The ansible provisioner no longer prompts for the vault password when using ansible 2.4.0.0 with ask_vault_pass set to true. #9033
@IanCaunce Thank you for reporting this. As you mentioned, this problem is caused by a change in Ansible 2.4, not in Vagrant. I am quite unsure that something can be done in Vagrant itself (see similar story in #2924, about the impossibility to handle non-private variable prompts). This must be reported to the Ansible project. I suspect that ansible/ansible#30993 is related to the same change (removal of See also more details here: https://stackoverflow.com/a/46477011
After reading that stackoverflow I thought that was the case but wanted to report it here just in case a fix could be applied in vagrant to support ansible's new logic. Thanks for the feedback!
* Fix vault --ask-vault-pass with no tty

2.4.0 added a check for isatty() that would skip setting up interactive vault password prompts if not running on a tty.

But... getpass.getpass() will fallback to reading from stdin if it gets that far without a tty. Since 2.4.0 skipped the interactive prompts / getpass.getpass() in that case, it would never get a chance to fall back to stdin.

So if 'echo $VAULT_PASSWORD| ansible-playbook --ask-vault-pass site.yml' was ran without a tty (ie, from a jenkins job or via the vagrant ansible provisioner) the 2.4 behavior was different than 2.3. 2.4 would never read the password from stdin, resulting in a vault password error like:

ERROR! Attempting to decrypt but no vault secrets found

Fix is just to always call the interactive password prompts based on getpass.getpass() on --ask-vault-pass or --vault-id @prompt and let getpass sort it out.

* up test_prompt_no_tty to expect prompt with no tty

We do call the PromptSecret class if there is no tty, but we are back to expecting it to read from stdin in that case.

* Fix logic for when to auto-prompt vault pass

If --ask-vault-pass is used, then pretty much always prompt.

If it is not used, then prompt if there are no other vault ids provided and 'auto_prompt==True'.

Fixes vagrant bug hashicorp/vagrant#9033
Fixes #30993
* Fix vault --ask-vault-pass with no tty

2.4.0 added a check for isatty() that would skip setting up interactive vault password prompts if not running on a tty.

But... getpass.getpass() will fallback to reading from stdin if it gets that far without a tty. Since 2.4.0 skipped the interactive prompts / getpass.getpass() in that case, it would never get a chance to fall back to stdin.

So if 'echo $VAULT_PASSWORD| ansible-playbook --ask-vault-pass site.yml' was ran without a tty (ie, from a jenkins job or via the vagrant ansible provisioner) the 2.4 behavior was different than 2.3. 2.4 would never read the password from stdin, resulting in a vault password error like:

ERROR! Attempting to decrypt but no vault secrets found

Fix is just to always call the interactive password prompts based on getpass.getpass() on --ask-vault-pass or --vault-id @prompt and let getpass sort it out.

* up test_prompt_no_tty to expect prompt with no tty

We do call the PromptSecret class if there is no tty, but we are back to expecting it to read from stdin in that case.

* Fix logic for when to auto-prompt vault pass

If --ask-vault-pass is used, then pretty much always prompt.

If it is not used, then prompt if there are no other vault ids provided and 'auto_prompt==True'.

Fixes vagrant bug hashicorp/vagrant#9033
Fixes #30993

(cherry picked from commit 86dc3c0)
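The no-tty behaviour described in the commit message above can be reproduced with Python's `getpass` alone. This is an added example, not Ansible's or Vagrant's code: the child script, the mode names `gated` and `always`, and the sample password are constructed for illustration, and it assumes a POSIX host because it uses `start_new_session` to detach from the controlling terminal.

```python
import subprocess
import sys

# Child process: a minimal model of the prompt decision, not Ansible's code.
# "gated"  = 2.4.0 behaviour: skip the prompt entirely unless stdin is a tty.
# "always" = fixed behaviour: call getpass.getpass() and let it fall back to stdin.
CHILD = r'''
import getpass, sys, warnings
warnings.simplefilter("ignore")  # getpass warns that echo cannot be disabled
secret = None
if sys.argv[1] == "always" or sys.stdin.isatty():
    secret = getpass.getpass("Vault password: ")
if secret is None:
    print("Attempting to decrypt but no vault secrets found")
else:
    print("vault secret loaded (%d chars)" % len(secret))
'''


def run_without_tty(mode, password):
    """Run the child with piped stdin and no controlling terminal,
    as a Jenkins job or the Vagrant provisioner would."""
    proc = subprocess.run(
        [sys.executable, "-c", CHILD, mode],
        input=password + "\n",
        capture_output=True,
        text=True,
        start_new_session=True,  # setsid(): /dev/tty cannot be opened
        timeout=30,
    )
    return proc.stdout.strip()


if __name__ == "__main__":
    sample = "constructed-pass"  # constructed sample value, not a real secret
    for mode in ("gated", "always"):
        print(mode, "->", run_without_tty(mode, sample))
```

The child reports only the length of what it read, so the sample secret never reaches stdout or a build log.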
The ansible provisioner no longer prompts for the vault password when using ansible 2.4.0.0 with ask_vault_pass set to true. Vagrant exits with the error:

After some googling I found this stackoverflow post.

Tested using vagrant version 1.9.1, 1.9.5 and 2.0.0.

Host OS: Ubuntu 16.04
Kernel: 4.10.0-35-generic
Guest OS: ubuntu/xenial64

Expected Behaviour:
Vagrant should prompt the user for the vault password.
Actual Behaviour:
Vagrant doesn't prompt the user and exits.
Vagrant File