Re: [ansible-devel] [WARNING]: Error in vault password file loading (default)

2018-03-22 Thread Adrian Likins
I'll need output from the ansible-vault and ansible-playbook commands with
the '-v'
verbosity option added to tell you much more.

"Playbook gets executed successfully with providing the vault password
file nor the prompt for a vault password and both the files target.pass
and target.yml are encrypted."

Not sure I'm able to parse that. Does that mean:
- 'ansible-vault --vault-password-file=target.pass --tags kernel
/home/ansible/playbooks/oscheck.yml' works?

If target.pass is vault encrypted, how are you providing the vault password
used to decrypt it?

For the quoted example:

*openssl rand -base64 2048 > target.pass*
*ansible-vault encrypt target.yml --vault-password-file=target.pass*

target.pass is not encrypted (by vault or otherwise)
(is there a step missing where target.pass is encrypted?)


On Tue, Mar 20, 2018 at 12:02 AM, Vino B  wrote:

> Hi Adrian,
>
>   I followed the below steps and it is working, so can you please suggest
> whether we can use the below procedure or do we have any other good
> procedure.
>
> *Procedure:*
> *cd /home/ansible/.ansible*
> *vi target.yml*
>   ansible_user: ansible
>   ansible_ssh_pass: test123
>   ansible_become_pass: test123
> *:wq*
>
> *openssl rand -base64 2048 > target.pass*
> *ansible-vault encrypt target.yml --vault-password-file=target.pass*
>
> *Execute the play book :* *ansible-playbook
> /home/ansible/playbooks/oscheck.yml --tags kernel *
>
> Playbook gets executed successfully with providing the vault password
> file nor the prompt for a vault password and both the files target.pass
> and target.yml are encrypted.
>
>
> From,
> Vino.B
>
>
>
>
> On Monday, March 19, 2018 at 10:59:49 PM UTC+8, Adrian Likins wrote:
>>
>> responses inline
>>
>>
>> On Mon, Mar 19, 2018 at 1:34 AM, Vino B  wrote:
>>
>>> Hi All,
>>>
>>> Request your help, after upgrade ansible to 2.6 -devel the password
>>> vault is not working as expected, and getting the below error, before the
>>> upgrade it was working fine without any issues.
>>>
>>> *ansible-playbook /home/ansible/playbooks/oscheck.yml --syntax-check*
>>>
>>>  [WARNING]: Error in vault password file loading (default): A vault
>>> password must be specified to decrypt data
>>>
>>> ERROR! A vault password must be specified to decrypt data
>>> *oscheck.yml*
>>>
>>
>>
>>> */etc/ansible/ansible.cfg*
>>> # If set, configures the path to the Vault password file as an
>>> alternative to
>>> # specifying --vault-password-file on the command line.
>>> vault_password_file = /home/ansible/playbooks/target.pass
>>>
>>> *Procedure to re-produce the issue*
>>> vi target.yml
>>> ansible_user: ansible
>>> ansible_ssh_pass: 
>>> ansible_become_pass: 
>>> touch target.pass
>>> ansible-vault encrypt target.pass
>>> Enter the Vault password : 
>>> Confirm New Vault password : 
>>> ansible-vault encrypt target.yml --vault-password-file=target.pass
>>>
>>> At this point : Error :
>>>  [WARNING]: Error in vault password file loading (default): A vault
>>> password must be specified to decrypt data
>>>
>>> ERROR! A vault password must be specified to decrypt data
>>>
>>>
>> vault_password_file = /home/ansible/playbooks/target.pass
>> 'target.pass' is the file containing the vault password.
>>
>> >touch target.pass
>> >ansible-vault encrypt target.pass
>> > Enter the Vault password : 
>>
>> Not sure I understand this step. This will create an empty 'target.pass'
>> and
>> 'ansible-vault encrypt target.pass' will encrypt it with whatever
>>  is.
>>
>> That means:
>>
>> 1) To use the contents of target.pass as the vault password for a
>> playbook, then
>> you also need to provide the vault password to decrypt target.pass
>> (whatever 
>> was).
>>
>> *You can't use the plaintext content of target.pass to decrypt itself. *
>>
>> You could use another different password to encrypt/decrypt the vault
>> password file however.
>>
>> 2) If you do provide a secondary password to decrypt the 'target.pass'
>> vault password file, if its
>> plaintext content is empty it will cause an error. There is a check that
>> doesn't allow empty vault passwords.
>>
>>
>> Normal use is that target.pass is not empty and not encrypted, and its
>> contents are used as the vault password
>> for vault content in playbooks.  ie, typically the vault password file is
>> not encrypted itself. One or more vault password
>> files can be encrypted, but it's not the typical usage.
>>
>> If target.pass is not empty, and it has been encrypted with
>> , you can use the vault
>> encrypted vault password file, but you have to provide the vault password
>> for target.pass 
>> first.
>>
>> For ex, assuming oscheck.yml uses vault content encrypted with the vault
>> password in the plaintext of target.pass
>> and target.pass is encrypted with the password 'hunter42':
>>
>>
>>  $ ansible-playbook  --vault-id @prompt --vault-id target.pass
>> /home/ansible/playbooks/oscheck.yml
>>  Vault password (default): #enter the 

Re: [ansible-devel] [WARNING]: Error in vault password file loading (default)

2018-03-19 Thread Vino B
Hi Adrian,

Thank you, please correct me if I am wrong,

The vault password file(target.pass) should not be empty and should not be
encrypted.

The file target.yml which contains the below details should be encrypted.
ansible_user: ansible
ansible_ssh_pass: test
ansible_become_pass: test

The password used to encrypt the file target.yml "test" should be the same
in the file target.pass.

As we cannot use plain text in the file target.pass, we have to encrypt the
string "test" using ansible-vault encrypt_string and copy the output to the
file target.pass.

From,
Vino.B


On Mon, 19 Mar 2018, 10:59 PM Adrian Likins  wrote:

> responses inline
>
> On Mon, Mar 19, 2018 at 1:34 AM, Vino B  wrote:
>
>> Hi All,
>>
>> Request your help, after upgrade ansible to 2.6 -devel the password
>> vault is not working as expected, and getting the below error, before the
>> upgrade it was working fine without any issues.
>>
>> *ansible-playbook /home/ansible/playbooks/oscheck.yml --syntax-check*
>>
>>  [WARNING]: Error in vault password file loading (default): A vault
>> password must be specified to decrypt data
>>
>> ERROR! A vault password must be specified to decrypt data
>> *oscheck.yml*
>>
>
>
>> */etc/ansible/ansible.cfg*
>> # If set, configures the path to the Vault password file as an
>> alternative to
>> # specifying --vault-password-file on the command line.
>> vault_password_file = /home/ansible/playbooks/target.pass
>>
>> *Procedure to re-produce the issue*
>> vi target.yml
>> ansible_user: ansible
>> ansible_ssh_pass: 
>> ansible_become_pass: 
>> touch target.pass
>> ansible-vault encrypt target.pass
>> Enter the Vault password : 
>> Confirm New Vault password : 
>> ansible-vault encrypt target.yml --vault-password-file=target.pass
>>
>> At this point : Error :
>>  [WARNING]: Error in vault password file loading (default): A vault
>> password must be specified to decrypt data
>>
>> ERROR! A vault password must be specified to decrypt data
>>
>>
> vault_password_file = /home/ansible/playbooks/target.pass
> 'target.pass' is the file containing the vault password.
>
> >touch target.pass
> >ansible-vault encrypt target.pass
> > Enter the Vault password : 
>
> Not sure I understand this step. This will create an empty 'target.pass'
> and
> 'ansible-vault encrypt target.pass' will encrypt it with whatever
>  is.
>
> That means:
>
> 1) To use the contents of target.pass as the vault password for a
> playbook, then
> you also need to provide the vault password to decrypt target.pass
> (whatever 
> was).
>
> *You can't use the plaintext content of target.pass to decrypt itself. *
>
> You could use another different password to encrypt/decrypt the vault
> password file however.
>
> 2) If you do provide a secondary password to decrypt the 'target.pass'
> vault password file, if its
> plaintext content is empty it will cause an error. There is a check that
> doesn't allow empty vault passwords.
>
>
> Normal use is that target.pass is not empty and not encrypted, and its
> contents are used as the vault password
> for vault content in playbooks.  ie, typically the vault password file is
> not encrypted itself. One or more vault password
> files can be encrypted, but it's not the typical usage.
>
> If target.pass is not empty, and it has been encrypted with
> , you can use the vault
> encrypted vault password file, but you have to provide the vault password
> for target.pass 
> first.
>
> For ex, assuming oscheck.yml uses vault content encrypted with the vault
> password in the plaintext of target.pass
> and target.pass is encrypted with the password 'hunter42':
>
>
>  $ ansible-playbook  --vault-id @prompt --vault-id target.pass 
> /home/ansible/playbooks/oscheck.yml
>
>  Vault password (default): #enter the password for target.pass
> here, ie hunter42
>
> That will let target.pass be decrypted by using the password
> 'hunter42' and then the plaintext contents
> of target.pass will be added as another vault password that can be used to
> decrypt vault content in the playbook.
>
>
>
>> Even tried the below command, but still no luck.
>>
>> ansible-vault encrypt /home/ansible/playbooks/target.yml
>> --vault-password-file=/home/ansible/playbooks/target.pass
>>
>
>
> The encrypt case is more complicated. Since you can only encrypt with one
> vault password, you need to make sure:
>
> 1) Only one vault password is provided  (including vault ids and passwords
> set via configuration)
>
> 2) You specify which vault password to use for encryption with the
> '--encrypt-vault-id' param.
>
>  $ ansible-vault encrypt --encrypt-vault-id
> /home/ansible/playbooks/target.pass /home/ansible/playbooks/target.yml
>
> Note: If target.pass is encrypted, you _also_ have to provide the vault
> password used to decrypt it before it can be
>  used to encrypt. There was a bug related to that that I
> believe is fixed now, but will verify.
>
>
>


Re: [ansible-devel] [WARNING]: Error in vault password file loading (default)

2018-03-19 Thread Adrian Likins
responses inline

On Mon, Mar 19, 2018 at 1:34 AM, Vino B  wrote:

> Hi All,
>
> Request your help, after upgrade ansible to 2.6 -devel the password
> vault is not working as expected, and getting the below error, before the
> upgrade it was working fine without any issues.
>
> *ansible-playbook /home/ansible/playbooks/oscheck.yml --syntax-check*
>
>  [WARNING]: Error in vault password file loading (default): A vault
> password must be specified to decrypt data
>
> ERROR! A vault password must be specified to decrypt data
> *oscheck.yml*
>


> */etc/ansible/ansible.cfg*
> # If set, configures the path to the Vault password file as an alternative
> to
> # specifying --vault-password-file on the command line.
> vault_password_file = /home/ansible/playbooks/target.pass
>
> *Procedure to re-produce the issue*
> vi target.yml
> ansible_user: ansible
> ansible_ssh_pass: 
> ansible_become_pass: 
> touch target.pass
> ansible-vault encrypt target.pass
> Enter the Vault password : 
> Confirm New Vault password : 
> ansible-vault encrypt target.yml --vault-password-file=target.pass
>
> At this point : Error :
>  [WARNING]: Error in vault password file loading (default): A vault
> password must be specified to decrypt data
>
> ERROR! A vault password must be specified to decrypt data
>
>
vault_password_file = /home/ansible/playbooks/target.pass
'target.pass' is the file containing the vault password.

>touch target.pass
>ansible-vault encrypt target.pass
> Enter the Vault password : 

Not sure I understand this step. This will create an empty 'target.pass' and
'ansible-vault encrypt target.pass' will encrypt it with whatever
 is.

That means:

1) To use the contents of target.pass as the vault password for a playbook,
then
you also need to provide the vault password to decrypt target.pass
(whatever 
was).

*You can't use the plaintext content of target.pass to decrypt itself. *

You could use another different password to encrypt/decrypt the vault
password file however.

2) If you do provide a secondary password to decrypt the 'target.pass'
vault password file, if its
plaintext content is empty it will cause an error. There is a check that
doesn't allow empty vault passwords.


Normal use is that target.pass is not empty and not encrypted, and its
contents are used as the vault password
for vault content in playbooks.  ie, typically the vault password file is
not encrypted itself. One or more vault password
files can be encrypted, but it's not the typical usage.

If target.pass is not empty, and it has been encrypted with
, you can use the vault
encrypted vault password file, but you have to provide the vault password
for target.pass 
first.

For ex, assuming oscheck.yml uses vault content encrypted with the vault
password in the plaintext of target.pass
and target.pass is encrypted with the password 'hunter42':


 $ ansible-playbook --vault-id @prompt --vault-id target.pass /home/ansible/playbooks/oscheck.yml
 Vault password (default): #enter the password for target.pass here, ie hunter42

That will let target.pass be decrypted by using the password 'hunter42'
and then the plaintext contents
of target.pass will be added as another vault password that can be used to
decrypt vault content in the playbook.



> Even tried the below command, but still no luck.
>
> ansible-vault encrypt /home/ansible/playbooks/target.yml
> --vault-password-file=/home/ansible/playbooks/target.pass
>


The encrypt case is more complicated. Since you can only encrypt with one
vault password, you need to make sure:

1) Only one vault password is provided  (including vault ids and passwords
set via configuration)

2) You specify which vault password to use for encryption with the
'--encrypt-vault-id' param.

 $ ansible-vault encrypt --encrypt-vault-id /home/ansible/playbooks/target.pass /home/ansible/playbooks/target.yml

   Note: If target.pass is encrypted, you _also_ have to provide the vault
password used to decrypt it before it can be
 used to encrypt. There was a bug related to that that I
believe is fixed now, but will verify.

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-devel+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
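
A preflight check for the two conditions discussed in the reply above (a vault password file that is empty, or that has itself been vault-encrypted), as an added example that is not part of the thread or of Ansible's own code. The function name, finding strings and sample files are assumptions constructed here, and the permission checks go beyond what the thread covers.

```python
import os
import stat
import tempfile

VAULT_HEADER = b"$ANSIBLE_VAULT;"  # every vault-encrypted file starts with this


def check_vault_password_file(path):
    """Return reasons `path` will not behave as a plain vault password file."""
    findings = []
    mode = os.stat(path).st_mode
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(VAULT_HEADER):
        # The thread's failure: the password file went through
        # `ansible-vault encrypt`, so another password is needed to read it.
        findings.append("vault-encrypted")
    elif not data.strip():
        findings.append("empty")  # empty vault passwords are rejected
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        # Ansible runs an executable password file as a script and uses stdout
        findings.append("executable")
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group/other")
    return findings


def demo():
    """Build constructed sample files and return the findings for each."""
    samples = {
        # name: (contents, mode); all values are constructed for illustration
        "good.pass": (b"constructed-sample-password\n", 0o600),
        "empty.pass": (b"", 0o600),
        "encrypted.pass": (b"$ANSIBLE_VAULT;1.1;AES256\n36663735\n", 0o644),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (contents, mode) in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(contents)
            os.chmod(path, mode)
            results[name] = check_vault_password_file(path)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "ok")
```
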


[ansible-devel] [WARNING]: Error in vault password file loading (default)

2018-03-18 Thread Vino B
Hi All,

   Request your help, after upgrade ansible to 2.6 -devel the password vault 
is not working as expected, and getting the below error, before the upgrade 
it was working fine without any issues.

*ansible-playbook /home/ansible/playbooks/oscheck.yml --syntax-check*

 [WARNING]: Error in vault password file loading (default): A vault 
password must be specified to decrypt data

ERROR! A vault password must be specified to decrypt data

*ansible --version*
ansible 2.6.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = 
[u'/home/ansible/.ansible/plugins/modules', 
u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.13 (default, Jan 11 2017, 10:56:06) [GCC]

*oscheck.yml*
---
- hosts: target
  become: true
  become_method: sudo
  gather_facts: no
  vars_files:
  - "/home/ansible/playbooks/target.yml"

*/etc/ansible/ansible.cfg*
# If set, configures the path to the Vault password file as an alternative 
to
# specifying --vault-password-file on the command line.
vault_password_file = /home/ansible/playbooks/target.pass

*Procedure to re-produce the issue*
vi target.yml
ansible_user: ansible
ansible_ssh_pass: 
ansible_become_pass: 
touch target.pass
ansible-vault encrypt target.pass
Enter the Vault password : 
Confirm New Vault password : 
ansible-vault encrypt target.yml --vault-password-file=target.pass

At this point : Error : 
 [WARNING]: Error in vault password file loading (default): A vault 
password must be specified to decrypt data

ERROR! A vault password must be specified to decrypt data

Even tried the below command, but still no luck.

ansible-vault encrypt /home/ansible/playbooks/target.yml 
--vault-password-file=/home/ansible/playbooks/target.pass

From,
Vino.B
