[WARNING]: Error in vault password file loading (default)

Hi All,

Request your help. After upgrading ansible to 2.6-devel, the password vault is not working as expected and I am getting the error below; before the upgrade it was working fine without any issues.

ansible-playbook /home/ansible/playbooks/oscheck.yml --syntax-check

[WARNING]: Error in vault password file loading (default): A vault password must be specified to decrypt data

ERROR! A vault password must be specified to decrypt data

ansible --version
ansible 2.6.0
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/home/ansible/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /usr/bin/ansible
python version = 2.7.13 (default, Jan 11 2017, 10:56:06) [GCC]

oscheck.yml

Hi All,

After analyzing further, I found that when we move the files “target.yml” and “target.pass” to the folder “/home/ansible/.ansible”, the WARNING disappears and we get the error below. If the files “target.yml” and “target.pass” contain plain text, then it works fine. So the entire vault functionality is not working as expected; basically it is not able to decrypt.

“ERROR! Attempting to decrypt but no vault secrets found”

File under the Folder “/home/ansible/.ansible”
File : target.yml

ansible_user: ansible
ansible_ssh_pass:
ansible_become_pass:

File: target.pass

From,
Vino.B

responses inline

Hi Adrian,

Thank you, please correct me if I am wrong,

The vault password file(target.pass) should not be empty and should not be encrypted.

The file target.yml, which contains the below details, should be encrypted.

ansible_user: ansible
ansible_ssh_pass: test
ansible_become_pass: test

The password used to encrypt the file target.yml, “test”, should be the same in the file target.pass.

As we cannot use plain text in the file target.pass, we have to encrypt the string “test” using ansible-vault encrypt_string and copy the output to the file target.pass.

From,
Vino.B

I’ll need output from the ansible-vault and ansible-playbook commands with the ‘-vvvvv’ verbosity option added to tell you much more.

“Playbook get’s executed successfully with providing the vault password file nor the prompt for a vault password and both the file’s target.pass and target.yml are encrypted.”

Not sure I’m able to parse that. Does that mean:

  • ‘ansible-vault --vault-password-file=target.pass --tags kernel /home/ansible/playbooks/oscheck.yml’ works?

If target.pass is vault encrypted, how are you providing the vault password used to decrypt it?

For the quoted example:

openssl rand -base64 2048 > target.pass
ansible-vault encrypt target.yml --vault-password-file=target.pass

target.pass is not encrypted (by vault or otherwise)

(is there a step missing where target.pass is encrypted?)
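
A pre-flight check for the two files discussed in this thread, as an added example that is not part of any poster's message and not Ansible's own code. It reports a vault password file that is empty, is itself a vault envelope, or is readable beyond its owner, and a data file that lacks the vault header. The function names and the sample file contents are constructed for illustration.

```python
import os
import stat
import tempfile

VAULT_MAGIC = "$ANSIBLE_VAULT;"  # first bytes of every vault-encrypted file

def parse_vault_header(text):
    """Return (version, cipher, vault_id) for a vault envelope, else None."""
    if not text.startswith(VAULT_MAGIC):
        return None
    # 1.1 header: $ANSIBLE_VAULT;1.1;AES256 ; a 1.2 header appends a vault-id label
    parts = text.splitlines()[0].strip().split(";")
    parts += [None] * (4 - len(parts))
    return parts[1], parts[2], parts[3]

def _read(path):
    with open(path, "r", errors="replace") as fh:
        return fh.read()

def check_pair(password_file, data_file):
    """List problems with a vault password file and the file it should decrypt."""
    findings = []
    secret = _read(password_file)
    if not secret.strip():
        findings.append("password file is empty")
    elif parse_vault_header(secret):
        findings.append("password file is itself vault-encrypted")
    if os.stat(password_file).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("password file is accessible to group/other")
    if parse_vault_header(_read(data_file)) is None:
        findings.append("data file is not vault-encrypted")
    return findings

def demo():
    """Check two constructed layouts: a sound one and the one queried above."""
    envelope = "$ANSIBLE_VAULT;1.1;AES256\n6162636465660a\n"  # constructed, not real ciphertext
    with tempfile.TemporaryDirectory() as d:
        def write(name, text, mode):
            path = os.path.join(d, name)
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, mode)
            return path
        good_pw = write("good.pass", "constructed-secret\n", 0o600)
        bad_pw = write("bad.pass", envelope, 0o644)
        data = write("target.yml", envelope, 0o600)
        return check_pair(good_pw, data), check_pair(bad_pw, data)

if __name__ == "__main__":
    print(demo())
```

A vars file that keeps inline `!vault` values produced by ansible-vault encrypt_string does not begin with the envelope header, so this check would report it as not vault-encrypted.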