ERROR: A vault password must be specified to decrypt data


Edgars

Apr 15, 2014, 8:05:25 AM
to ansible...@googlegroups.com
Hi

I want to use Vault to load password as variable, so I just do:

    vars_files:
      - vault/passwords.yml


where passwords.yml is just:

password: XXXX



Then:

command: ... --password={{ password }} ...


and here is what I get:

ansible-playbook playbook.yml --ask-vault-pass

playbook: playbook.yml

ERROR: A vault password must be specified to decrypt data

ansible-playbook 1.6


Any hints what am I doing wrong?

Edgars

Jan-Piet Mens

Apr 15, 2014, 8:55:47 AM
to ansible...@googlegroups.com
> Any hints what am I doing wrong?

Well, for one, you're confusing the heck out of me... ;)

You want to specify the password to a vault file in clear text in a
playbook so that a task can unlock the vault? If that's the case, this
is all wrong.

Vault is designed to *hide* passwords; I think what you're doing is
security-through-confusion. ;-)

-JP

Edgars

Apr 15, 2014, 9:01:18 AM
to ansible...@googlegroups.com
No, no, it is not in clear text. passwords.yml is encrypted, created with ansible-vault. Here I was just showing its content.

Edgars
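
Added example (not part of the thread, and not Ansible's own code): a check that files listed under vars_files, such as vault/passwords.yml above, are vault-encrypted on disk rather than cleartext. It assumes the ansible-vault file layout of a `$ANSIBLE_VAULT;<version>;<cipher>` header line followed by hex text, and goes slightly beyond the thread by also accepting the later four-field header that carries a vault-ID label; the function names and sample files are constructed for illustration.

```python
import binascii
import os
import tempfile

VAULT_MAGIC = "$ANSIBLE_VAULT"


def parse_vault_header(text):
    """Return (version, cipher, label) for a vault file, or None for anything else."""
    lines = text.splitlines()
    if not lines:
        return None
    fields = lines[0].strip().split(";")
    if fields[0] != VAULT_MAGIC or len(fields) not in (3, 4):
        return None
    body = "".join(line.strip() for line in lines[1:])
    if not body:
        return None  # header with no payload is not a usable vault file
    try:
        binascii.unhexlify(body)  # payload must be hex text
    except (binascii.Error, ValueError):
        return None
    label = fields[3] if len(fields) == 4 else None
    return fields[1], fields[2], label


def audit_vars_files(paths):
    """Map each path to its parsed header, or None when the file is not encrypted."""
    report = {}
    for path in paths:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            report[path] = parse_vault_header(fh.read())
    return report


def demo():
    # Constructed samples: the hex payload is filler, not real ciphertext.
    samples = {
        "encrypted.yml": "$ANSIBLE_VAULT;1.1;AES256\n" + "61626364" * 10 + "\n6566\n",
        "cleartext.yml": "password: XXXX\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name, content in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
            paths.append(path)
        report = audit_vars_files(paths)
        return {os.path.basename(p): hdr for p, hdr in report.items()}
```

Run as a pre-commit or CI step over every path a playbook names in vars_files, and fail the build when any secret-bearing file maps to None.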

James Tanner

Apr 15, 2014, 9:26:38 AM
to ansible...@googlegroups.com
I just did a quick visual audit of the code where vars_files are loaded, but could see nothing that would break encrypted files.

Please file a bug with all the relevant data and I will try to troubleshoot/fix.

-- 
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/deb60f30-e945-4dc1-9d6c-acb979ff785c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Edgars

Apr 15, 2014, 9:50:07 AM
to ansible...@googlegroups.com
Hi again

I did some troubleshooting and found that it does not work with --check, --list-hosts or --syntax-check options. When I remove these flags then it works as expected. I was actually trying with --check option before and it failed. So, I guess no need for ticket.

BR,
Edgars


James Tanner

Apr 15, 2014, 10:11:28 AM
to ansible...@googlegroups.com
I should probably make it work with the check/list flags, so please open a bug if you don’t mind.


Michael Hauck

Jun 10, 2014, 11:41:23 AM
to ansible...@googlegroups.com
Since this affects me as well, I opened an issue:

https://github.com/ansible/ansible/issues/7716

Best regards,
Michael

Michael DeHaan

Jun 11, 2014, 6:35:21 PM
to ansible...@googlegroups.com
Per James's comment, this is now resolved on the development branch!



