Ansible suddenly fails to read vault passwords

G’day all,

New to the group, glad to be here. To not waste too much of anyone’s time, I will get straight to it.

When I run some Ansible Playbooks, I now suddenly get this error message:

[The below changed for reasons of internal security]

fatal: [MAS-01]: FAILED! => {“ansible_facts”: {}, “ansible-included-files”: , “changed”: false, “message”: “Attempting to decrypt but no vault secrets found”}

I haven’t changed anything anywhere, all I do is a “git pull” every Monday or so. When I use “ansible-vault” to read my vault secrets file locally, the content is decrypted and displayed just fine.

Why has this suddenly started happening? I tried re-cloning my Ansible dir, no luck.

Thx.

J.

It’s worth noting, others don’t get hit like that when they run the same playbook on my behalf. Why the difference for me?

Hey,

How do you enter the vault password? Has this changed somehow? Are you sure you are passing the right vault password? You seem to when you use ansible-vault, but did you do the same when calling ansible normally?

I know these questions seem very simple, but I have often enough had errors there myself, for which I had only myself to blame; so I am asking these with good reason :wink:

Cheers

Lars

Are you making sure that you’re using the same ansible.cfg with the value for “vault_password_file” set correctly each time you run the playbook? Since it says “no vault secrets found”, it sounds like it could not be reading that value in from the config file. And just running the playbook from a different directory could cause it not to use the correct ansible.cfg.

Or are you specifying the filename containing the password using the --vault-password-file command-line option instead of using ansible.cfg?
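Added example, not part of the thread or of Ansible itself: a shell sketch of the lookup described in the reply above, showing which ansible.cfg applies for a given run directory and which `vault_password_file` it names. The function names are hypothetical; the search order and the world-writable-directory rule follow Ansible's documented behaviour.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Print the config file Ansible would load when run from directory $1.
# Order: $ANSIBLE_CONFIG, ./ansible.cfg, ~/.ansible.cfg, /etc/ansible/ansible.cfg
resolve_ansible_cfg() {
    run_dir=${1:-$PWD}
    env_cfg=${ANSIBLE_CONFIG:-}
    # ANSIBLE_CONFIG may name a directory; then ansible.cfg inside it is meant.
    if [ -d "$env_cfg" ]; then env_cfg=$env_cfg/ansible.cfg; fi
    cwd_cfg=$run_dir/ansible.cfg
    # Ansible ignores ./ansible.cfg when the run directory is world-writable.
    if [ -n "$(find "$run_dir" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
        cwd_cfg=
    fi
    for cfg in "$env_cfg" "$cwd_cfg" "$HOME/.ansible.cfg" /etc/ansible/ansible.cfg; do
        if [ -n "$cfg" ] && [ -f "$cfg" ] && [ -r "$cfg" ]; then
            printf '%s\n' "$cfg"
            return 0
        fi
    done
    return 1   # no config file found; built-in defaults apply
}

# Print the vault_password_file value from the [defaults] section of file $1
# (prints nothing when the key is absent).
vault_password_file_of() {
    awk '
        /^[ \t]*\[/ { in_defaults = ($0 ~ /^[ \t]*\[defaults\]/); next }
        in_defaults && /^[ \t]*vault_password_file[ \t]*[=:]/ {
            sub(/^[^=:]*[=:][ \t]*/, "")   # drop "key =" prefix
            sub(/[ \t]+$/, "")             # drop trailing blanks
            print
            exit
        }
    ' "$1"
}
```

Call `resolve_ansible_cfg` from the directory the playbook is started in and compare its output with the `config file = ...` line printed by `ansible --version`.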

@ej Yes, “--vault-password-file” is being used. I’m not manually supplying/managing Vault passwords and the playbook is being run from the same dir as always.

@Lars Absolutely nothing has been changed by conscious action from my side. I just suddenly got hit by this after having used the same Playbook (the exact same command) 200+ times. I use “--vault-password-file” in the run-command.

In extension: this command:

[changed for reasons of obscurity]

ap --vault-password-file=.vault.pw -t ktb -l MAS-01

Is being run while standing in my Ansible source dir where the .vault.pw file is also placed, so why does the reading of that file fail, when it can be decrypted and read just fine using the “ansible-vault…” command?

And thx for the replies BTW. This is a bit of a head-scratcher, because it should “just work” as I see it.