told us about before. That error indicates it is reading the file, it sees the content is encrypted, and it doesn’t have any vault secret that can decrypt it.

You were passing --vault-password-file ~/.secrets/ansible_vault_password.txt before. Can you use that secrets file to decrypt group_vars/all/002_vault_secrets_test by use of the ansible-vault command on the command line? If not, well, there you go. If you can decrypt the file with that secret, then the problem has something to do with how you are presenting that secret to ansible-playbook.

Also, you’ve marked this thread as answered. You may want to remove that until this is fully resolved.

2 Likes