Ansible Vault - Issues with Encrypting ansible_password

Hi everyone.
I encountered an issue while attempting to encrypt the ansible_password using ansible-vault for connecting to a Windows host over WinRM. Once the password is encrypted and inserted into the vars/main.yaml file, the playbook fails to recognize it when connecting to the host.
Here is my playbook:

#test.yaml
---
- hosts: servers
  roles:
    - windows

inventory:

[servers]
IP

[servers:vars]
ansible_user=user
ansible_port=5985
ansible_connection=winrm
ansible_winrm_scheme=http
ansible_winrm_server_cert_validation=ignore
ansible_winrm_kerberos_delegation=true

vars:

---
ansible_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          66303033643362333834373963393231383533333635643334313739383361313238386162313261
          3639623339623335376534316636306133643066656130340a663166343932383632313234623561
          31323466393934613637313734353039363531366138383663333339333562626165623463356530
          6536363164343766300a316162336535656630376532323063333932366535356139386134666435
          63366330303439666139373166373366386161336636653036613438323565383936

ansible.cfg:

[defaults]
vault_password_file = root/open.txt

When executing ansible-playbook -i inventory.ini test.yaml, I encountered the following error:

fatal: [ip]: UNREACHABLE! => { "changed": false, "msg": "ssl: auth method ssl requires a password", "unreachable": true }

What could be the issue?

How are you telling Ansible what the vault password is?
According to the Ansible Vault and Ansible Config Settings documentation, there are a couple of different ways to tell Ansible what your vault password is.

For my local development stuff, I put my vault password into a text file and then set the ANSIBLE_VAULT_PASSWORD_FILE environment variable to that file location. That way, Ansible knows where to find my ansible-vault password and can decrypt the vault to read the contents.
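
Whichever of those two mechanisms you use, the first thing worth confirming is that the password Ansible is being handed actually matches the blob. The script below is an added example (it is not code from this thread or from the Ansible project): it parses the $ANSIBLE_VAULT envelope and checks the blob's HMAC under a candidate password, using the key schedule of Ansible's AES256 vault format (PBKDF2-HMAC-SHA256, 10000 iterations, 80 bytes derived and split into cipher key, HMAC key and IV; HMAC-SHA256 over the ciphertext). It reuses the encrypted ansible_password from the first post as its input. It does not decrypt, since AES is not in the Python standard library, so a match tells you the password is right, not what the secret is; the envelope that build_sample_envelope constructs for the self-test carries placeholder ciphertext and is constructed data, not a real vault. If the HMAC verifies with the contents of your password file, the vault side is fine and the UNREACHABLE errors are coming from the connection variables or from WinRM itself.

```python
"""Check an Ansible Vault blob against a vault password without running Ansible.

Added example, not from the thread. It implements only the integrity half of
Ansible's AES256 vault format (PBKDF2-HMAC-SHA256 key schedule plus HMAC-SHA256
over the ciphertext), which is enough to answer "does this password file match
this blob?". It does not decrypt: AES is not in the standard library.
"""
import binascii
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Parameters of Ansible's VaultAES256 cipher (ansible.parsing.vault).
PBKDF2_ITERATIONS = 10000
KEY_LEN = 32   # one AES-256 key and one HMAC key
IV_LEN = 16    # AES-CTR initial counter block

# The vault-encrypted ansible_password from the original post, reused as input.
PAGE_BLOB = """\
$ANSIBLE_VAULT;1.1;AES256
66303033643362333834373963393231383533333635643334313739383361313238386162313261
3639623339623335376534316636306133643066656130340a663166343932383632313234623561
31323466393934613637313734353039363531366138383663333339333562626165623463356530
6536363164343766300a316162336535656630376532323063333932366535356139386134666435
63366330303439666139373166373366386161336636653036613438323565383936
"""


@dataclass
class VaultEnvelope:
    version: str
    vault_id: Optional[str]   # present only in 1.2 headers ($ANSIBLE_VAULT;1.2;AES256;<id>)
    salt: bytes
    mac: bytes
    ciphertext: bytes


def parse_vault(text: str) -> VaultEnvelope:
    """Split a $ANSIBLE_VAULT envelope into its header and the three hex fields."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    header = lines[0].split(";")
    if header[0] != "$ANSIBLE_VAULT" or len(header) < 3 or header[2] != "AES256":
        raise ValueError("not an AES256 Ansible Vault envelope: %r" % lines[0])
    # Outer hex layer decodes to b"<hex salt>\n<hex hmac>\n<hex ciphertext>".
    inner = binascii.unhexlify("".join(lines[1:]))
    parts = inner.split(b"\n")
    if len(parts) != 3:
        raise ValueError("vault body does not have salt/hmac/ciphertext fields")
    salt, mac, ciphertext = (binascii.unhexlify(p) for p in parts)
    return VaultEnvelope(
        version=header[1],
        vault_id=header[3] if len(header) > 3 else None,
        salt=salt, mac=mac, ciphertext=ciphertext,
    )


def derive_keys(password: bytes, salt: bytes):
    """Ansible's key schedule: 80 bytes of PBKDF2 split into cipher key, HMAC key, IV."""
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS,
                             dklen=2 * KEY_LEN + IV_LEN)
    return dk[:KEY_LEN], dk[KEY_LEN:2 * KEY_LEN], dk[2 * KEY_LEN:]


def password_matches(env: VaultEnvelope, password: str) -> bool:
    """True if the HMAC over the ciphertext verifies under this password.

    Ansible performs this check before decrypting; a mismatch is what it
    reports as a decryption failure at playbook time.
    """
    _, mac_key, _ = derive_keys(password.encode("utf-8"), env.salt)
    expected = hmac.new(mac_key, env.ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, env.mac)


def password_file_matches(env: VaultEnvelope, path: str) -> bool:
    """Read a vault password file the way Ansible does (surrounding whitespace stripped)."""
    with open(path, "rb") as fh:
        return password_matches(env, fh.read().strip().decode("utf-8"))


def build_sample_envelope(password: str, fake_ciphertext: bytes) -> str:
    """Construct a structurally valid envelope for the self-test (constructed data).

    The ciphertext is a placeholder, not real AES-CTR output, so the result
    verifies but is not a decryptable vault.
    """
    salt = os.urandom(32)
    _, mac_key, _ = derive_keys(password.encode("utf-8"), salt)
    mac_hex = hmac.new(mac_key, fake_ciphertext, hashlib.sha256).hexdigest().encode()
    inner = b"\n".join([binascii.hexlify(salt), mac_hex, binascii.hexlify(fake_ciphertext)])
    body = binascii.hexlify(inner).decode()
    wrapped = "\n".join(body[i:i + 80] for i in range(0, len(body), 80))
    return "$ANSIBLE_VAULT;1.1;AES256\n" + wrapped


if __name__ == "__main__":
    env = parse_vault(PAGE_BLOB)
    print("salt %d B, hmac %d B, ciphertext %d B"
          % (len(env.salt), len(env.mac), len(env.ciphertext)))
    vault_file = os.environ.get("ANSIBLE_VAULT_PASSWORD_FILE")
    if vault_file:
        print("password file matches:", password_file_matches(env, vault_file))
```

Run it with ANSIBLE_VAULT_PASSWORD_FILE pointing at the same file you give Ansible (the script strips the contents the way Ansible's file secret reader does, so a trailing newline in the file is harmless). The blob from the post parses to a 32-byte salt, a 32-byte HMAC and a 32-byte ciphertext, i.e. two AES blocks, which is exactly what a short password padded to the block size produces.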

I’ve configured the Vault password in ansible.cfg but it seems that Ansible isn’t picking up the ansible_password variable.

Upon running the playbook, I encounter the following error message:

fatal: [IP]: UNREACHABLE! => {"changed": false, "msg": "plaintext: auth method plaintext requires a password", "unreachable": true }

In an attempt to resolve this, I specified the location of ansible_password using vars_files:

- hosts: servers
  vars_files:
    - /etc/ansible/roles/windows/vars/main.yaml
  roles:
    - windows

However, this resulted in another error:

fatal: [IP]: UNREACHABLE! => { "changed": false, "msg": "plaintext: the specified credentials were rejected by the server", "unreachable": true }

I don't get it.

As a simple test to see if any of the special characters in your passwords are messing with the Ansible interpreters, try removing all special characters from the password.

If you must have a special character, use underscore "_" or pound "#". Those don't have special meaning in most languages.

I updated the ansible_winrm_scheme setting from http to https, and now it functions properly. The issue lay within the WinRM configuration.

