Re: [ansible-devel] [WARNING]: Error in vault password file loading (default)
Hi Adrian, Thank you, please correct me if I am wrong, The vault password file(target.pass) should not be empty and should not be encrypted. The file target.yml which contains the below details should we encrypted. ansible_user: ansible ansible_ssh_pass: test ansible_become_pass: test The password used to encrypt the file target.yml "test" should me the same in the file target.pass. As we cannot use plain text in the file target.pass, we have to encrypt the string "test" using ansible-vault encrypt_string and copy the output to the file target.pass. From, Vino.B On Mon, 19 Mar 2018, 10:59 PM Adrian Likins <alik...@redhat.com> wrote: > responses inline > > On Mon, Mar 19, 2018 at 1:34 AM, Vino B <akashvin...@gmail.com> wrote: > >> Hi All, >> >>Request you help, after upgrade ansible to 2.6 -devel the password >> vault is not working as expected, and getting the below error, before the >> upgrade it was working fine without any issues. >> >> *ansible-playbook /home/ansible/playbooks/oscheck.yml --syntax-check* >> >> [WARNING]: Error in vault password file loading (default): A vault >> password must be specified to decrypt data >> >> ERROR! A vault password must be specified to decrypt data >> *oscheck.ym*l >> > > >> */etc/ansible/ansible.cfg* >> # If set, configures the path to the Vault password file as an >> alternative to >> # specifying --vault-password-file on the command line. >> vault_password_file = /home/ansible/playbooks/target.pass >> >> *Procedure to re-produce the issue* >> vi target.yml >> ansible_user: ansible >> ansible_ssh_pass: >> ansible_become_pass: >> touch target.pass >> ansible-vault encrypt target.pass >> Enter the Vault password : >> Confirm New Vault password : >> ansible-vault encrypt target.yml --vault-password-file=target.pass >> >> At this point : Error : >> [WARNING]: Error in vault password file loading (default): A vault >> password must be specified to decrypt data >> >> ERROR! A vault password must be specified to decrypt data >> >> > vault_password_file = /home/ansible/playbooks/target.pass > 'target.pass' is the file containing the vault password. > > >touch target.pass > >ansible-vault encrypt target.pass > > Enter the Vault password : > > Not sure I understand this step. This will create an empty 'target.pass' > and > 'ansible-vault encrypt target.pass' will encrypt it with whatever > is. > > That means: > > 1) To use the contents of target.pass as the vault password for a > playbook, then > you also need to provide the vault password to decrypt target.pass > (whatever > was). > > *You can't use the plaintext content of target.pass to decrypt itself. * > > You could use another different password to encrypt/decrypt the vault > password file however. > > 2) If you do provide a secondary password to decrypt the 'target.pass' > vault password file, if it's > plaintext content is empty it will cause an error. There is a check that > doesn't allow empty vault passwords. > > > Normal use is that target.pass is not empty and not encrypted, and its > contents are used as the vault password > for vault content in playbooks. ie, typically the vault password file is > not encrypted itself. One or more vault password > files can be encrypted, but it's not the typical usage. > > If target.pass is not empty, and it has been encrypted with > , you can use the vault > encrypted vault password file, but you have to provide the vault password > for target.pass > first. > > For ex, assuming oscheck.yml uses vault content encrypted with the vault > password in the plaintext of target.pass > and target.pass is encrypted with the password 'hunter42': > > > $ ansible-playbook --vault-id @prompt --vault-id target.pass > /home/ansible/playbooks/oscheck.yml > > Vault password (default): #enter the password for target.pass > here, ie hunter42 > > That will use let target.pass be decrypted by using the password > 'hunter42' and then the plaintext contents > of target.pass will be added as another vault password that can be used to > decrypt vault content in the playbook. > > > > Even tried the below command, but still no luck. >> >> ansible-vault encrypt /home/ansible/playbooks/target.yml >> --vault-password-file=/home/ansible/playbooks/target.pass >> > > > The encrypt case is more complicated. Since you can only encrypt with one > vault password, you need to make sure: > > 1) Only one vault password is provided (including vault ids and passwor
[ansible-devel] Re: [WARNING]: Error in vault password file loading (default)
Hi All, After analyzing further found that when we move the files "target.yml" and "target.pass" to the folder "/home/ansible/.ansible" then the WARNING disappears and get the below error , if these file's "target.yml" and "target.pass" contain plain text then it works fine. so the entire vault functionality is not working as expected,basically not able to decrypt. "ERROR! Attempting to decrypt but no vault secrets found" *File under the Folder "/home/ansible/.ansible"* *File : target.yml* ansible_user: ansible ansible_ssh_pass: ansible_become_pass: *File: target.pass* From, Vino.B On Monday, March 19, 2018 at 1:34:46 PM UTC+8, Vino B wrote: > > Hi All, > >Request you help, after upgrade ansible to 2.6 -devel the password > vault is not working as expected, and getting the below error, before the > upgrade it was working fine without any issues. > > *ansible-playbook /home/ansible/playbooks/oscheck.yml --syntax-check* > > [WARNING]: Error in vault password file loading (default): A vault > password must be specified to decrypt data > > ERROR! A vault password must be specified to decrypt data > > *ansible --version* > ansible 2.6.0 > config file = /etc/ansible/ansible.cfg > configured module search path = > [u'/home/ansible/.ansible/plugins/modules', > u'/usr/share/ansible/plugins/modules'] > ansible python module location = /usr/lib/python2.7/site-packages/ansible > executable location = /usr/bin/ansible > python version = 2.7.13 (default, Jan 11 2017, 10:56:06) [GCC] > > *oscheck.ym*l > --- > - hosts: target > become: true > become_method: sudo > gather_facts: no > vars_files: > - "/home/ansible/playbooks/target.yml" > > */etc/ansible/ansible.cfg* > # If set, configures the path to the Vault password file as an alternative > to > # specifying --vault-password-file on the command line. > vault_password_file = /home/ansible/playbooks/target.pass > > *Procedure to re-produce the issue* > vi target.yml > ansible_user: ansible > ansible_ssh_pass: > ansible_become_pass: > touch target.pass > ansible-vault encrypt target.pass > Enter the Vault password : > Confirm New Vault password : > ansible-vault encrypt target.yml --vault-password-file=target.pass > > At this point : Error : > [WARNING]: Error in vault password file loading (default): A vault > password must be specified to decrypt data > > ERROR! A vault password must be specified to decrypt data > > Even tried the below command, but still no luck. > > ansible-vault encrypt /home/ansible/playbooks/target.yml > --vault-password-file=/home/ansible/playbooks/target.pass > > From, > Vino.B > -- You received this message because you are subscribed to the Google Groups "Ansible Development" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-devel+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[ansible-devel] [WARNING]: Error in vault password file loading (default)
Hi All, Request you help, after upgrade ansible to 2.6 -devel the password vault is not working as expected, and getting the below error, before the upgrade it was working fine without any issues. *ansible-playbook /home/ansible/playbooks/oscheck.yml --syntax-check* [WARNING]: Error in vault password file loading (default): A vault password must be specified to decrypt data ERROR! A vault password must be specified to decrypt data *ansible --version* ansible 2.6.0 config file = /etc/ansible/ansible.cfg configured module search path = [u'/home/ansible/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules'] ansible python module location = /usr/lib/python2.7/site-packages/ansible executable location = /usr/bin/ansible python version = 2.7.13 (default, Jan 11 2017, 10:56:06) [GCC] *oscheck.ym*l --- - hosts: target become: true become_method: sudo gather_facts: no vars_files: - "/home/ansible/playbooks/target.yml" */etc/ansible/ansible.cfg* # If set, configures the path to the Vault password file as an alternative to # specifying --vault-password-file on the command line. vault_password_file = /home/ansible/playbooks/target.pass *Procedure to re-produce the issue* vi target.yml ansible_user: ansible ansible_ssh_pass: ansible_become_pass: touch target.pass ansible-vault encrypt target.pass Enter the Vault password : Confirm New Vault password : ansible-vault encrypt target.yml --vault-password-file=target.pass At this point : Error : [WARNING]: Error in vault password file loading (default): A vault password must be specified to decrypt data ERROR! A vault password must be specified to decrypt data Even tried the below command, but still no luck. ansible-vault encrypt /home/ansible/playbooks/target.yml --vault-password-file=/home/ansible/playbooks/target.pass From, Vino.B -- You received this message because you are subscribed to the Google Groups "Ansible Development" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-devel+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
