I have set a vault_password_file in ansible.cfg to point to an executable that uses a yubikey to decrypt the password file stored in my home directory. Now I’m trying to use ansible-lint to check my playbooks and I’m setting both the vault_path and vault_password_file in .ansible-lint. I have checked that the variables are set correctly in the ansible call from ansible-lint, but still the regular (set in ansible.cfg) version of vault_password_file is used
```console
11:40:31:(lint):~/git/ansible $ ansible-config dump --only-changed
CONFIG_FILE() = /home/joso/git/ansible/ansible.cfg
DEFAULT_ASK_VAULT_PASS(/home/joso/git/ansible/ansible.cfg) = False
DEFAULT_HOST_LIST(/home/joso/git/ansible/ansible.cfg) = ['/home/joso/git/ansible/inventory.yaml']
DEFAULT_LOAD_CALLBACK_PLUGINS(/home/joso/git/ansible/ansible.cfg) = True
DEFAULT_ROLES_PATH(/home/joso/git/ansible/ansible.cfg) = ['/home/joso/git/ansible/roles', '/usr/share/ansible/roles', '/etc/ansible/roles']
DEFAULT_STDOUT_CALLBACK(/home/joso/git/ansible/ansible.cfg) = debug
DEFAULT_VAULT_PASSWORD_FILE(/home/joso/git/ansible/ansible.cfg) = /home/joso/.ansible/get_vault_pass.sh
EDITOR(env: EDITOR) = vim
PLAYBOOK_DIR(/home/joso/git/ansible/ansible.cfg) = /home/joso/git/ansible/playbooks
11:49:54:(lint):~/git/ansible $ cat dummy
11:51:30:(lint):~/git/ansible $ cat .vault_lint_pass
fake-secret
11:51:31:(lint):~/git/ansible $ cat playbooks/setup/travel_router.yaml
---
- name: Setup travel router
  hosts: travel-router
  gather_facts: false
  vars_files:
    - "{{ vault_path }}"
  roles:
    - proxmox
11:51:35:(lint):~/git/ansible $ ansible-playbook playbooks/setup/travel_router.yaml --extra-vars 'vault_path=dummy vault_password_file=.vault_lint_pass'
Please touch the flashing Yubikey
```
Is this expected? Any way that I can use extra-vars to prevent the default vault from being used/decrypted?
`vault_password_file` isn't a variable, but a configuration option.
To override the configuration option, use the environment variable:
```shell
ANSIBLE_VAULT_PASSWORD_FILE=.vault_lint_pass ansible-playbook ...
```
There's also a CLI option `--vault-password-file`, but that doesn't seem to override the existing one; it adds another password, so your Yubikey script would still be executed.
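One way to put that override to work for the linting case, added here as an example and not code from the thread: it assumes the poster's file names (`.vault_lint_pass`, `dummy`), an `.ansible-lint` that sets `vault_path` to `dummy`, and a `RUN_LINT` switch that is my own. Before running the linter it checks `ansible-config dump` to confirm the env var, not `ansible.cfg`, is what Ansible will use, so the Yubikey script is never invoked.

```shell
#!/usr/bin/env sh
# Added example: lint with a dummy vault while keeping the Yubikey-backed
# vault_password_file from ansible.cfg out of the picture. It relies on the
# thread's finding that ANSIBLE_VAULT_PASSWORD_FILE overrides the config
# option, whereas --vault-password-file only adds a second vault-id.
set -eu

# Read `ansible-config dump --only-changed` output on stdin and print the
# effective vault password file as "<origin>|<path>", e.g.
# "env: ANSIBLE_VAULT_PASSWORD_FILE|.vault_lint_pass".
vault_pass_origin() {
  sed -n 's/^DEFAULT_VAULT_PASSWORD_FILE(\(.*\)) = \(.*\)$/\1|\2/p'
}

# Succeed only when the env override is what Ansible will use, i.e. the
# script configured in ansible.cfg will not be called during the lint run.
env_override_active() {
  case "$(vault_pass_origin)" in
    "env: ANSIBLE_VAULT_PASSWORD_FILE|"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Prepare the lint-only passphrase and dummy vault, verify the override took
# effect, then run ansible-lint (assumed: .ansible-lint sets vault_path=dummy).
run_lint() {
  [ -f .vault_lint_pass ] || printf 'fake-secret\n' > .vault_lint_pass
  export ANSIBLE_VAULT_PASSWORD_FILE=.vault_lint_pass
  if [ ! -f dummy ]; then
    printf -- '---\nlint_dummy: true\n' > dummy
    ansible-vault encrypt dummy
  fi
  if ! ansible-config dump --only-changed | env_override_active; then
    echo "vault_password_file override not active; aborting" >&2
    return 1
  fi
  ansible-lint "$@"
}

# RUN_LINT=1 is an assumed switch so the helpers can be sourced or tested alone.
if [ "${RUN_LINT:-0}" = 1 ]; then
  run_lint
fi
```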
The `--vault-password-file` CLI option not overriding the configuration seemed like a bug, so I submitted an issue to the ansible repository:
opened 11:38AM - 07 Apr 25 UTC
### Summary
From [the docs](https://docs.ansible.com/ansible/latest/reference_a… ppendices/general_precedence.html#command-line-options):
> Any command-line option will override any configuration setting.
This doesn't seem to be the case for the `--vault-password-file` option, which seems to add another passphrase instead of overriding the one in the configuration file or environment variable.
### Issue Type
Bug Report
### Component Name
vault
### Ansible Version
```console
$ ansible --version
ansible [core 2.18.4]
config file = /home/kristian/projects/ansible-playground/ansible.cfg
configured module search path = ['/home/kristian/projects/ansible-playground/plugins/modules']
ansible python module location = /home/kristian/projects/ansible-playground/venv/lib/python3.12/site-packages/ansible
ansible collection location = /home/kristian/projects/ansible-playground/.galaxy:/home/kristian/projects/ansible-playground
executable location = /home/kristian/projects/ansible-playground/venv/bin/ansible
python version = 3.12.3 (main, Feb 4 2025, 14:48:35) [GCC 13.3.0] (/home/kristian/projects/ansible-playground/venv/bin/python3)
jinja version = 3.1.6
libyaml = True
```
### Configuration
```console
# if using a version older than ansible-core 2.12 you should omit the '-t all'
$ ansible-config dump --only-changed -t all
CONFIG_FILE() = None
EDITOR(env: EDITOR) = nano
PAGER(env: PAGER) = cat
```
### OS / Environment
Ubuntu 24.04, Python 3.12.3
### Steps to Reproduce
Simple test case with environment variable and CLI arg.
```shell
$ echo "secret-password" > vault-password
$ ANSIBLE_VAULT_PASSWORD_FILE=vault-password ansible-vault encrypt_string --vault-password-file=vault-password
...
ERROR! The vault-ids default,default are available to encrypt. Specify the vault-id to encrypt with --encrypt-vault-id
```
The same happens when the vault passphrase is set in `ansible.cfg`.
### Expected Results
Expected ansible to use the `--vault-password-file` option, overriding the environment variable.
### Actual Results
```console
...
ERROR! The vault-ids default,default are available to encrypt. Specify the vault-id to encrypt with --encrypt-vault-id
```
### Code of Conduct
- [x] I agree to follow the Ansible Code of Conduct
bcoca (Brian Coca), April 7, 2025, 3:10pm
Not a bug, it was designed that way … sadly not all options behave the same way; most override, but some are additive … sadly we don't indicate this well.
So what's the recommended way to be able to lint this? ansible-lint doesn't pass stdout from every call onto its own stdout, so I cannot even tell that it's expecting me to touch my Yubikey.
Also, at this point I need to touch the Yubikey 7 times in order for this to work (and again, I only know because I know how many playbooks are out there), but that could grow quickly when I start adding more playbooks. It's also impossible for me to be touching the Yubikey in CI.
bcoca (Brian Coca), April 7, 2025, 3:30pm
You were already given a solution that does override the ansible.cfg, I’m just stating that the CLI option does not and that is by design.