Vault variable issues

I am trying to use an Ansible vault variable in my role. I have the Ansible vault configured in my ansible.cfg file currently.
The part where I am having the issue in the role is user creation. I am giving it a password and trying to pass a variable that is calling back to the vault variable. AND I have tried to call the vault variable directly. I have my inventory set up with group_vars.

I am using the latest version of ansible-core on AlmaLinux 9 using WSL 2.0.

- name: Add the app user appsvc_user
  become: true
  ansible.builtin.user:
    name: appsvc_user
    comment: App Service user
    uid: 1111
    group: appservice_account
    system: true
    shell: /bin/bash
    local: true
    password: "{{ vault_appsvc_password }}"

Here is the command I’m using:

[$USER@hostname:dev]$ ansible-playbook --extra-vars @/mnt/c/Users/$USER/Documents/vscode/ansible/vault.yml  --vault-password-file /mnt/c/Users/$USER/Documents/vscode/.vault_pass /mnt/c/Users/$USER/Documents/vscode/playbooks/venafi_playbook.yml -i /mnt/c/Users/$USER/Documents/vscode/environments/dev/inventory.ini -e "target_servers=aap-test01.example.com ansible_user=$USER" -k

I get the following error:

ERROR! Decryption failed (no vault secrets were found that could decrypt) on /mnt/c/Users/$USER/Documents/vscode/ansible/vault.yml

Hi,

Try running your command with -K (capital K, which is short for --ask-become-pass) instead of -k (lowercase k, short for --ask-pass). Also assuming /mnt/c/Users/$USER/Documents/vscode/.vault_pass only contains your password on a single line and has appropriate permissions as stated here.

Hi, my issue isn’t this. I am trying to reference the vault variable in my ansible role. I have my inventory set up like this:
environments/{dev,test,preprod,prod}/group_vars/app_name/vault.yml

And it still isn’t being picked up. I don’t understand why.

Yeah sorry, I’m getting things mixed up; --ask-become-pass is for become, not decrypting vault secrets.

Have you tried directly looking at your secret using your vault pass file, like this: ansible-vault view --vault-password-file /mnt/c/Users/$USER/Documents/vscode/.vault_pass /mnt/c/Users/$USER/Documents/vscode/ansible/vault.yml (or the file containing your secret)?

Edit: I’m too tired to read properly haha; the secret seems to be on a task you referenced up here. Sorry.
I’m also wondering if WSL filesystem permissions wouldn’t cause an issue preventing Ansible from properly reading your pass file.

No worries on mixing things up. I am frustrated with this and haven’t worked with vault in a while.

I have tested that. In fact I have the vault file in multiple places. Frustration leads to forgetting WHERE you put the file too. Luckily this is not production.

I edited my previous comment; WSL has a weird way of managing permissions on its filesystem, and I’m wondering if storing your pass file on a mounted path couldn’t cause an issue preventing Ansible from properly reading it. Could you try to encrypt a simple file in WSL then try to decrypt it using your pass file on /mnt/c/Users/$USER/Documents/vscode/.vault_pass?

Edit: Also in case you’d have some config that would interfere, could you run ansible-config dump | grep -i vault and post the output here?

Here is the ansible-config output:

~]$ ansible-config dump |grep -i vault
DEFAULT_ASK_VAULT_PASS(default) = False
DEFAULT_VAULT_ENCRYPT_IDENTITY(default) = None
DEFAULT_VAULT_IDENTITY(default) = default
DEFAULT_VAULT_IDENTITY_LIST(default) = []
DEFAULT_VAULT_ID_MATCH(default) = False
DEFAULT_VAULT_PASSWORD_FILE(default) = None

Also I created the file using ansible-vault.
ansible-vault create test.yml

Set up the yaml and added a line.

And then I was able to decrypt it. I did that all within the WSL/WSL2.0 env. I did not put it on mounted drive.

So, to be clear:

You just created a new encrypted file using ansible-vault create test.yml, that you stored on the WSL filesystem (not a mounted one from your Windows machine), and then decrypted it using the ansible-vault view --vault-password-file /mnt/c/Users/$USER/Documents/vscode/.vault_pass test.yml command, and managed to see its content without any error nor having been prompted for a password or anything. Is that right?

Sorry, I manually decrypted it. I will try it again. But I don’t think the decryption process is the issue. I still think it is a variable.

See the below output:

[$USER@$HOST ~]$ ansible -m debug -a 'var=groupvars[venafi]' -i /mnt/c/Users/$USER/Documents/vscode/environments/ venafi
[WARNING]: Unable to parse /mnt/c/Users/$USER/Documents/vscode/environments/preprod as an inventory source
[WARNING]: Unable to parse /mnt/c/Users/$USER/Documents/vscode/environments/test as an inventory source
$HOSTNAME | SUCCESS => {
    "groupvars[venafi]": "VARIABLE IS NOT DEFINED!"
}
[$USER@$HOST ~]$

In this example, is the “venafi” group defined in one of those inventories:

[WARNING]: Unable to parse /mnt/c/Users/$USER/Documents/vscode/environments/preprod as an inventory source
[WARNING]: Unable to parse /mnt/c/Users/$USER/Documents/vscode/environments/test as an inventory source

?

Inventories need to be readable for associated host/group_vars to be usable.

I just haven’t created files for those environments yet. Right now as far as I know we only have dev and prod.

Besides, the errors are just warnings…

I’m a bit rusty but I don’t think there is a groupvars magic variable, so your result would be expected. Something like ansible -i ... -m debug -a 'var=hostvars[inventory_hostname]' venafi (to list host_vars for each host in the venafi group) would be the closest, though I’m not sure what we’re trying to do.

> Besides, the errors are just warnings…

Yeah, though no readable inventories means no host/group_vars :man_shrugging:

> Sorry, I manually decrypted it.

So you are able to decrypt a secret by manually typing the passphrase. It seems to me the issue resides in the file containing your passphrase. Either the passphrase is wrong, badly formatted, or your file is unreadable to Ansible, hence my suggestion to try to decrypt a secret using this specific file.
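The last reply narrows the "no vault secrets were found that could decrypt" error down to the password file, and the first reply asked whether that file holds the password on a single line with sane permissions. The script below is an added example, written for this page and not posted by any of the thread's participants, that checks both points offline with only the Python standard library. It reproduces the part of Ansible's AES256 vault scheme that decides whether a secret "can decrypt" a file: PBKDF2-HMAC-SHA256 with 10000 iterations stretches the password into an AES key, an HMAC key and an IV, and the stored HMAC-SHA256 of the ciphertext is recomputed with the HMAC key; no AES is needed for that check, which is why the script needs no third-party crypto package. The exact format details (header fields, the double hex layer, key split, iteration count) are stated here from my reading of Ansible's `VaultAES256` and are assumptions of this example; the `/mnt/` check is a heuristic taken from the thread's WSL suspicion; and `build_test_vault` is a constructed fixture that wraps arbitrary bytes in a valid envelope so the example runs without a real `ansible-vault`-encrypted file.

```python
import binascii
import hashlib
import hmac
import stat
from pathlib import Path
from typing import List, Optional

VAULT_HEADER = "$ANSIBLE_VAULT"
PBKDF2_ITERATIONS = 10000   # iteration count used by Ansible's VaultAES256 (assumed)
KEY_LEN = 32                # AES-256 key length
IV_LEN = 16                 # AES block size; used as the CTR IV


def parse_vault_file(text: str) -> dict:
    """Split a vault file into header fields and (salt, hmac, ciphertext).

    The body is hex of (hex(salt) + "\n" + hex(hmac) + "\n" + hex(ciphertext)),
    so the hex layer has to be peeled twice.
    """
    lines = text.strip().splitlines()
    fields = lines[0].split(";")
    if fields[0] != VAULT_HEADER or len(fields) < 3:
        raise ValueError("not an Ansible Vault file")
    body = binascii.unhexlify("".join(lines[1:]))
    salt_hex, hmac_hex, ct_hex = body.split(b"\n", 2)
    return {
        "version": fields[1],
        "cipher": fields[2],
        "vault_id": fields[3] if len(fields) > 3 else None,  # only in format 1.2
        "salt": binascii.unhexlify(salt_hex),
        "hmac": hmac_hex.decode("ascii"),
        "ciphertext": binascii.unhexlify(ct_hex),
    }


def derive_keys(password: bytes, salt: bytes):
    """PBKDF2-HMAC-SHA256 -> (AES key, HMAC key, IV), split as VaultAES256 does."""
    derived = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS,
                                  dklen=2 * KEY_LEN + IV_LEN)
    return derived[:KEY_LEN], derived[KEY_LEN:2 * KEY_LEN], derived[2 * KEY_LEN:]


def password_opens_vault(password: bytes, vault_text: str) -> bool:
    """True iff this password reproduces the HMAC stored in the file.

    Ansible runs this check for every configured secret; when it fails for all
    of them you get "no vault secrets were found that could decrypt".
    """
    parsed = parse_vault_file(vault_text)
    _, hmac_key, _ = derive_keys(password, parsed["salt"])
    tag = hmac.new(hmac_key, parsed["ciphertext"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, parsed["hmac"])


def password_file_findings(raw: bytes, mode: int, path: str) -> List[str]:
    """Problems with a --vault-password-file, judged from its bytes, mode and path."""
    findings = []
    if mode & stat.S_IXUSR:
        findings.append("executable: Ansible runs it as a script instead of reading it")
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group/other: chmod 600 it")
    secret = raw.strip()          # Ansible strips surrounding whitespace the same way
    if not secret:
        findings.append("empty after stripping whitespace")
    elif b"\n" in secret or b"\r" in secret:
        findings.append("more than one line: the whole stripped content becomes the password")
    if path.startswith("/mnt/"):  # heuristic: a Windows drive mounted into WSL
        findings.append("on a Windows mount under /mnt: permission bits may not be honoured")
    return findings


def inspect_password_file(path: str) -> List[str]:
    """Read a real password file from disk and run the checks above on it."""
    p = Path(path)
    return password_file_findings(p.read_bytes(), p.stat().st_mode, str(p))


def build_test_vault(password: bytes, salt: bytes, payload: bytes,
                     vault_id: Optional[str] = None) -> str:
    """Constructed fixture: a syntactically valid envelope around arbitrary bytes.

    `payload` is not real AES-CTR output, so the result can be HMAC-checked
    (all this example needs) but contains no decryptable plaintext.
    """
    _, hmac_key, _ = derive_keys(password, salt)
    tag = hmac.new(hmac_key, payload, hashlib.sha256).hexdigest().encode("ascii")
    inner = b"\n".join([binascii.hexlify(salt), tag, binascii.hexlify(payload)])
    outer = binascii.hexlify(inner).decode("ascii")
    header = (";".join([VAULT_HEADER, "1.2", "AES256", vault_id]) if vault_id
              else ";".join([VAULT_HEADER, "1.1", "AES256"]))
    return "\n".join([header] + [outer[i:i + 80] for i in range(0, len(outer), 80)]) + "\n"


# Constructed sample: password "s3cret", a fixed 32-byte salt, 32 filler bytes, vault-id "dev".
SAMPLE_VAULT = build_test_vault(b"s3cret", bytes(range(32)), b"\x00" * 32, vault_id="dev")

if __name__ == "__main__":
    info = parse_vault_file(SAMPLE_VAULT)
    print(f"format {info['version']}, cipher {info['cipher']}, vault-id {info['vault_id']}")
    print("s3cret opens it:", password_opens_vault(b"s3cret", SAMPLE_VAULT))
    print("wrong opens it: ", password_opens_vault(b"wrong", SAMPLE_VAULT))
    print(password_file_findings(b"s3cret\r\n", 0o644, "/mnt/c/Users/me/.vault_pass"))
```

To apply it to the situation in the thread, call `inspect_password_file("/mnt/c/Users/$USER/Documents/vscode/.vault_pass")` and then `password_opens_vault(Path(pass_file).read_bytes().strip(), Path(vault_yml).read_text())`: if the findings list is empty and the second call returns True, the password file is fine and the problem lies elsewhere (for example in how the variable is referenced); if it returns False, the stored HMAC does not match the key derived from that file's contents, which is exactly the condition behind the error message. Note that the password is compared after stripping, so a trailing newline is harmless but a second line or a stray character inside the file is not.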
