exhaust list of vault ids before failing

changelogs/fragments/75540-warn-invalid-configured-vault-secret-files.yaml

@@ -0,0 +1,2 @@
+bugfixes:
+  - vault - Warn instead of fail for missing vault IDs if at least one valid vault secret is found.

lib/ansible/cli/__init__.py

@@ -175,6 +175,7 @@ def setup_vault_secrets(loader, vault_ids, vault_password_files=None,
                                         create_new_password,
                                         auto_prompt=auto_prompt)
 
+        last_exception = found_vault_secret = None
         for vault_id_slug in vault_ids:
             vault_id_name, vault_id_value = CLI.split_vault_id(vault_id_slug)
             if vault_id_value in ['prompt', 'prompt_ask_vault_pass']:
@@ -198,6 +199,7 @@ def setup_vault_secrets(loader, vault_ids, vault_password_files=None,
                     display.warning('Error in vault password prompt (%s): %s' % (vault_id_name, exc))
                     raise
 
+                found_vault_secret = True
                 vault_secrets.append((built_vault_id, prompted_vault_secret))
 
                 # update loader with new secrets incrementally, so we can load a vault password
@@ -208,17 +210,23 @@ def setup_vault_secrets(loader, vault_ids, vault_password_files=None,
             # assuming anything else is a password file
             display.vvvvv('Reading vault password file: %s' % vault_id_value)
             # read vault_pass from a file
-            file_vault_secret = get_file_vault_secret(filename=vault_id_value,
-                                                      vault_id=vault_id_name,
-                                                      loader=loader)
+            try:
+                file_vault_secret = get_file_vault_secret(filename=vault_id_value,
+                                                          vault_id=vault_id_name,
+                                                          loader=loader)
+            except AnsibleError as exc:
+                display.warning('Error getting vault password file (%s): %s' % (vault_id_name, to_text(exc)))
+                last_exception = exc
+                continue
 
-            # an invalid password file will error globally
             try:
                 file_vault_secret.load()
             except AnsibleError as exc:
                 display.warning('Error in vault password file loading (%s): %s' % (vault_id_name, to_text(exc)))
-                raise
+                last_exception = exc
+                continue
 
+            found_vault_secret = True
             if vault_id_name:
                 vault_secrets.append((vault_id_name, file_vault_secret))
             else:
@@ -227,6 +235,11 @@ def setup_vault_secrets(loader, vault_ids, vault_password_files=None,
             # update loader with as-yet-known vault secrets
             loader.set_vault_secrets(vault_secrets)
 
+        # An invalid or missing password file will error globally
+        # if no valid vault secret was found.
+        if last_exception and not found_vault_secret:
+            raise last_exception
+
         return vault_secrets
 
     @staticmethod

test/integration/targets/ansible-vault/runme.sh

@@ -521,4 +521,29 @@ ansible-playbook -i ../../inventory -v "$@" --vault-password-file vault-password
 # Ensure we don't leave unencrypted temp files dangling
 ansible-playbook -v "$@" --vault-password-file vault-password test_dangling_temp.yml
 
-ansible-playbook "$@" --vault-password-file vault-password single_vault_as_string.yml
+ansible-playbook "$@" --vault-password-file vault-password single_vault_as_string.yml
+
+# Test that only one accessible vault password is required
+export ANSIBLE_VAULT_IDENTITY_LIST="id1@./nonexistent, id2@${MYTMPDIR}/unreadable, id3@./vault-password"
+
+touch "${MYTMPDIR}/unreadable"
+sudo chmod 000 "${MYTMPDIR}/unreadable"
+
+ansible-vault encrypt_string content
+ansible-vault encrypt_string content --encrypt-vault-id id3
+
+set +e
+
+# Try to use a missing vault password file
+ansible-vault encrypt_string content --encrypt-vault-id id1 2>&1 | tee out.txt
+test $? -ne 0
+grep out.txt -e '[WARNING]: Error getting vault password file (id1)'
+grep out.txt -e "ERROR! Did not find a match for --encrypt-vault-id=id2 in the known vault-ids ['id3']"
+
+# Try to use an inaccessible vault password file
+ansible-vault encrypt_string content --encrypt-vault-id id2 2>&1 | tee out.txt
+test $? -ne 0
+grep out.txt -e "[WARNING]: Error in vault password file loading (id2)"
+grep out.txt -e "ERROR! Did not find a match for --encrypt-vault-id=id2 in the known vault-ids ['id3']"
+
+set -e