This Key is working well when it’s plain text
When I encrypt the file with ansible-vault, I get the error: Load key “/home/user/projects/ansible/inventory/group_vars/path/to/key”: invalid format root @ SOME_IP: Permission denied (publickey,password). unreachable: true
I am using $ANSIBLE_VAULT_PASSWORD_FILE to decrypt everything without asking for password.
I have other encrypted secrets in all.yaml that get decrypted.
Can you confirm the decrypted key is valid by direct ssh? Hard to tell for sure, but that looks like the target host is rejecting the key format. Not all key formats are accepted by all targets. I have run into this with GitHub and Tenable Scanners.
Hmm, it seems it’s not an ansible issue: when I decrypt the key and try it, it works. Then, encrypting the key, it still works. After a few minutes, it stops working…
From ansible on Ubuntu 18.04 (python 3.6) to target 20.04
#: ansible --version
[DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the controller starting with Ansible 2.12. Current version: 3.6.9 (default, Jun 29 2022, 11:45:57) [GCC
8.4.0]. This feature will be removed from ansible-core in version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
/home/user/.local/lib/python3.6/site-packages/ansible/parsing/vault/__init__.py:44: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release.
from cryptography.exceptions import InvalidSignature
ansible [core 2.11.12]
config file = /home/user/projects/ansible/ansible.cfg
configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/user/.local/lib/python3.6/site-packages/ansible
ansible collection location = /home/user/.ansible/collections:/usr/share/ansible/collections
executable location = /home/user/.local/bin/ansible
python version = 3.6.9 (default, Jun 29 2022, 11:45:57) [GCC 8.4.0]
jinja version = 3.0.3
libyaml = True
I don’t think what you’re doing is expected to work. ansible_ssh_private_key_file is the path to a private key file used by ssh. That you happen to point it at a file in {{inventory_dir}}/group_vars doesn’t somehow make ssh able to decrypt ansible-vault encrypted files.
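One way to get the effect the original poster wants, added here as an example and not taken from the thread or from the Ansible project: vault the key *content* as a variable, have the controller write it out with owner-only permissions, and point `ansible_ssh_private_key_file` at that plain file so ssh never sees vault ciphertext. The variable name `ssh_private_key`, the path `deploy_key`, and the `webservers` group are assumptions.

```yaml
# group_vars/all.yaml (excerpt). The vaulted value is the key text itself,
# produced with: ansible-vault encrypt_string --stdin-name ssh_private_key < id_ed25519
# ssh_private_key: !vault |
#   $ANSIBLE_VAULT;1.1;AES256
#   <ciphertext>

# playbook.yaml
- name: Materialize the vaulted key on the controller (assumed layout)
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    deploy_key_dir: "{{ lookup('env', 'HOME') }}/.ansible/tmp"
  tasks:
    - name: Private directory for decrypted key material
      ansible.builtin.file:
        path: "{{ deploy_key_dir }}"
        state: directory
        mode: "0700"

    - name: Write the decrypted key; ssh refuses group/world-readable keys
      ansible.builtin.copy:
        content: "{{ ssh_private_key }}"
        dest: "{{ deploy_key_dir }}/deploy_key"
        mode: "0600"
      no_log: true   # keep the key out of task output and logs

- name: Connect to targets using the plain key file, not the vaulted one
  hosts: webservers
  vars:
    ansible_ssh_private_key_file: "{{ lookup('env', 'HOME') }}/.ansible/tmp/deploy_key"
  tasks:
    - name: Prove the connection works
      ansible.builtin.ping:

- name: Remove the decrypted key when the run is done
  hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: Delete key material from the controller
      ansible.builtin.file:
        path: "{{ lookup('env', 'HOME') }}/.ansible/tmp/deploy_key"
        state: absent
```

With `ANSIBLE_VAULT_PASSWORD_FILE` set as in the question, the first play decrypts `ssh_private_key` transparently; the "invalid format" error goes away because the file ssh loads now starts with a key header rather than `$ANSIBLE_VAULT;`.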
That depends entirely on your situation and its security requirements.
This can mean anything, from not encrypting anything, to fancy HSMs, etc.
In any case, it's not something specific to ansible I would say.