I'll need output from the ansible-vault and ansible-playbook commands with
the '-vvvvv'
verbosity option added to tell you much more.

"Playbook gets executed successfully with providing the vault password
file nor the prompt for a vault password and both the files target.pass
and target.yml are encrypted."

Not sure I'm able to parse that. Does that mean:
- 'ansible-vault --vault-password-file=target.pass --tags kernel
/home/ansible/playbooks/oscheck.yml' works?

If target.pass is vault encrypted, how are you providing the vault password
used to decrypt it?

For the quoted example:

*openssl rand -base64 2048 > target.pass*
*ansible-vault encrypt target.yml --vault-password-file=target.pass*

target.pass is not encrypted (by vault or otherwise)
(is there a step missing where target.pass is encrypted?)


On Tue, Mar 20, 2018 at 12:02 AM, Vino B <akashvin...@gmail.com> wrote:

> Hi Adrian,
>
>   I followed the below steps and it is working, so can you please suggest
> whether we can use the below procedure or do we have any other good
> procedure.
>
> *Procedure:*
> *cd /home/ansible/.ansible*
> *vi target.yml*
>   ansible_user: ansible
>   ansible_ssh_pass: test123
>   ansible_become_pass: test123
> *:wq*
>
> *openssl rand -base64 2048 > target.pass*
> *ansible-vault encrypt target.yml --vault-password-file=target.pass*
>
> *Execute the play book :* *ansible-playbook
> /home/ansible/playbooks/oscheck.yml --tags kernel *
>
> Playbook gets executed successfully with providing the vault password
> file nor the prompt for a vault password, and both the files target.pass
> and target.yml are encrypted.
>
>
> From,
> Vino.B
>
>
>
>
> On Monday, March 19, 2018 at 10:59:49 PM UTC+8, Adrian Likins wrote:
>>
>> responses inline
>>
>>
>> On Mon, Mar 19, 2018 at 1:34 AM, Vino B <akash...@gmail.com> wrote:
>>
>>> Hi All,
>>>
>>>    Request your help: after upgrading ansible to 2.6-devel the password
>>> vault is not working as expected, and I am getting the below error; before
>>> the upgrade it was working fine without any issues.
>>>
>>> *ansible-playbook /home/ansible/playbooks/oscheck.yml --syntax-check*
>>>
>>>  [WARNING]: Error in vault password file loading (default): A vault
>>> password must be specified to decrypt data
>>>
>>> ERROR! A vault password must be specified to decrypt data
>>> *oscheck.yml*
>>>
>>
>>
>>> */etc/ansible/ansible.cfg*
>>> # If set, configures the path to the Vault password file as an
>>> alternative to
>>> # specifying --vault-password-file on the command line.
>>> vault_password_file = /home/ansible/playbooks/target.pass
>>>
>>> *Procedure to re-produce the issue*
>>> vi target.yml
>>> ansible_user: ansible
>>> ansible_ssh_pass: <password>
>>> ansible_become_pass: <password>
>>> touch target.pass
>>> ansible-vault encrypt target.pass
>>> Enter the Vault password : <password>
>>> Confirm New Vault password : <password>
>>> ansible-vault encrypt target.yml --vault-password-file=target.pass
>>>
>>> At this point : Error :
>>>  [WARNING]: Error in vault password file loading (default): A vault
>>> password must be specified to decrypt data
>>>
>>> ERROR! A vault password must be specified to decrypt data
>>>
>>>
>> vault_password_file = /home/ansible/playbooks/target.pass
>> 'target.pass' is the file containing the vault password.
>>
>> >touch target.pass
>> >ansible-vault encrypt target.pass
>> > Enter the Vault password : <password>
>>
>> Not sure I understand this step. This will create an empty 'target.pass'
>> and
>> 'ansible-vault encrypt target.pass' will encrypt it with whatever
>> <password> is.
>>
>> That means:
>>
>> 1) To use the contents of target.pass as the vault password for a
>> playbook, you also need to provide the vault password to decrypt
>> target.pass (whatever <password> was).
>>
>> *You can't use the plaintext content of target.pass to decrypt itself. *
>>
>> You could use another different password to encrypt/decrypt the vault
>> password file however.
>>
>> 2) If you do provide a secondary password to decrypt the 'target.pass'
>> vault password file, and its plaintext content is empty, it will cause an
>> error. There is a check that doesn't allow empty vault passwords.
>>
>>
>> Normal use is that target.pass is not empty and not encrypted, and its
>> contents are used as the vault password
>> for vault content in playbooks.  ie, typically the vault password file is
>> not encrypted itself. One or more vault password
>> files can be encrypted, but it's not the typical usage.
>>
>> If target.pass is not empty, and it has been encrypted with
>> <another_password>, you can use the vault
>> encrypted vault password file, but you have to provide the vault password
>> for target.pass <another_password>
>> first.
>>
>> For ex, assuming oscheck.yml uses vault content encrypted with the vault
>> password in the plaintext of target.pass
>> and target.pass is encrypted with the password 'hunter42':
>>
>>
>>      $ ansible-playbook  --vault-id @prompt --vault-id target.pass
>> /home/ansible/playbooks/oscheck.yml
>>      Vault password (default):     #enter the password for target.pass
>> here, ie hunter42
>>
>> That will let target.pass be decrypted using the password
>> 'hunter42', and then the plaintext contents
>> of target.pass will be added as another vault password that can be used
>> to decrypt vault content in the playbook.
>>
>>
>>
>>> Even tried the below command, but still no luck.
>>>
>>> ansible-vault encrypt /home/ansible/playbooks/target.yml
>>> --vault-password-file=/home/ansible/playbooks/target.pass
>>>
>>
>>
>> The encrypt case is more complicated. Since you can only encrypt with one
>> vault password, you need to make sure:
>>
>> 1) Only one vault password is provided  (including vault ids and
>> passwords set via configuration)
>>
>> 2) You specify which vault password to use for encryption with the
>> '--encrypt-vault-id' param.
>>
>>      $ ansible-vault encrypt --encrypt-vault-id
>> /home/ansible/playbooks/target.pass /home/ansible/playbooks/target.yml
>>
>>    Note: If target.pass is encrypted, you _also_ have to provide the
>> vault password used to decrypt it before it can be
>>              used to encrypt. There was a bug related to that that I
>> believe is fixed now, but will verify.
>>
>>
> -- 
> You received this message because you are subscribed to the Google Groups
> "Ansible Development" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-devel+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

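The two rules Adrian states in the thread (an empty vault password is rejected, and a vault password file that is itself vault-encrypted cannot be unlocked with its own plaintext, so a second password has to be supplied, e.g. with --vault-id @prompt) turned into a small pre-flight check you can run against a password file before ansible-playbook. This is an added example, not code from the thread or from Ansible itself. The only Ansible detail it relies on is the first line of a vault-encrypted file ($ANSIBLE_VAULT;1.1;AES256, or $ANSIBLE_VAULT;1.2;AES256;<vault-id> for a labelled vault). The sample file contents, the script name and the status strings are constructed for the example; nothing is decrypted.

```python
"""Pre-flight checks for an Ansible vault password file (added example, not Ansible code).

Applies the rules from the thread: an empty vault password is rejected, and a
password file that is itself vault-encrypted needs a *second* password, because
its own plaintext cannot be used to decrypt it. Only the vault header line is
inspected; nothing here decrypts anything.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass
from typing import Optional

VAULT_MAGIC = b"$ANSIBLE_VAULT"


@dataclass
class VaultHeader:
    version: str             # "1.1" (unlabelled) or "1.2" (carries a vault-id label)
    cipher: str              # "AES256"
    vault_id: Optional[str]  # label after the cipher, 1.2 format only


def parse_vault_header(data: bytes) -> Optional[VaultHeader]:
    """Return the header of vault-format data, or None if the data is not vault format."""
    first_line = data.lstrip().split(b"\n", 1)[0].rstrip(b"\r")
    if not first_line.startswith(VAULT_MAGIC):
        return None
    parts = first_line.decode("ascii", errors="replace").split(";")
    if len(parts) < 3:
        raise ValueError(f"malformed vault header: {first_line!r}")
    vault_id = parts[3] if len(parts) > 3 else None
    return VaultHeader(version=parts[1], cipher=parts[2], vault_id=vault_id)


def check_vault_password_file(data: bytes, have_second_password: bool = False) -> str:
    """Classify the raw bytes of a vault password file.

    "empty"                    -> rejected outright (empty vault passwords are not allowed)
    "plain"                    -> usable directly via --vault-password-file / --vault-id FILE
    "encrypted-needs-password" -> vault-encrypted; another password is required to open it
    "encrypted-unlockable"     -> vault-encrypted, and a second password is being supplied

    Caveat from the thread: an encrypted file whose *plaintext* is empty
    (touch target.pass; ansible-vault encrypt target.pass) only fails after
    decryption, which a header-only check cannot see.
    """
    content = data.strip()
    if not content:
        return "empty"
    if parse_vault_header(content) is None:
        return "plain"
    return "encrypted-unlockable" if have_second_password else "encrypted-needs-password"


def suggest_command(status: str, password_file: str, playbook: str) -> Optional[str]:
    """Command-line shape that fits the classification (mirrors the thread's examples)."""
    if status == "plain":
        return f"ansible-playbook --vault-id {password_file} {playbook}"
    if status.startswith("encrypted"):
        # @prompt asks for the password that unlocks password_file; its plaintext is
        # then added as a further vault password for the playbook's own vault content.
        return f"ansible-playbook --vault-id @prompt --vault-id {password_file} {playbook}"
    return None  # "empty": put a non-empty password in the file first


# Constructed samples (not real secrets; the hex body is filler, not a real ciphertext).
SAMPLE_PLAIN = b"hunter42\n"
SAMPLE_EMPTY = b"\n"
SAMPLE_ENCRYPTED = b"$ANSIBLE_VAULT;1.1;AES256\n3132333435363738\n"
SAMPLE_ENCRYPTED_LABELLED = b"$ANSIBLE_VAULT;1.2;AES256;dev\n3132333435363738\n"


def main(argv: list[str]) -> int:
    """Usage: python vault_pass_check.py target.pass [playbook.yml]; no args runs the samples."""
    if len(argv) < 2:
        for name, blob in (("plain", SAMPLE_PLAIN), ("empty", SAMPLE_EMPTY), ("encrypted", SAMPLE_ENCRYPTED)):
            status = check_vault_password_file(blob)
            print(f"{name:10} -> {status}: {suggest_command(status, 'target.pass', 'oscheck.yml')}")
        return 0
    with open(argv[1], "rb") as fh:
        data = fh.read()
    status = check_vault_password_file(data)
    playbook = argv[2] if len(argv) > 2 else "playbook.yml"
    print(f"{argv[1]}: {status}")
    print(suggest_command(status, argv[1], playbook) or "fix: the vault password file must not be empty")
    return 0 if status in ("plain", "encrypted-unlockable") else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the real target.pass before invoking ansible-playbook; a result of "encrypted-needs-password" is exactly the situation in which "A vault password must be specified to decrypt data" appears when only the file itself is configured via vault_password_file.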