ERROR: A vault password must be specified to decrypt data

Hi

I want to use Vault to load password as variable, so I just do:

`
vars_files:

  • vault/passwords.yml
    `

where passwords.yml is just:

password: XXXX

Then:

command: ... --password={{ password }} ...

and here is what I get:

`
ansible-playbook playbook.yml --ask-vault-pass

playbook: playbook.yml

ERROR: A vault password must be specified to decrypt data
`

ansible-playbook 1.6

Any hints what am I doing wrong?

Edgars

Any hints what am I doing wrong?

Well, for one, you're confusing the heck out of me... :wink:

You want to specify the password to a vault file in clear text in a
playbook so that a task can unlock the vault? If that's the case, this
is all wrong.

Vault is designed to *hide* passwords; I think what you're doing is
security-through-confusion. :wink:

        -JP

No, no, it is not in clear text. passwords.yml is encrypted, created with ansible-vault. Here I was just showing its content

Edgars

otrdiena, 2014. gada 15. aprīlis 14:55:47 UTC+2, JP Mens rakstīja:

I just did a quick visual audit of the code where vars_files are loaded, but could see nothing that would break encrypted files.

Please file a bug with all the relevant data and I will try to troubleshoot/fix.

Hi again

I did some troubleshooting and found that it does not work with --check, --list-hosts or --syntax-check options. When I remove these flags then it works as expected. I was actually trying with --check option before and it failed. So, I guess no need for ticket.

BR,
Edgars

otrdiena, 2014. gada 15. aprīlis 15:26:38 UTC+2, James Tanner rakstīja:

I should probably make it work with the check/list flags, so please open a bug if you don’t mind.

Since this affects me as well, I opened an issue:

https://github.com/ansible/ansible/issues/7716

Best regards,
Michael

Per James’s comment, this is now resolved on the development branch!