Ansible Vault tries to Decode Irrelevant Files

Hello,

I recently updated our Ansible version at our Jenkins server from 1.6.6 to 1.7.2 and our unencrypted playbooks started requiring vault passes.

Two of our environments didn’t have any encryption on their group_vars files, but the rest of them had.

Prior to the update, it would just work fine, but now my job working at “project_qa” group would fail like:

ERROR: A vault password must be specified to decrypt /var/lib/jenkins/jobs/XX/group_vars/project_prod.yml

It only works as intended when there are absolutely no encrypted files within the group_vars directory.

There is no custom patching on the ansible libraries; it's a clean pip installation.

I’d rather not have my vault key distributed to every job.

Thanks,

Ansible doesn’t know what variables you are going to use in a template up front, so any group or host variable in the configuration will be loaded.

You may wish to move your secured files to something like (toplevel) production.yml and do a

ansible-playbook site.yml -e @production.yml

and reduce the number of vault files you have, and this way it would only load the production one.

Alternatively, keep your inventory in different directories

-i inventory/prod/inventory.ini, group_vars, host_vars
-i inventory/dev/inventory.ini, group_vars, host_vars

To keep them isolated.
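An added example, not part of either message above: a small POSIX shell check for the split-inventory layout the reply suggests. It lists any vault-encrypted files under one inventory directory (recognised by their `$ANSIBLE_VAULT;` header line) so a Jenkins job can confirm that the environment it runs against needs no vault password before it calls ansible-playbook. The directory names, file names and file contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): finds Ansible Vault files under an
# inventory directory so a job without a vault password can verify that it
# only touches plaintext group_vars/host_vars before running.
# Assumes the layout inventory/<env>/{inventory.ini,group_vars,host_vars}.

# Print every file under the given inventory directory whose first line
# carries the vault header ($ANSIBLE_VAULT;...).
vault_files_in() {
    find "$1" -type f | while read -r f; do
        head -n 1 "$f" | grep -q '^\$ANSIBLE_VAULT;' && echo "$f"
    done
}

# Exit status 0 when the directory holds no vault files, 1 otherwise.
assert_no_vault_files() {
    [ -z "$(vault_files_in "$1")" ]
}

# Constructed sample layout under a temp dir (not real inventory data).
setup_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/inventory/prod/group_vars" "$root/inventory/dev/group_vars"
    printf '%s\n' '[web]' 'prod1' > "$root/inventory/prod/inventory.ini"
    printf '%s\n' '[web]' 'dev1'  > "$root/inventory/dev/inventory.ini"
    # Vault-looking file: real header, placeholder body (not real ciphertext).
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '303030303030' \
        > "$root/inventory/prod/group_vars/web.yml"
    printf '%s\n' '---' 'db_host: dev-db' > "$root/inventory/dev/group_vars/web.yml"
    echo "$root"
}

# Usage: run the dev job only if its inventory needs no vault password.
root=$(setup_sample)
if assert_no_vault_files "$root/inventory/dev"; then
    echo "dev inventory is plaintext; safe to run without a vault password"
    # ansible-playbook -i "$root/inventory/dev/inventory.ini" site.yml
fi
```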