I wouldn’t be surprised if I am using this incorrectly, but I could use some outside input. Consider the following tree (not in a role):
.
├── get_user_info.yml
└── vault.yml
vault.yml contents:
Q1: I had to use vars_files to get the variables read in. Is that normal? Otherwise, my ansible_user kept defaulting to “NONE” when executing (as seen under debug level 4)
Yes. There are cases where variable files are automatically loaded (e.g. roles, group_vars) but random YAML files adjacent to the playbook are not one of those cases.
I execute the playbook as follows (which works) but get an error toward the end (in the play recap):
ansible-playbook ./get_user_info.yml --vault-id @prompt vault.yml -i /etc/ansible/inventory/windows -e user=someuser -e host=myserver
`ERROR! playbooks must be a list of plays`
You ran, disregarding the other flags, `ansible-playbook get_user_info.yml vault.yml`, so Ansible attempted to execute those files as playbooks. The second one is not a playbook so it errored out.
It’s a lot easier if you just encrypt the value and not the whole file so you can find where a variable is defined.
For example:
ansible-vault encrypt_string --vault-id dev@password 'foooodev' --name 'the_dev_secret'
Result:
the_dev_secret: !vault |
          $ANSIBLE_VAULT;1.2;AES256;dev
          30613233633461343837653833666333643061636561303338373661313838333565653635353162
          3263363434623733343538653462613064333634333464660a663633623939393439316636633863
          61636237636537333938306331383339353265363239643939666639386530626330633337633833
          6664656334373166630a363736393262666465663432613932613036303963343263623137386239
          6330
https://docs.ansible.com/ansible/latest/user_guide/vault.html
However, if you must encrypt the whole file, you can do the following:
ansible_password: "{{ vault_ansible_password }}"
Then you should be able to run
ansible-playbook ./get_user_info.yml -i some_inventory
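The header line of the `encrypt_string` result earlier in this thread (`$ANSIBLE_VAULT;1.2;AES256;dev`) records the format version, the cipher and the vault ID label that was passed to `--vault-id`. The Python below is an added example, not part of the original posts or of Ansible's own code: it reads that envelope without decrypting it, so you can check before committing that a value really is vaulted and under which ID. `parse_vault_envelope` and `build_sample` are hypothetical names, and the sample envelope is constructed from filler bytes.

```python
import binascii
import re

# Header: $ANSIBLE_VAULT;<format version>;<cipher>[;<vault ID label>]
HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;(1\.[12]);([A-Z0-9]+)(?:;(.+))?$")


def parse_vault_envelope(text):
    """Describe a vault envelope without decrypting it.

    Takes a whole encrypted file or the block under `!vault |`;
    indentation is ignored. Raises ValueError for anything else.
    """
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    match = HEADER_RE.match(lines[0]) if lines else None
    if not match:
        raise ValueError("no $ANSIBLE_VAULT header: value is not vault-encrypted")
    version, cipher, vault_id = match.groups()
    try:
        # Payload is hex of: hex(salt) \n hex(hmac) \n hex(ciphertext)
        inner = binascii.unhexlify("".join(lines[1:]))
        salt, tag, ciphertext = (binascii.unhexlify(p) for p in inner.split(b"\n"))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"malformed vault payload: {exc}") from None
    return {
        "version": version,
        "cipher": cipher,
        "vault_id": vault_id,  # None when the header carries no label
        "salt_len": len(salt),
        "hmac_len": len(tag),
        "ciphertext_len": len(ciphertext),
    }


def build_sample(vault_id):
    """Constructed envelope made of filler bytes, not real vault output."""
    parts = (b"\x11" * 32, b"\x22" * 32, b"\x33" * 16)
    inner = b"\n".join(binascii.hexlify(p) for p in parts)
    body = binascii.hexlify(inner).decode()
    rows = ["  " + body[i:i + 80] for i in range(0, len(body), 80)]
    return "\n".join([f"$ANSIBLE_VAULT;1.2;AES256;{vault_id}"] + rows)


if __name__ == "__main__":
    print(parse_vault_envelope(build_sample("dev")))
```

A plaintext line such as `ansible_password: something` raises `ValueError`, which is the case a pre-commit check would want to block.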