How to list the required vault ids for playing a playbook, like list-tags and list-tasks

How to list the required vault ids for playing a playbook, like list-tags and list-tasks?

There is no such feature currently.

The only way to really know if a given string can decrypt an ansible-vaulted value is to try to decrypt the data with it.

The vault header of more recently vaulted data contains the name of the vault password that was used to vault the data. For example, $ANSIBLE_VAULT;1.2;AES256;guess_me would be at the top of any data vaulted with the vault password stored in the file guess_me (or labeled guess_me if environment variables were used instead of files).

So perhaps the simple answer is to recursively grep for vault headers:

$ grep -r '\$ANSIBLE_VAULT;' .

While that may be sufficient for vaulted data contained within a project, it can’t find vaulted data in other parts of the file system or on remote hosts.

Also note that ‘vault-id’ is just an optional label to allow users to track secrets; it is not required and is even allowed to be omitted at any point. It will act as a preference if it matches, but it is not deterministic.

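A worked version of the “try every configured password” approach from the answer above, added here as an example; it is not code from the thread or from the linked gist. It scans a vars file for $ANSIBLE_VAULT envelopes and, for each one, runs the same check ansible-vault performs before decrypting: derive 80 bytes with PBKDF2-HMAC-SHA256 (10000 rounds) from the candidate password and the blob’s salt, then compare an HMAC-SHA256 over the ciphertext with the HMAC stored in the blob. Only the Python standard library is needed, so no Ansible install is required. The vault ids, passwords and the sample vars file are constructed for the example; the fixture blobs use placeholder ciphertext bytes, so they pass the HMAC check here but would not decrypt to anything with ansible-vault. Every candidate is tried regardless of the label in the header, which is how a stale or missing label still gets resolved.

```python
import hashlib
import hmac
import os
import re
from binascii import hexlify, unhexlify

# Envelope header: $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id label>]
HEADER_RE = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>[\d.]+);(?P<cipher>\w+)(?:;(?P<label>.*))?$")
HEX_LINE_RE = re.compile(r"^[0-9a-fA-F]+$")
PBKDF2_ROUNDS = 10000  # fixed in Ansible's AES256 vault cipher

# Constructed vault ids for the example (in real use: --vault-id label@file).
QI_PASS = b"correct horse battery staple"
DEVOPS_PASS = b"a different devops secret"
CANDIDATES = {"qi": QI_PASS, "devops": DEVOPS_PASS}


def find_blobs(text):
    """Yield (start, end, version, label, payload_hex) for each vault envelope.
    start/end are 1-based line numbers of the header and the last body line.
    Body lines are taken greedily while they consist only of hex digits."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i].strip())
        if not m:
            i += 1
            continue
        j = i + 1
        body = []
        while j < len(lines) and HEX_LINE_RE.match(lines[j].strip()):
            body.append(lines[j].strip())
            j += 1
        yield i + 1, j, m.group("version"), m.group("label") or "", "".join(body)
        i = j


def verify_password(payload_hex, password):
    """True if password passes the HMAC check Ansible runs before decrypting.
    Payload layout (after one hex decode): salt_hex \\n hmac_hex \\n ct_hex."""
    try:
        salt_hex, stored_mac, ct_hex = unhexlify(payload_hex).split(b"\n", 2)
        salt, ciphertext = unhexlify(salt_hex), unhexlify(ct_hex)
    except ValueError:  # binascii.Error is a ValueError: malformed blob
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS, dklen=80)
    key2 = derived[32:64]  # [:32] is the AES-CTR key, [64:80] the IV; unused here
    calc = hmac.new(key2, ciphertext, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(calc, stored_mac)


def report(text, candidates):
    """For every blob: (start, end, header label, id that verifies or None).
    All candidates are tried; the label is only a hint and may be stale."""
    out = []
    for start, end, _version, label, payload in find_blobs(text):
        match = next((vid for vid, pw in candidates.items()
                      if verify_password(payload, pw)), None)
        out.append((start, end, label, match))
    return out


def load_vault_ids(specs):
    """Turn 'label@path' specs into {label: password}. Like Ansible, split on
    the first '@', use 'default' when no label, and strip the file contents."""
    ids = {}
    for spec in specs:
        label, sep, path = spec.partition("@")
        if not sep:
            label, path = "default", spec
        with open(os.path.expanduser(path), "rb") as fh:
            ids[label] = fh.read().strip()
    return ids


def build_fixture(password, label, indent="  "):
    """Constructed blob with the real salt/KDF/HMAC layout. The ciphertext is a
    placeholder (no AES done), so it verifies here but is not decryptable."""
    salt = os.urandom(32)
    ciphertext = os.urandom(32)
    derived = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS, dklen=80)
    mac = hmac.new(derived[32:64], ciphertext, hashlib.sha256).hexdigest().encode()
    outer = hexlify(b"\n".join([hexlify(salt), mac, hexlify(ciphertext)])).decode()
    header = "$ANSIBLE_VAULT;1.2;AES256;" + label if label else "$ANSIBLE_VAULT;1.1;AES256"
    wrapped = [header] + [outer[k:k + 80] for k in range(0, len(outer), 80)]
    return "\n".join(indent + ln for ln in wrapped)


def sample_vars():
    """Constructed group_vars file: a qi blob, a blob labelled devops that was
    really vaulted with the qi password, and an unlabelled one nobody can open."""
    return "\n".join([
        "db_host: db.example.internal",
        "db_password: !vault |",
        build_fixture(QI_PASS, "qi"),
        "api_token: !vault |",
        build_fixture(QI_PASS, "devops"),
        "legacy_key: !vault |",
        build_fixture(b"long-lost password", ""),
        "",
    ])


if __name__ == "__main__":
    for start, end, label, match in report(sample_vars(), CANDIDATES):
        print(f"{match or '<none>':7} vars.yml:{start}-{end}  header label: {label or '<none>'}")
```

To run it against a real project, replace CANDIDATES with load_vault_ids(["qi@~/.vaults/.vaultpass", ...]) and feed it each file’s contents; the hex-line heuristic for the blob body is good enough for YAML vars files but only file-based password sources are handled, not vault-password scripts. The second blob in the sample is the case the thread is about: its header says devops, yet only the qi password verifies, which no grep of headers could tell you.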

There is a config flag to make decryption act a little more like you might naively expect, but it’s not the default behaviour.


Yes, I’ve enabled this flag.

This should be a static analysis. The real marked vault-ids in the encrypted blocks from the currently running playbooks are not possible to list via grep.

Is this possible to implement in the ansible-core as a new feature?

I’ve just posted a shell script to a gist on github — Report configured Ansible Vault IDs and what vaulted blobs they can decrypt · GitHub — which may meet your needs. It uses all your configured Vault IDs and reports which (if any) can decrypt each of the $ANSIBLE_VAULT; blobs it finds in or below your current directory.

I’d be interested to know if that helps, and if not why.

Cheers!

Thanks very much!

Here’s a typical output from running that gist (above):

$ vault-id-report.sh
# Configured Vault IDs and Files
abvnk   ~/.vaults/.vaultpass-abvnk
devops  ~/.vaults/.vaultpass-devops
info    ~/.vaults/.vaultpass-info
qi      ~/.vaults/.vaultpass

# IDs decrypting discovered ANSIBLE_VAULT data
qi     ./group_vars/qi_chem/vars.yml:10-18 $ANSIBLE_VAULT;1.2;AES256;qi
devops ./group_vars/qi_chem/vars.yml:21-26 $ANSIBLE_VAULT;1.2;AES256;devops
abvnk  ./group_vars/qi_chem/vars.yml:29-34 $ANSIBLE_VAULT;1.2;AES256;abvnk
qi     ./group_vars/qi_chem/vars.yml:37-45 $ANSIBLE_VAULT;1.2;AES256;qi
qi     ./group_vars/qi_chem_dev/vars.yml:207-213 $ANSIBLE_VAULT;1.2;AES256;qi
<none> ./group_vars/qi_chem_dev/vars.yml:217-223 $ANSIBLE_VAULT;1.2;AES256;
info   ./group_vars/qi_chem_dev/vars.yml:268-356 $ANSIBLE_VAULT;1.2;AES256;info
qi     ./group_vars/qi_chem_dev/vars.yml:493-659 $ANSIBLE_VAULT;1.2;AES256;qi
qi     ./group_vars/qi_chem_prd/vars.yml:207-213 $ANSIBLE_VAULT;1.2;AES256;qi
qi     ./group_vars/qi_chem_prd/vars.yml:217-223 $ANSIBLE_VAULT;1.2;AES256;qi
info   ./group_vars/qi_chem_prd/vars.yml:267-355 $ANSIBLE_VAULT;1.2;AES256;
devops ./group_vars/qi_chem_prd/vars.yml:492-658 $ANSIBLE_VAULT;1.2;AES256;devops
qi     ./group_vars/qi_chem_tst/vars.yml:207-213 $ANSIBLE_VAULT;1.2;AES256;qi
qi     ./group_vars/qi_chem_tst/vars.yml:217-223 $ANSIBLE_VAULT;1.2;AES256;qi
abvnk  ./group_vars/qi_chem_tst/vars.yml:268-356 $ANSIBLE_VAULT;1.2;AES256;
qi     ./group_vars/qi_chem_tst/vars.yml:493-659 $ANSIBLE_VAULT;1.2;AES256;