--ask-vault-pass set but still got: A vault password must be specified to decrypt data #6820

Closed
discordianfish opened this issue Apr 2, 2014 · 15 comments
Labels
bug This issue/PR relates to a bug.

Comments

@discordianfish
Contributor

Issue Type:

Bug report

Ansible Version:

ansible 1.6 (devel fe88fcb) last updated 2014/04/02 17:33:35 (GMT +200)

Environment:

Host running ubuntu saucy, managed systems running ubuntu precise.

Summary:

I have 3 files in group_vars/: all, prod and test. They are all encrypted by ansible-vault and using the same password. Everything else is plain text/not encrypted.

I'm running the playbook like this:

ansible-playbook -i ansible_hosts playbook.yml --ask-vault-pass

The playbook has 3 plays. One for group 'test', and two for specific hosts. The first two plays run fine, although they already depend on encrypted group variables. But the last one dies with:

TASK: [prometheus | create prometheus config] ********************************* 
fatal: [<removed>] => {'msg': 'A vault password must be specified to decrypt data', 'failed': True}
fatal: [<removed>] => {'msg': 'A vault password must be specified to decrypt data', 'failed': True}

FATAL: all hosts have already failed -- aborting

The task is straightforward:

  - name: create prometheus config
    template: src=prometheus.conf.j2 dest=/tmp/prometheus.conf
    when: inspect_data|failed

And the only template logic in prometheus.conf.j2 is:

{% for host in groups['all'] %}
  target: "http://{{ hostvars[host].ansible_ssh_host }}:{{prometheus.node_exporter_port}}/metrics" 
{% endfor %}

Steps To Reproduce:

Expected Results:

Actual Results:

@mpdehaan
Contributor

mpdehaan commented Apr 2, 2014

Can you share as much as you can about a minimal setup to reproduce this problem, perhaps in a github gist?

Thanks!

@jctanner
Contributor

jctanner commented Apr 2, 2014

@discordianfish I am not able to reproduce this based on your description. I do notice that your task is prefixed by a role name, so could you please show the output from "tree ." in your playbook directory?

@discordianfish
Contributor Author

@jctanner Here is the tree output with the role in question. And a small correction: I also have two host_vars/ files that are encrypted and part of the 'prod' group.

@mpdehaan I'll try to come up with a minimal example if I find time tomorrow.

├── ansible_hosts
├── group_vars
│   ├── all [encrypted]
│   ├── prod [encrypted]
│   └── test [encrypted]
├── host_vars
│   ├── <host-a-in-group-prod> [encrypted]
│   └── <host-b-in-group-prod> [encrypted]
├── playbook.yml
└── roles
...
    ├── prometheus
    │   ├── files
    │   │   └── prometheus.rules
    │   ├── tasks
    │   │   └── main.yml
    │   └── templates
    │       └── prometheus.conf.j2

@discordianfish
Contributor Author

Okay, here is a minimal example: http://5pi.de/ansible-issue-6820-playbook.tar.gz
The only encrypted file is group_vars/all and the password is foobar23 (but the only content is 'ansible_ssh_user: ops').
If you remove one of the hosts from ansible_hosts it works again shrug. Here is a tree output if it helps:

.
├── ansible_hosts
├── conf.j2
├── group_vars
│   └── all
└── site.yml

@johanmeiring

I picked up the same problem this morning. It almost exactly matches @discordianfish's issue. The pattern that I've identified is that using hostvars in a template does not work properly when at least one group_vars file is encrypted.

Here is my template loop:

{% for host in groups['all'] %}
{{ hostvars[host]['ansible_default_ipv4']['address'] }}  {{ hostvars[host]['ansible_fqdn'] }}  {{ hostvars[host]['ansible_hostname'] }}
{% endfor %}

One of my files in group_vars/ is encrypted. If I unencrypt the file, everything works perfectly.

@discordianfish
Contributor Author

@mpdehaan / @jctanner Could we raise the severity? This makes ansible-vault completely useless.

@jctanner
Contributor

jctanner commented Apr 4, 2014

Reproduced via the tarball files. Debugging now.

@jctanner
Contributor

jctanner commented Apr 4, 2014

@discordianfish and @johanmeiring this should be fixed in devel now. Please let me know otherwise.

@discordianfish
Contributor Author

Now I'm getting: {'msg': "One or more undefined variables: 'dict object' has no attribute 'ansible_ssh_host'", 'failed': True} although not sure if related. Will check tomorrow.

@jctanner
Contributor

jctanner commented Apr 4, 2014

@discordianfish The only change I made to the files in your tarball was to the inventory file:

$ cat ansible_hosts 
[test]
test01 ansible_ssh_host=127.0.0.2
test02 ansible_ssh_host=127.0.0.3

And the result is ...

$ ansible-playbook -v -i ansible_hosts site.yml --ask-vault-pass
Vault password: 

PLAY [test01] ***************************************************************** 

GATHERING FACTS *************************************************************** 
ok: [test01]

TASK: [create config] ********************************************************* 
changed: [test01] => {"changed": true, "dest": "/tmp/conf", "gid": 0, "group": "root", "md5sum": "17437e42d7df3d68f9f3c0a3b41e8ba2", "mode": "0600", "owner": "root", "size": 32, "src": "/root/.ansible/tmp/ansible-tmp-1396641976.77-155139643866191/source", "state": "file", "uid": 0}

PLAY RECAP ******************************************************************** 
test01                     : ok=2    changed=1    unreachable=0    failed=0

@twidi

twidi commented Apr 4, 2014

I had this problem a few days ago, trying to get vars from a host for which facts were not yet read.

To resolve this, I added a pretask to gather facts for all hosts.

@discordianfish
Contributor Author

@jctanner Never mind, this was unrelated (a "host" in my ansible_hosts had really no ansible_ssh_host), so all good!
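
A pre-flight check for the situation described in the last few comments, where a template loops over groups['all'] and one inventory host has no ansible_ssh_host (an added example, not code from this thread or from Ansible). The function name and sample inventory are hypothetical; it only reads the INI inventory text, so variables set in group_vars/ or host_vars/ files and [group:children] inheritance are not considered.

```python
import shlex

# Constructed sample inventory in the INI style shown in this thread.
SAMPLE = """\
[test]
test01 ansible_ssh_host=127.0.0.2
test02 ansible_ssh_host=127.0.0.3
test03

[prod]
db01

[prod:vars]
ansible_ssh_host=10.0.0.5
"""

def hosts_missing_var(inventory_text, var="ansible_ssh_host"):
    """Return sorted hosts that get `var` from neither their host line nor a [group:vars] section."""
    host_vars, group_hosts, group_vars = {}, {}, {}
    section, kind = "ungrouped", "hosts"
    for raw in inventory_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#' always starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, _, suffix = line[1:-1].partition(":")
            kind = suffix or "hosts"
            continue
        if kind == "vars":
            group_vars.setdefault(section, set()).add(line.split("=", 1)[0].strip())
        elif kind == "hosts":
            tokens = shlex.split(line)
            defined = {t.split("=", 1)[0] for t in tokens[1:] if "=" in t}
            host_vars.setdefault(tokens[0], set()).update(defined)
            group_hosts.setdefault(section, set()).add(tokens[0])
        # [group:children] sections are skipped in this sketch
    missing = []
    for host, defined in host_vars.items():
        inherited = set(group_vars.get("all", set()))
        for group, members in group_hosts.items():
            if host in members:
                inherited |= group_vars.get(group, set())
        if var not in defined | inherited:
            missing.append(host)
    return sorted(missing)

if __name__ == "__main__":
    print(hosts_missing_var(SAMPLE))
```
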

@jbristow0

I'm having this problem. Running ansible-playbook version 1.8.2 on Linux Mint 17. What version was it supposed to be fixed in?

@richard-scott

I'm still having issues with v2.0.0.2-2 on Ubuntu 16.04. The 'ansible-vault' command works perfectly, but ansible-playbook always produces this error:

TASK [Get git credentials] *****************************************************
fatal: [172.22.2.93]: FAILED! => {"failed": true, "msg": "ERROR! Decryption failed"}

I've tried it with both --ask-vault-pass AND --vault-password-file and both fail to work for me ;-(

@richard-scott

I've found my issue: Ansible Vault is not usable when you require output to be unbuffered.

For example:

$ unbuffer ansible-playbook --vault-password-file ~/.vault_pass.txt -vv create.ansible.yml | tee ~/output.log 

I do this so my logs have colour in them :-)

Obviously in the playbook I have an 'include_vars: vault.yml' type line to include my vault data.

If I remove the unbuffer command things run smoothly and vault data is usable.

@ansibot ansibot added bug This issue/PR relates to a bug. and removed bug_report labels Mar 6, 2018
@ansible ansible locked and limited conversation to collaborators Apr 24, 2019