ansible-vault edit changes sha1 of file even when edits are not saved

I want to view a file that has been encrypted with ansible-vault, but I don’t want to make any changes. The ansible-vault command doesn’t have an option to just cat the decrypted file. Here are the options available:

➜ defaults git:(master) ✗ ansible-vault --help
Usage: ansible-vault [create|decrypt|edit|encrypt|rekey] [--help] [options] file_name

Options:
-h, --help show this help message and exit

See ‘ansible-vault --help’ for more information on a specific command.

So I’ve been using the ansible-vault edit command to view the file and then quitting the editor without saving when I’m done viewing the contents. Surprisingly, even though I quit out of the editor without saving, it changes the file anyway. Why is this? When I do a git status I see the file is modified and the SHA1 has been changed. See below for an example where no changes were saved:

➜ defaults git:(master) openssl sha1 main.yml
SHA1(main.yml)= 63acb6f65ae7d1ad34e047e80acd8857ebab5692
➜ defaults git:(master) ansible-vault edit main.yml
Vault password:
➜ defaults git:(master) ✗ openssl sha1 main.yml
SHA1(main.yml)= 7c48df4f13402558c0e1ca691250a0e8be0bc548

Ansible Vault actually supports the ‘view’ command as of two days ago (version 1.8).
There’s also a pull request to update the docs on the website to reflect this.

  • Ramon

Thanks Ramon.

The ansible-vault view command that’s included with version 1.8 is just what I’m looking for. Still, I find it surprising that the ansible-vault edit command with no saved editor modifications still changes the SHA-1 of the file. But at least I’m aware of this possibility.