Ansible suddenly fails to read vault passwords


Jacob Olsen

Mar 30, 2021, 10:41:48 AM
to Ansible Project
G'day all,

New to the group, glad to be here. To not waste too much of anyone's time, I will get straight to it.

When I run some Ansible Playbooks, I now suddenly get this error message:

[The below changed for reasons of internal security]

fatal: [MAS-01]: FAILED! => {"ansible_facts": {}, "ansible-included-files": [], "changed": false, "message": "Attempting to decrypt but no vault secrets found"}

I haven't changed anything anywhere, all I do is a "git pull" every Monday or so. When I use "ansible-vault" to read my vault secrets file locally, the content is decrypted and displayed just fine.

Why has this suddenly started happening? I tried re-cloning my Ansible dir, no luck.

Thx.

J. 

Jacob Olsen

Mar 30, 2021, 11:13:24 AM
to Ansible Project
It's worth noting, others don't get hit like that when they run the same playbook on my behalf. Why the difference for me?

Lars Liedtke

Mar 30, 2021, 11:47:14 AM
to ansible...@googlegroups.com

Hey,

How do you enter the vault password? Has this changed somehow? Are you sure you are passing the right vault password? You seem to do so when you use ansible-vault, but did you do the same when calling ansible normally?

I know these questions seem very simple, but I have often enough had errors there myself, for which I had only myself to blame; so I am asking these with well-founded reasons ;-)

Cheers

Lars

ej

Mar 30, 2021, 5:47:46 PM
to Ansible Project
Are you making sure that you're using the same ansible.cfg with the value for "vault_password_file" set correctly each time you run the playbook?  Since it says "no vault secrets found", it sounds like it could not be reading that value in from the config file.  And just running the playbook from a different directory could cause it not to use the correct ansible.cfg.  

Or are you specifying the filename containing the password using the --vault-password-file command-line option instead of using ansible.cfg?  
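
The config-file question raised in the post above can be checked mechanically. The following is an added example, not part of the original thread and not Ansible's own code: a shell reimplementation of Ansible's documented ansible.cfg search order (ANSIBLE_CONFIG, then ./ansible.cfg unless the directory is world-writable, then ~/.ansible.cfg, then /etc/ansible/ansible.cfg). The function names `resolve_ansible_cfg` and `vault_pw_setting` are made up for this illustration.

```shell
#!/bin/sh
# Added example (not Ansible's own code): follow the documented search order
# for ansible.cfg and show whether vault_password_file is set in the winner.

# Print the config file Ansible would select when started in directory $1.
resolve_ansible_cfg() {
    dir=${1:-$PWD}
    # 1. ANSIBLE_CONFIG environment variable
    if [ -n "${ANSIBLE_CONFIG:-}" ] && [ -r "$ANSIBLE_CONFIG" ]; then
        echo "$ANSIBLE_CONFIG"; return 0
    fi
    # 2. ansible.cfg in the current directory; Ansible ignores it when the
    #    directory is world-writable (9th character of the mode string)
    if [ -r "$dir/ansible.cfg" ]; then
        if [ "$(ls -ld "$dir" | cut -c9)" = "w" ]; then
            echo "skipped $dir/ansible.cfg: directory is world-writable" >&2
        else
            echo "$dir/ansible.cfg"; return 0
        fi
    fi
    # 3. per-user file, 4. system-wide file
    for f in "${HOME:-}/.ansible.cfg" /etc/ansible/ansible.cfg; do
        if [ -r "$f" ]; then echo "$f"; return 0; fi
    done
    return 1
}

# Print the vault_password_file value from the [defaults] section of file $1
# (prints nothing when the key is absent).
vault_pw_setting() {
    awk '
        /^[ \t]*\[/ { in_defaults = ($0 ~ /^[ \t]*\[defaults\]/); next }
        in_defaults && /^[ \t]*vault_password_file[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# Report for the directory the playbook is started from.
cfg=$(resolve_ansible_cfg "$PWD") || cfg=
if [ -n "$cfg" ]; then
    echo "config file: $cfg"
    echo "vault_password_file: $(vault_pw_setting "$cfg")"
else
    echo "no ansible.cfg found; a vault secret must come from the command line or environment"
fi
```

On a real install, `ansible --version` prints the config file actually in use, which can be compared against this result.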

Jacob Olsen

Mar 31, 2021, 5:36:24 AM
to Ansible Project
@ej Yes, "--vault-password-file" is being used. I'm not manually supplying/managing Vault passwords and the playbook is being run from the same dir as always.

@Lars Absolutely nothing has been changed by conscious action from my side. I just suddenly got hit by this after having used the same Playbook (the exact same command) 200+ times. I use "--vault-password-file" in the run-command.

Jacob Olsen

Mar 31, 2021, 6:06:43 AM
to Ansible Project
In extension: this command:

[changed for reasons of obscurity]

ap --vault-password-file=.vault.pw -t ktb -l MAS-01

Is being run while standing in my Ansible source dir where the .vault.pw file is also placed, so why does the reading of that file fail, when it can be decrypted and read just fine using the "ansible-vault..." command?

And thx for the replies BTW. This is a bit of a head-scratcher, because it should "just work" as I see it.
