Trouble with vault multi line password files


Jorgen-P

Dec 10, 2020, 4:48:18 PM
to Ansible Project
Greetings

I have tried to get Ansible vault to use a multi line password file as described in
https://docs.ansible.com/ansible/latest/user_guide/vault.html#storing-vault-passwords
I cannot get this to work. I have tried different combinations of the vault-id, vault-password-file, and encrypt-vault-id parameters and it seems like vault uses the entire file for its password rather than a specific line matching the vault id.
For example: create a file f containing some plaintext and a file p with the 2 lines:
v pass
v2 pass2

This works:
ansible-vault encrypt --vault-id v@p f
And this also works:
ansible-vault edit --vault-id v@p f
But then if I change the contents of p, say I remove the second line, then I instead get this error: "ERROR! Decryption failed (no vault secrets were found that could decrypt) for /tmp/tmp.CmrXnTscYP/f"

Ansible is installed from pip on Ubuntu 20.04
ansible 2.10.3
python version = 3.8.5 (default, Jul 28 2020, 12:59:40) [GCC 9.3.0]

Matt Martz

Dec 10, 2020, 5:20:46 PM
to ansible...@googlegroups.com
That documentation is completely bogus.  That format doesn't exist.

What is happening is that the *entire* contents of the file is being used as the password.

A vault password file can only contain exactly 1 password and nothing else.

There is an open issue for this:  https://github.com/ansible/ansible/issues/72230

--
Matt Martz
@sivel
sivel.net
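
Since a vault password file holds exactly one password, the two-line file p from the question has to become one file per vault ID. The following is an added example, not part of the thread and not Ansible code: it splits a "label password" list into per-label files and prints the matching --vault-id arguments. The function name split_vault_passwords, the .pass suffix and the output directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: split a "label password" list (the format tried in the
# question, which ansible-vault does not parse) into one file per vault ID.

# split_vault_passwords SRC OUTDIR   (hypothetical helper name)
# Writes OUTDIR/<label>.pass for each "label password" line of SRC and prints
# one "--vault-id label@file" argument per label. Returns 1 on a malformed
# line, an unsafe label or a duplicate label.
split_vault_passwords() {
    (
        src=$1
        outdir=$2
        umask 077                      # password files readable by owner only
        mkdir -p "$outdir" || exit 1
        seen=" "
        while IFS= read -r line || [ -n "$line" ]; do
            [ -z "$line" ] && continue # skip blank lines
            label=${line%% *}          # text before the first space
            secret=${line#* }          # everything after it (may contain spaces)
            # A line without a space leaves label equal to the whole line.
            if [ "$label" = "$line" ] || [ -z "$secret" ]; then
                echo "malformed line (want: label password)" >&2
                exit 1
            fi
            # Labels become file names, so accept a conservative set only.
            case $label in
                ''|*[!A-Za-z0-9_-]*) echo "bad label" >&2; exit 1 ;;
            esac
            case $seen in
                *" $label "*) echo "duplicate label: $label" >&2; exit 1 ;;
            esac
            seen="$seen$label "
            # Exactly one password in the file and nothing else.
            printf '%s' "$secret" > "$outdir/$label.pass" || exit 1
            printf '%s %s@%s\n' --vault-id "$label" "$outdir/$label.pass"
        done < "$src"
    )
}
```

Each printed argument can be passed to ansible-vault in the same form the question used (--vault-id v@p), with the per-label file taking the place of p.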

Jorgen-P

Dec 10, 2020, 6:41:12 PM
to Ansible Project
How annoying that it made it in there. Thank you for the info and link.