Ansible vault -- "ERROR! playbooks must be a list of plays"


John Harmon

Jan 17, 2019, 11:35:12 AM1/17/19
to Ansible Project

I wouldn't be surprised if I am using this incorrectly, but I could use some outside input.  Consider the following tree (not in a role):
.
├── get_user_info.yml
└── vault.yml

vault.yml contents:
---
ansible_user: someguy
ansible_password: SecretPassword

get_user_info.yml contents:
---
- hosts: "{{ host }}"
  gather_facts: false
  vars_files:
    - vault.yml
  tasks:
    - name: "Gather info for user {{ user }}"
      win_domain_user:
        name: "{{ user }}"
        state: query
      register: aduser

...debug stuff here...

Q1: I had to use vars_files to get the variables read in.  Is that normal?  Otherwise, my ansible_user kept defaulting to "NONE" when executing (as seen under debug level 4)

I execute the playbook as follows (which works) but get an error toward the end (in the play recap):
ansible-playbook ./get_user_info.yml --vault-id @prompt vault.yml -i /etc/ansible/inventory/windows -e user=someuser -e host=myserver

Output:
Vault password (default):

PLAY [myserver] *************************************************************************

TASK [Gather info for user someuser] ****************************************************
ok: [myserver]

TASK [debug] ****************************************************************************
... a bunch of output here for someuser ...

PLAY RECAP ******************************************************************************
myserver                   : ok=4    changed=0    unreachable=0    failed=0

ERROR! playbooks must be a list of plays

The error appears to have been in '/etc/ansible/tower/remove_user/vault.yml': line 2, column 1, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

$ANSIBLE_VAULT;1.1;AES256
63386238333136363662343339353362326564386230393766646263386639393838366433336261
^ here

Q2:  If I am not using vault correctly, can someone please correct me?
Q3:  I don't understand why I am encountering the error in the play recap.  Can somebody explain that to me?

flowerysong

Jan 17, 2019, 12:15:29 PM1/17/19
to Ansible Project
On Thursday, January 17, 2019 at 11:35:12 AM UTC-5, John Harmon wrote:

> I wouldn't be surprised if I am using this incorrectly, but I could use some outside input.  Consider the following tree (not in a role):
> .
> ├── get_user_info.yml
> └── vault.yml
>
> Q1: I had to use vars_files to get the variables read in.  Is that normal?  Otherwise, my ansible_user kept defaulting to "NONE" when executing (as seen under debug level 4)

Yes. There are cases where variable files are automatically loaded (e.g. roles, group_vars), but a random YAML file adjacent to the playbook is not one of those cases.

> I execute the playbook as follows (which works) but get an error toward the end (in the play recap):
> ansible-playbook ./get_user_info.yml --vault-id @prompt vault.yml -i /etc/ansible/inventory/windows -e user=someuser -e host=myserver
>
> ERROR! playbooks must be a list of plays

You ran, disregarding the other flags, `ansible-playbook get_user_info.yml vault.yml`, so Ansible attempted to execute those files as playbooks. The second one is not a playbook so it errored out.
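To make that argument split concrete, here is an added example (not Ansible's own code and not from either poster) that models the command line with Python's argparse and runs a pre-flight check over the positional arguments. It assumes that `--vault-id`, `-i` and `-e` each consume exactly one following token, as the real CLI does for these options; the `classify_yaml` heuristic and the two sample file bodies are constructed for the example and stand in for Ansible's loader and for the files in the thread.

```python
"""Why `--vault-id @prompt vault.yml` turns vault.yml into a second playbook.

Added example, not Ansible's own code: a reduced model of the ansible-playbook
command line (only the options used in the thread) plus a constructed
pre-flight check that flags positional arguments that are not lists of plays.
"""
import argparse
import shlex

# The command from the original post, and the same command with the stray
# positional removed (vault.yml is loaded through vars_files instead).
ORIGINAL_CMD = ("ansible-playbook ./get_user_info.yml --vault-id @prompt vault.yml "
                "-i /etc/ansible/inventory/windows -e user=someuser -e host=myserver")
FIXED_CMD = ("ansible-playbook ./get_user_info.yml --vault-id @prompt "
             "-i /etc/ansible/inventory/windows -e user=someuser -e host=myserver")

# Constructed stand-ins for the two files in the thread. The ciphertext body
# is a placeholder; only the header matters to the check below.
SAMPLE_FILES = {
    "./get_user_info.yml": """---
- hosts: "{{ host }}"
  gather_facts: false
  vars_files:
    - vault.yml
  tasks:
    - name: "Gather info for user {{ user }}"
      win_domain_user:
        name: "{{ user }}"
        state: query
      register: aduser
""",
    "vault.yml": "$ANSIBLE_VAULT;1.1;AES256\n<ciphertext omitted: constructed placeholder>\n",
}


def split_command(cmdline):
    """Split an ansible-playbook command line the way argparse does.

    Assumption (matches the real CLI for these options): --vault-id, -i and
    -e each take exactly one value, so a bare token after `--vault-id @prompt`
    is not part of the vault id; it lands in the positional playbook list.
    """
    parser = argparse.ArgumentParser(prog="ansible-playbook", add_help=False)
    parser.add_argument("--vault-id", action="append", default=[])
    parser.add_argument("-i", "--inventory", action="append", default=[])
    parser.add_argument("-e", "--extra-vars", action="append", default=[])
    parser.add_argument("playbooks", nargs="+")
    argv = shlex.split(cmdline)[1:]          # drop the program name
    ns = parser.parse_intermixed_args(argv)  # options and positionals interleave
    return {"vault_ids": ns.vault_id, "inventory": ns.inventory,
            "extra_vars": ns.extra_vars, "playbooks": ns.playbooks}


def classify_yaml(text):
    """Heuristic classification of a file body (constructed for this example,
    not Ansible's loader): look at the first non-comment, non-separator line."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped == "---":
            continue
        if stripped.startswith("$ANSIBLE_VAULT;"):
            return "vault-encrypted"   # cannot see inside without the password
        if stripped.startswith("- "):
            return "list-of-plays"     # top-level sequence, what a playbook needs
        return "mapping"               # a vars file: key/value pairs
    return "empty"


def preflight(cmdline, files):
    """Return (path, kind) for every positional argument that is not visibly a
    list of plays. Vault-encrypted files are reported too: the check cannot
    look inside them, and in the thread the decrypted body is a vars mapping."""
    problems = []
    for path in split_command(cmdline)["playbooks"]:
        kind = classify_yaml(files.get(path, ""))
        if kind != "list-of-plays":
            problems.append((path, kind))
    return problems


if __name__ == "__main__":
    for cmd in (ORIGINAL_CMD, FIXED_CMD):
        print(split_command(cmd)["playbooks"], "->", preflight(cmd, SAMPLE_FILES))
```

Running it prints `['./get_user_info.yml', 'vault.yml'] -> [('vault.yml', 'vault-encrypted')]` for the original command and `['./get_user_info.yml'] -> []` for the corrected one, which is exactly the difference between the run that errored in the play recap and one that does not.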

Tony Chia

Jan 18, 2019, 12:13:24 AM1/18/19
to Ansible Project
It's a lot easier if you just encrypt the value and not the whole file so you can find where a variable is defined.
For example:
ansible-vault encrypt_string --vault-id dev@password 'foooodev' --name 'the_dev_secret'

Result:

the_dev_secret: !vault |
          $ANSIBLE_VAULT;1.2;AES256;dev
          30613233633461343837653833666333643061636561303338373661313838333565653635353162
          3263363434623733343538653462613064333634333464660a663633623939393439316636633863
          61636237636537333938306331383339353265363239643939666639386530626330633337633833
          6664656334373166630a363736393262666465663432613932613036303963343263623137386239
          6330

However, if you must encrypt the whole file, you can do the following:

1) create group_vars/all.yml and put the following:
ansible_user: someguy
ansible_password: "{{ vault_ansible_password }}"

2) create group_vars/vault.yml with the encrypted value of vault_ansible_password

Then you should be able to run:
ansible-playbook ./get_user_info.yml -i some_inventory
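The layering Tony describes (a plaintext group_vars/all.yml that only references `vault_` variables, with the values themselves defined in an encrypted file) is easy to get subtly wrong: a reference to a `vault_` name the vault file never defines, or a password left sitting in the plaintext file. Here is an added example, not from the thread and not Ansible's code, of a small lint over that layout. It assumes flat `key: value` files like the ones in the thread (no nested YAML), and the sample file bodies are constructed for the example.

```python
"""Lint the group_vars layering from the thread: plaintext all.yml holds only
references to vault_* names, and the vault file defines them encrypted.

Added example, not Ansible's code. Assumption: flat `key: value` files; the
vault file is either whole-file encrypted (starts with $ANSIBLE_VAULT;) or a
plaintext mapping whose values carry the !vault tag.
"""
import re

KEY_RE = re.compile(r"^([A-Za-z_]\w*):\s*(.*?)\s*$")      # top-level key: value
REF_RE = re.compile(r"\{\{\s*(vault_\w+)\s*\}\}")          # {{ vault_something }}
SECRET_HINT = re.compile(r"password|passwd|secret|token|api_key|private_key", re.I)
VAULT_HEADER = "$ANSIBLE_VAULT;"


def parse_flat_vars(text):
    """Top-level key/value pairs; indented continuation lines (the !vault
    ciphertext block) are skipped because they do not start at column 0."""
    result = {}
    for line in text.splitlines():
        match = KEY_RE.match(line)
        if match:
            result[match.group(1)] = match.group(2)
    return result


def lint_group_vars(plain_text, vault_text):
    """Return a list of findings (empty when the layout is sound)."""
    findings = []
    plain = parse_flat_vars(plain_text)
    whole_file_encrypted = vault_text.lstrip().startswith(VAULT_HEADER)
    # A whole-file-encrypted vault cannot be inspected without the password,
    # so its definitions are taken on trust; an inline-encrypted one can be.
    vault = {} if whole_file_encrypted else parse_flat_vars(vault_text)

    for key, value in plain.items():
        refs = REF_RE.findall(value)
        if SECRET_HINT.search(key) and not refs:
            findings.append(f"{key}: secret-looking value stored in plaintext")
        for ref in refs:
            if not whole_file_encrypted and ref not in vault:
                findings.append(f"{key}: references {ref}, which the vault file does not define")

    if not whole_file_encrypted:
        for key, value in vault.items():
            if not key.startswith("vault_"):
                findings.append(f"vault file: {key} lacks the vault_ prefix")
            if not value.startswith("!vault"):
                findings.append(f"vault file: {key} is stored unencrypted")
    return findings


# Constructed samples.
GOOD_ALL = 'ansible_user: someguy\nansible_password: "{{ vault_ansible_password }}"\n'
ENCRYPTED_VAULT = "$ANSIBLE_VAULT;1.1;AES256\n<ciphertext omitted: constructed placeholder>\n"
# The original poster's vault.yml content, if it were left in plaintext.
LEAKY_ALL = "ansible_user: someguy\nansible_password: SecretPassword\n"
# Inline-encrypted vault file whose variable name does not match the reference.
MISNAMED_VAULT = (
    "vault_ansible_pass: !vault |\n"
    "          $ANSIBLE_VAULT;1.2;AES256;dev\n"
    "          <ciphertext omitted: constructed placeholder>\n"
)

if __name__ == "__main__":
    print(lint_group_vars(GOOD_ALL, ENCRYPTED_VAULT))    # []
    print(lint_group_vars(LEAKY_ALL, ENCRYPTED_VAULT))   # plaintext password
    print(lint_group_vars(GOOD_ALL, MISNAMED_VAULT))     # dangling reference
```

The `vault_` prefix convention is what makes the plaintext file greppable, as Tony's post says: a reader of all.yml sees where every secret comes from, and a check like this one can confirm the other side of the indirection actually exists.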