The ansible provisioner no longer prompts for the vault password when using ansible 2.4.0.0 with ask_vault_pass set to true. #9033

Closed
IanCaunce opened this issue Oct 5, 2017 · 3 comments

Comments

@IanCaunce

The ansible provisioner no longer prompts for the vault password when using ansible 2.4.0.0 with ask_vault_pass set to true.

Vagrant exits with the error:

ERROR! Attempting to decrypt but no vault secrets found
Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.

After some googling I found this Stack Overflow post.

Tested using vagrant version 1.9.1, 1.9.5 and 2.0.0.
Host OS: Ubuntu 16.04
Kernel: 4.10.0-35-generic
Guest OS: ubuntu/xenial64

Expected Behaviour:

Vagrant should prompt the user for the vault password.

Actual Behaviour:

Vagrant doesn't prompt the user and exits.

Vagrant File

Vagrant.configure(2) do |config|

    box_name = "my-box-name"

    config.vm.define box_name
    config.vm.hostname = box_name

    config.vm.provider "virtualbox" do |v|
        v.name = box_name
        v.memory = 1024
    end

    config.vm.box = "ubuntu/xenial64"

    config.vm.network "forwarded_port", guest: 80, host: 8080
    config.vm.network "forwarded_port", guest: 3306, host: 3306

    config.ssh.forward_agent = true

    config.vm.synced_folder ".", "/vagrant", owner: "ubuntu", group: "www-data", mount_options: ["dmode=775", "fmode=664"]

    config.vm.provision "ansible" do |ansible|
        ansible.extra_vars = {
            ansible_python_interpreter: "/usr/bin/python3"
        }
        ansible.ask_vault_pass = true
        ansible.inventory_path = "provisions/hosts"
        ansible.galaxy_role_file = "provisions/requirements.yml"
        ansible.galaxy_roles_path = "provisions/roles/vendor"
        ansible.playbook = "provisions/playbook.yml"
    end
end
@gildegoma
Collaborator

@IanCaunce Thank you for reporting this. As you mentioned, this problem is caused by a change in Ansible 2.4, not in Vagrant.

I am quite unsure that anything can be done in Vagrant itself (see the similar story in #2924, about the impossibility of handling non-private variable prompts).

This must be reported to the Ansible project. I suspect that ansible/ansible#30993 is related to the same change (removal of getpass.getpass usage for the interactive password prompt).

See also more details here: https://stackoverflow.com/a/46477011

@IanCaunce
Author

After reading that Stack Overflow post I thought that was the case, but wanted to report it here just in case a fix could be applied in Vagrant to support Ansible's new logic.

Thanks for the feedback!

alikins added a commit to ansible/ansible that referenced this issue Nov 15, 2017
* Fix vault --ask-vault-pass with no tty

2.4.0 added a check for isatty() that would skip setting up interactive
vault password prompts if not running on a tty.

But... getpass.getpass() will fall back to reading from stdin if
it gets that far without a tty. Since 2.4.0 skipped the interactive
prompts / getpass.getpass() in that case, it would never get a chance
to fall back to stdin.

So if 'echo $VAULT_PASSWORD| ansible-playbook --ask-vault-pass site.yml'
was run without a tty (i.e., from a jenkins job or via the vagrant
ansible provisioner) the 2.4 behavior was different than 2.3. 2.4
would never read the password from stdin, resulting in a vault password
error like:

        ERROR! Attempting to decrypt but no vault secrets found

Fix is just to always call the interactive password prompts based
on getpass.getpass() on --ask-vault-pass or --vault-id @prompt and
let getpass sort it out.

* up test_prompt_no_tty to expect prompt with no tty

We do call the PromptSecret class if there is no tty, but
we are back to expecting it to read from stdin in that case.

* Fix logic for when to auto-prompt vault pass

If --ask-vault-pass is used, then pretty much always
prompt.

If it is not used, then prompt if there are no other
vault ids provided and 'auto_prompt==True'.

Fixes vagrant bug hashicorp/vagrant#9033

Fixes #30993
alikins added a commit to ansible/ansible that referenced this issue Nov 15, 2017
(cherry picked from commit 86dc3c0)
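
The tty gating described in the commit message above can be reproduced with the standard library alone. This is an added example, not code from Ansible or Vagrant: the function names `gated_prompt`, `always_prompt` and `run_without_tty` and the piped password are constructed for illustration, and it assumes a POSIX host so the child process can be detached from any controlling terminal.

```python
import subprocess
import sys

# Child script: models the two prompt strategies from the commit message.
CHILD = r'''
import getpass, sys, warnings
warnings.simplefilter("ignore", getpass.GetPassWarning)

def gated_prompt():
    # 2.4.0-style gate: without a tty the prompt is never set up,
    # so getpass never gets the chance to fall back to stdin.
    if not sys.stdin.isatty():
        return None
    return getpass.getpass("Vault password: ")

def always_prompt():
    # Fixed behaviour: always call getpass and let it sort out tty vs stdin.
    return getpass.getpass("Vault password: ")

secret = {"gated": gated_prompt, "always": always_prompt}[sys.argv[1]]()
if secret is None:
    sys.exit("ERROR! Attempting to decrypt but no vault secrets found")
print(len(secret))  # report only the length, never the secret itself
'''

def run_without_tty(mode, piped_password):
    """Run the child with stdin as a pipe and no controlling terminal,
    as under a CI job or the Vagrant ansible provisioner."""
    proc = subprocess.run(
        [sys.executable, "-c", CHILD, mode],
        input=piped_password + "\n",
        capture_output=True,
        text=True,
        start_new_session=True,  # setsid(): opening /dev/tty fails in the child
    )
    return proc.returncode, proc.stdout.strip(), proc.stderr

if __name__ == "__main__":
    for mode in ("gated", "always"):
        code, out, err = run_without_tty(mode, "constructed-pw")
        print(mode, "exit:", code, "secret length:", out or "n/a")
```

When getpass falls back to stdin it cannot disable echo, which is why the child suppresses `GetPassWarning`; in a pipeline the password arrives over the pipe rather than on the command line, so it does not show up in the process list.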
@ghost

ghost commented Mar 31, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Mar 31, 2020