You have to pass the vault password to the ansible command, not the vault file itself. The vault file stores your secrets/variables in encrypted format, and the vault password is used to decrypt it. Pass the vault password to the ansible command.

You have read this doc:
https://docs.ansible.com/ansible/2.7/user_guide/vault.html

Take a look at the below links as well:
https://serversforhackers.com/c/how-ansible-vault-works
https://zaiste.net/ansible_vault_storing_sensitive_data_as_encrypted_variables/

If your roles or playbooks reference encrypted variables, you need to give Ansible the password to decrypt them. Prior to Ansible 2.4, you can do this in two ways:

1) Using the --ask-vault-pass flag will instruct Ansible to ask for the vault password so it can decrypt the variable files correctly.
2) Using the --vault-password-file flag will instruct Ansible to read the vault password from a file. The Ansible playbook uses the password within the referenced file to decrypt the vault file.

Since Ansible 2.4, another way to provide a vault password is to use the --vault-id option. This allows vault files or vars that are encrypted with different passwords to be used at the same time. That is what Andrew mentioned in his post.

On Tuesday, October 30, 2018 at 1:04:03 AM UTC+5:30, Rajendra Rawat wrote:
>
> Hi Mohan,
>
> I tried running ad-hoc command as you suggested but it is not working
>
> ansible <target_hostname> -m ping -u <targer_vm_username> --vault-password-file <secret_file>
>
> where "secret_file" was created with password of <targer_vm_username>
> ansible-vault create secret_file
> cat secret_file
> <password>
>
> Output:
> [WARNING]: Error in vault password file loading (default): A vault password must be specified to decrypt data
> ERROR! A vault password must be specified to decrypt data
>
> Am I doing something wrong?
>
> Thanks & Regards
>
> Rajendra Rawat
>
> On Mon, 29 Oct 2018 at 21:19, Mohan L wrote:
>
>> Do you have any problem using vault with ad-hoc??
>>
>> Here is an example of how it works.
>>
>> I have a vault secret file under group_vars like below. You have to use ansible-vault create.
>>
>> # ansible-vault view group_vars/myserver.yml
>> Vault password:
>> ---
>> ansible_user: root
>> ansible_ssh_pass: password1
>>
>> I have my vault password stored in a file which looks like below:
>>
>> # cat vault_key
>> myvault@pass
>>
>> I am using ad-hoc command like below and it works. What is your problem?
>>
>> # ansible myserver -m file -a "dest=/tmp/hello mode=755 state=directory" -u root --vault-password-file vault_key
>> localhost | SUCCESS => {
>>     "changed": false,
>>     "gid": 0,
>>     "group": "root",
>>     "mode": "0755",
>>     "owner": "root",
>>     "path": "/tmp/hello",
>>     "secontext": "unconfined_u:object_r:user_tmp_t:s0",
>>     "size": 6,
>>     "state": "directory",
>>     "uid": 0
>> }
>>
>> Thanks
>> Mohan L
>>
>> On Monday, October 29, 2018 at 6:30:56 PM UTC+5:30, Rajendra Rawat wrote:
>>>
>>> Hi All,
>>>
>>> Is it possible to use ansible-vault with ad-hoc commands.
>>> Use case: I have not setup ssh key and I want to use ping module on target machine.
>>>
>>> normal way if we have setup sshkey or pass the text password
>>> 1: ansible <target_hostname> -m ping [if ssh key configured]
>>> 2: ansible <target_hostname> -m ping --extra-vars "ansible_user=<username> ansible_password=<password>"
>>>
>>> But I want to do this with ansible-vault.
>>> Is it possible? Any help would be appreciated.
>>>
>>> Thanks & Regards
>>>
>>> Rajendra Rawat

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/39ba802f-c34d-4a70-b5a1-9e21f8e883d3%40googlegroups.com.
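
Added example, not part of the original thread: a pre-flight check for a file about to be passed to --vault-password-file, which catches the mix-up discussed above (a file made with `ansible-vault create` is itself encrypted and starts with a `$ANSIBLE_VAULT;` header, so it cannot serve as the password). The function name, return codes and sample files are this example's own; the sample contents are constructed.

```shell
#!/bin/sh
# Return codes (this example's own convention):
#   0 = plausible plaintext password file
#   2 = file is itself vault-encrypted (the mistake in this thread)
#   3 = missing or empty
#   4 = group/other permission bits are set
check_vault_password_file() {
    pw_file=$1
    [ -s "$pw_file" ] || return 3
    first_line=$(head -n 1 "$pw_file")
    case $first_line in
        '$ANSIBLE_VAULT;'*) return 2 ;;   # vault header, e.g. $ANSIBLE_VAULT;1.1;AES256
    esac
    # ls -ld prints a mode string such as "-rw-------";
    # characters 5-10 are the group and other permission bits.
    perms=$(ls -ld "$pw_file" | cut -c5-10)
    [ "$perms" = "------" ] || return 4
    return 0
}

# Constructed sample files in a scratch directory (removed on exit).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
umask 077

# What `ansible-vault create secret_file` leaves on disk: a header line
# followed by hex ciphertext (the hex here is a made-up stub).
printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '3031323334' > "$demo_dir/secret_file"
# A plaintext password file, private to its owner.
printf '%s\n' 'constructed-vault-pass' > "$demo_dir/vault_key"
# The same password, but readable by other users.
printf '%s\n' 'constructed-vault-pass' > "$demo_dir/loose_key"
chmod 644 "$demo_dir/loose_key"

for name in secret_file vault_key loose_key missing; do
    rc=0
    check_vault_password_file "$demo_dir/$name" || rc=$?
    echo "$name -> $rc"
done
```
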
