responses inline

On Mon, Mar 19, 2018 at 1:34 AM, Vino B <akashvin...@gmail.com> wrote:

> Hi All,
>
>    Request you help, after upgrade ansible to 2.6 -devel the password
> vault is not working as expected, and getting the below error, before the
> upgrade it was working fine without any issues.
>
> *ansible-playbook /home/ansible/playbooks/oscheck.yml --syntax-check*
>
>  [WARNING]: Error in vault password file loading (default): A vault
> password must be specified to decrypt data
>
> ERROR! A vault password must be specified to decrypt data
> *oscheck.yml*
>


> */etc/ansible/ansible.cfg*
> # If set, configures the path to the Vault password file as an alternative
> to
> # specifying --vault-password-file on the command line.
> vault_password_file = /home/ansible/playbooks/target.pass
>
> *Procedure to re-produce the issue*
> vi target.yml
> ansible_user: ansible
> ansible_ssh_pass: <password>
> ansible_become_pass: <password>
> touch target.pass
> ansible-vault encrypt target.pass
> Enter the Vault password : <password>
> Confirm New Vault password : <password>
> ansible-vault encrypt target.yml --vault-password-file=target.pass
>
> At this point : Error :
>  [WARNING]: Error in vault password file loading (default): A vault
> password must be specified to decrypt data
>
> ERROR! A vault password must be specified to decrypt data
>
>
vault_password_file = /home/ansible/playbooks/target.pass
'target.pass' is the file containing the vault password.

> touch target.pass
> ansible-vault encrypt target.pass
> Enter the Vault password : <password>

Not sure I understand this step. This will create an empty 'target.pass' and
'ansible-vault encrypt target.pass' will encrypt it with whatever
<password> is.

That means:

1) To use the contents of target.pass as the vault password for a playbook,
you also need to provide the vault password to decrypt target.pass (whatever
<password> was).

*You can't use the plaintext content of target.pass to decrypt itself.*

You could use another different password to encrypt/decrypt the vault
password file however.

2) If you do provide a secondary password to decrypt the 'target.pass' vault
password file, and its plaintext content is empty, it will cause an error.
There is a check that doesn't allow empty vault passwords.


Normal use is that target.pass is not empty and not encrypted, and its
contents are used as the vault password for vault content in playbooks.
i.e., typically the vault password file is not encrypted itself. One or more
vault password files can be encrypted, but it's not the typical usage.

If target.pass is not empty, and it has been encrypted with
<another_password>, you can use the vault encrypted vault password file, but
you have to provide the vault password for target.pass (<another_password>)
first.

For ex, assuming oscheck.yml uses vault content encrypted with the vault
password in the plaintext of target.pass
and target.pass is encrypted with the password 'hunter42':


     $ ansible-playbook --vault-id @prompt --vault-id target.pass /home/ansible/playbooks/oscheck.yml
     Vault password (default):     # enter the password for target.pass here, i.e. hunter42

That will let target.pass be decrypted by using the password 'hunter42', and
then the plaintext contents of target.pass will be added as another vault
password that can be used to decrypt vault content in the playbook.



> Even tried the below command, but still no luck.
>
> ansible-vault encrypt /home/ansible/playbooks/target.yml
> --vault-password-file=/home/ansible/playbooks/target.pass
>


The encrypt case is more complicated. Since you can only encrypt with one
vault password, you need to make sure:

1) Only one vault password is provided  (including vault ids and passwords
set via configuration)

2) You specify which vault password to use for encryption with the
'--encrypt-vault-id' param.

     $ ansible-vault encrypt --encrypt-vault-id /home/ansible/playbooks/target.pass /home/ansible/playbooks/target.yml

   Note: If target.pass is encrypted, you _also_ have to provide the vault
   password used to decrypt it before it can be used to encrypt. There was a
   bug related to that that I believe is fixed now, but will verify.

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Development" group.