Ansible Vault Password File Not Being Found

[bdlamprecht]

I had a "basic" installation of Ansible 2.4.0 installed on a VM which I did all of my development for a proof-of-concept on.

Now, I'm trying to move that proof-of-concept environment into a docker container, but am running into issues when using ansible-silo with ansible-vault. Is that a supported feature?

Let me explain my setup a little further. I have some files which I encrypted that my "basic" ansible setup was able to read due to an environment variable called ANSIBLE_VAULT_PASSWORD_FILE which contained the path to a file that contained the password used to decrypt those files.

Now, after "upgrading" to use ansible-silo and running my playbook, I get the following error:

ERROR! The vault password file /home/[USERNAME]/.ansible_vault_pass was not found

But when I execute the command cat home/[USERNAME]/.ansible_vault_pass, it does in fact exist.

Assuming the problem was that the "data" that ansible-silo uses is now the one created by the installation command (defaulting to silo.[USERNAME]), so I found the location of the volume on my VM (discovered by issuing the command docker volume inspect silo.[USERNAME]) and copied the file .ansible_vault_pass to the /_data/ directory of that volume.

Then I changed the existing envrionment variable ANSIBLE_VAULT_PASSWORD_FILE to be just .ansible_vault_pass instead of /home/[USERNAME]/.ansible_vault_pass and ran it again.

However, the error that I'm getting now is the following:

ERROR! The vault password file /home/user/playbooks/.ansible_vault_pass was not found

I'm not sure where the directory /home/user/playbooks/ is located or if I'm going about this in the entirely wrong fashion?

I'd appreciate any help in solving this or providing an alterntive way to accomplish what I'm trying to do from individuals who designed the internal workings of ansible-silo (Thanks for creating it, BTW).

[udondan]

Thanks for the report. We'll add support for the ANSIBLE_VAULT_PASSWORD_FILE env var in the next version. The var is forwarded to the container, but the password file is not available inside.

In the meantime you can create a file ~/.ansible-silo or /etc/ansible/ansible-silo/ansible-silo with the following content:

silo_forward_vault_password_file() {
  local vault_password_dir return=""
  if [[ ! -z "${ANSIBLE_VAULT_PASSWORD_FILE}" ]]; then
    vault_password_dir="$(dirname "${ANSIBLE_VAULT_PASSWORD_FILE}")"
    return+="--volume \"${vault_password_dir}\":\"/tmp/${vault_password_dir}:ro\" "
    return+="--env ANSIBLE_VAULT_PASSWORD_FILE='/tmp/${ANSIBLE_VAULT_PASSWORD_FILE}'"
    echo "${return}"
  fi
}

This will mount the location of your password file as a volume into the container and rewrites ANSIBLE_VAULT_PASSWORD_FILE to point to that mounted directory.

You can read here about how Silo extensions like this work.

Let me know if you have further issues with this.

[udondan]

Github closed this automatically due to #43. Reopening until next version is out.

[bdlamprecht]

Yeah, adding that file to my home directory solved the problem. Thanks again for the quick resolution.

[udondan]

Finally a new Silo release is out which includes above snippet. When using Silo v2.0.4 you can remove the ~/.ansible-silo file.

[bdlamprecht]

Yeah, the new release seems to work fine. Appreciate you fixing this for me.

…

On Mon, Jan 8, 2018 at 7:28 AM, Daniel Schroeder ***@***.***> wrote: Closed #41 <#41>. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#41 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AHbDii8Qq55L_7VjTZjbwgVNDUfl3Epvks5tIiX0gaJpZM4Q3Cpm> .