Error decryption failed no vault secrets were found that could decrypt

The ‘ansible-inventory’ failures I mentioned may be a different bug related to ansible-inventory’s use of json/yaml decoders that dont grok vaulted vars.

If that is the case, then it seems to be related to #31141 and #31946

If I disable all the ‘friendly’ top level exception handling so I can get a full traceback,
the ‘ansible-inventory -i hosts —list’ as run against the ‘hosts’ from https://github.com/alikins/ansible-bug-repro/tree/master/vault_sync_decrypt_fail_31620 fails like:

ERROR! Attempting to decrypt but no vault secrets found
Traceback (most recent call last):
  File "/home/adrian/src/ansible/bin/ansible-inventory", line 118, in <module>
    exit_code = cli.run()
  File "/home/adrian/src/ansible/lib/ansible/cli/inventory.py", line 178, in run
    results = self.dump(results)
  File "/home/adrian/src/ansible/lib/ansible/cli/inventory.py", line 195, in dump
    results = jsonify(stuff, sort_keys=True, indent=4)
  File "/home/adrian/src/ansible/lib/ansible/module_utils/basic.py", line 784, in jsonify
    return json.dumps(data, encoding=encoding, default=_json_encode_fallback, **kwargs)
  File "/usr/lib64/python2.7/json/__init__.py", line 251, in dumps
    sort_keys=sort_keys, **kw).encode(obj)
  File "/usr/lib64/python2.7/json/encoder.py", line 209, in encode
    chunks = list(chunks)
  File "/usr/lib64/python2.7/json/encoder.py", line 434, in _iterencode
    for chunk in _iterencode_dict(o, _current_indent_level):
  File "/usr/lib64/python2.7/json/encoder.py", line 408, in _iterencode_dict
    for chunk in chunks:
  File "/usr/lib64/python2.7/json/encoder.py", line 408, in _iterencode_dict
    for chunk in chunks:
  File "/usr/lib64/python2.7/json/encoder.py", line 408, in _iterencode_dict
    for chunk in chunks:
  File "/usr/lib64/python2.7/json/encoder.py", line 408, in _iterencode_dict
    for chunk in chunks:
  File "/usr/lib64/python2.7/json/encoder.py", line 442, in _iterencode
    o = _default(o)
  File "/home/adrian/src/ansible/lib/ansible/module_utils/basic.py", line 778, in _json_encode_fallback
    raise TypeError("Cannot json serialize %s" % to_native(obj))
  File "/home/adrian/src/ansible/lib/ansible/module_utils/_text.py", line 149, in to_bytes
    value = str(obj)
  File "/home/adrian/src/ansible/lib/ansible/parsing/yaml/objects.py", line 131, in __str__
    return str(self.data)
  File "/home/adrian/src/ansible/lib/ansible/parsing/yaml/objects.py", line 107, in data
    return self.vault.decrypt(self._ciphertext).decode()
  File "/home/adrian/src/ansible/lib/ansible/parsing/vault/__init__.py", line 660, in decrypt
    plaintext, vault_id = self.decrypt_and_get_vault_id(vaulttext, filename=filename)
  File "/home/adrian/src/ansible/lib/ansible/parsing/vault/__init__.py", line 698, in decrypt_and_get_vault_id
    raise AnsibleVaultError('Attempting to decrypt but no vault secrets found')
ansible.parsing.vault.AnsibleVaultError: Attempting to decrypt but no vault secrets found

Stuck with the Ansible Error: Decryption Failed? We can help you.

It frustrates us to get an error when we try to run an ansible-playbook.

As part of our Server Management Services, we assist our customers with several Ansible queries.

Today, let us see how we can fix this error.

Ansible Error: Decryption Failed

Recently, we had a customer who came across the following error:

fatal: [server1.lab.com]: FAILED! => {“msg”: “Decryption failed (no vault secrets were found that could decrypt) on /home/bobcares/ansible/encrypted_data.txt”}

fatal: [server1.lab.com]: FAILED! => {“msg”: “A vault password or secret must be specified to decrypt /home/bobcares/ansible/Bobcares/encrypted_data.txt”}

With Ansible Vault, we can encrypt files rather than leaving them visible as plaintext in playbooks.

Generally, we use it on sensitive information like passwords, SSL private keys, etc.

By default, to encrypt data, the Ansible vault uses the AES256 algorithm.

File before encryption :

$> cat encrypted_data.txt
This is an encrypted data

Encryption using Ansible Vault :

$ ansible-vault encrypt encrypted_data.txt
New Vault password:
Confirm New Vault password:
Encryption successful

After Encryption :

$ > cat encrypted_data.txt
$ANSIBLE_VAULT;1.1;AES256
30613332366266623564636132643536646265316132636439326535613939333061376337666433
3831313731303866643765313962323065346565613937650a396162373436306363383934643464
32393037346666303036306365396139383832383632373235323432666638366335623163363539
3530363234656536620a356138366536643164353462613138333664363134303533326566636232
32623530373362396231613230653939393865323639633966616530346261653863

Now it is safe to include as a parameter in the ansible-playbook.

In addition, we need to provide a decryption password when we run the ansible-playbook which contains a file encrypted with ansible vault.

Cause and Fix to the error

Moving ahead, let us see the cause and how our Support Techs fix this error.

Generally, we come across this error because the decryption password we provide to ansible is incorrect.

For example, consider a playbook for the encrypted_data.txt file which we used ansible vault to encrypt and copy over to a target machine after decryption.

vault.yml :

– hosts: server1.lab.com
tasks:
– name: Copying Encrypted file to target machine and decrypting
copy:
src: encrypted_data.txt
dest: /home/decrypted_data.txt

If we try to run the playbook directly like this:

ansible-playbook vault.yml

This will eventually end up in an error.

So, we have to provide the decryption password to the playbook, either as a prompt to the terminal or as a vault file.

ansible-playbook vault.yml –ask-vault-pass ## To prompt for vault password

ansible-playbook vault.yml –vault-password-file /home/bobcares/private/vault_pass.txt ## To automatically read the vault password

We use a convenient way to pass the vault password. The error disappears once we provide the correct password to the ansible controller.

[Need help with the fix? We’d be happy to assist]

Conclusion

To conclude, an incorrect decryption password can lead us to this error. Today, we saw how our Support Techs fix this error for our customers.

var google_conversion_label = «owonCMyG5nEQ0aD71QM»;

Error decryption failed no vault secrets were found that could decrypt

Let’s say you have a playbook that uses the file module to create /tmp/foo.txt on your managed nodes.

You attempt to run this playbook.

And ERROR! Attempting to decrypt but no vault secrets found is returned.

This error can occur when you have a file in the group_vars directory that has been encrypted by the ansible-vault create or ansible-vault edit or ansible-vault encrypt command. For example, let’s say the /usr/local/ansible/group_vars/all/foo.txt file has been encrypted.

In this scenario, it usually a good idea to first ensure the file was encrypted. If so, something like this should be returned.

Then see if you can decrypt the file using the ansible-vault view command.

You will be prompted to for the vault password.

After providing the valid vault password, the content of the encrypted file will be displayed.

If you are able to decrypt the file, one option would be to use the —ask-vault-pass command line flag so that you are prompted for the vault password.

Or, you could create a hidden file that contains the password, such as .vault_password.txt, and then use the —vault-password-file or —vault-id option on the command line.

Did you find this article helpful?

If so, consider buying me a coffee over at

Источник

Ansible Error: Decryption Failed – How to fix it quickly

by Nicky Mathew | Jul 5, 2021

Stuck with the Ansible Error: Decryption Failed? We can help you.

It frustrates us to get an error when we try to run an ansible-playbook.

As part of our Server Management Services, we assist our customers with several Ansible queries.

Today, let us see how we can fix this error.

Ansible Error: Decryption Failed

Recently, we had a customer who came across the following error:

With Ansible Vault, we can encrypt files rather than leaving them visible as plaintext in playbooks.

Generally, we use it on sensitive information like passwords, SSL private keys, etc.

By default, to encrypt data, the Ansible vault uses the AES256 algorithm.

File before encryption :

Encryption using Ansible Vault :

Now it is safe to include as a parameter in the ansible-playbook.

In addition, we need to provide a decryption password when we run the ansible-playbook which contains a file encrypted with ansible vault.

Cause and Fix to the error

Moving ahead, let us see the cause and how our Support Techs fix this error.

Generally, we come across this error because the decryption password we provide to ansible is incorrect.

For example, consider a playbook for the encrypted_data.txt file which we used ansible vault to encrypt and copy over to a target machine after decryption.

If we try to run the playbook directly like this:

This will eventually end up in an error.

So, we have to provide the decryption password to the playbook, either as a prompt to the terminal or as a vault file.

We use a convenient way to pass the vault password. The error disappears once we provide the correct password to the ansible controller.

[Need help with the fix? We’d be happy to assist]

Conclusion

To conclude, an incorrect decryption password can lead us to this error. Today, we saw how our Support Techs fix this error for our customers.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

Источник

Ansible troubleshooting — Attempting to decrypt but no vault secrets found

How to solve the error attempting to decrypt but no vault secrets found when using an Ansible Vault to store sensitive password content.

Please enable JavaScript

Today we’re going to talk about Ansible troubleshooting, specifically about the attempt to decrypt but no vault secrets found error. I’m Luca Berton and welcome to today’s episode of Ansible Pilot

The Best Resources For Ansible

Video Course

Printed Book

eBooks

Live demo of Ansible Vault in Playbook problem and fix the error:

The best way of talking about Ansible troubleshooting is to jump in a live demo to show you practically the connection failed error and how to solve it!

Every time we would like to use Ansible Vault to store our sensitive information (passwords, access keys, configuration, etc/) encrypted, we need to specify a password for the decryption of the file. The screen error simply reminds us that the password is incorrect or not specified. The solution is relatively easy once you understand the underlying Ansible Vault concept.

error execution

fix execution

We need to specify the —ask-vault-password or —vault-password-file option of the ansible-playbook tool when using Ansible Vault file.

Recap

Now you know better how to troubleshoot the Ansible error: attempting to decrypt but no vault secrets found.

Subscribe to the YouTube channel, Medium, Website, Twitter, and Substack to not miss the next episode of the Ansible Pilot.

Academy

Learn the Ansible automation technology with some real-life examples in my

My book Ansible By Examples: 200+ Automation Examples For Linux and Windows System Administrator and DevOps

Donate

Want to keep this project going? Please donate

Источник

Ansible: Decryption failed (‘no vault secrets would found that could decrypt)

ISSUE TYPE

COMPONENT NAME

ANSIBLE VERSION

CONFIGURATION

OS / ENVIRONMENT

SUMMARY

I have organized my configs into a role based directory structure. Some of those roles have default variable files that have encrypted text. Here’s a simplified and tested task list from one that is failing:

STEPS TO REPRODUCE

1.) Setup a sample role
2.) In that sample role, create a defaults/var/
3.) Use the code above. Might require some minor edits.
4.) Configure passwords to be read from file
5.) Run the playbook

EXPECTED RESULTS

The playbook should have transferred the files to the remote server.

ACTUAL RESULTS

I’m also facing this issue with synchronize and the src has no encrypted data.

I see the following error message:

Tried to use the vault secret (default) to decrypt (None) but it failed. Error: HMAC verification failed: Signature did not match digest.

I am facing the same error when I try to edit my file:

I could not understand what causes this error or how it was resolved. Should this issue be reopened?

I’m also facing this issue with synchronize and the src has no encrypted data.

Re-open as per #36408

FYI, issue was closed by reporter, no reason given.

The message indicates that none of the ‘secrets provided’ were able to be used to decrypt the vaults, we would need a reproducer to see if this is a bug or not.

@bcoca Yes. @ivan046 Could you please provide playbook and -vvvv output for reproducing this issue ?

@Akasurde of course! here:

playbook file:
«`- name: Monitoring for TechGC servers
hosts: all
remote_user: ubuntu
become: yes
gather_facts: false
roles:
— monitoring/nrpe

• name: copy nrpe configuration data
  synchronize:
  src: «<< role_path >>/files/conf/»
  dest: /techgc/nrpe/conf/
  recursive: yes
  archive: no
  links: yes
  mode: push
  tags:
  • monitoring

env_prefix: prod
mms_group_id: !vault |
$ANSIBLE_VAULT;1.1;AES256
64343937323766643031346561636661393763393935333439323864333837656266663865386637
3333616330306664393733653431393862666665663339380a656330376237303236346462366266
35386565353138373130313965346133656534326330633438303962333439383564626133303136
«`
Setup (gather_facts) and other tasks in the role (‘docker_container’ & ‘file’ modules) show now errors, so I left only the task with the issue. In the output (attached file) there can be seen that task fails for the servers from the group having variable with vaulted value in group_vars but shows no errors for the servers from another group.
ansible.tar.gz
output.txt

I just saw this error pop up with someone I was [tmux] screen-sharing with today. We verified over and over that we were using the same password; sure enough, it’s repeatable.

RHEL 7.4, 3.10.0-693.11.1
ansible 2.4.2.0
python version = 2.7.5 (default, May 3 2017, 07:55:04) [GCC 4.8.5 20150623 (Red Hat 4.8.5-14)]

It seems to be a text encoding problem with Microsoft WSL in our case. I verified via tmux that it’s repeatable both with putty and WSL bash from at least one location. Will troubleshoot more ASAP.

@harrytruman you talk about absolutely different issue there. This thread is about the problem in some modules that try to load and use all group_vars including vaulted but not only the vars they need. This causes error executing playbook that forces user to set ‘—ask-vault-pass’ (or another bay to provide vault password) even for playbooks and roles that contain no vaulted data. That’s the pain.

And you are talking about misbehaviour related with Linux/Windows incompatible encoding during SSH sessions. Please create a separate thread for it.

@ivan046 My results are identical to @paulcalabro, @AyushyaChitransh, and @stanchan.

ENV: Windows 10 running Windows Subsystem Linux (WSL)
DESTINATION Hosts: RHEL 6.9/7.4

@harrytruman I have found these steps reproduce the issue, the encrypt/decrypted value is still in my vault but when its embedded in the playbook after I close the session, Ansible loses some context of the variable.

1. Run ansible-vault encrypt_string test
2. Save the variable to a playbook vars file just like @ivan046 example for mms_group_id
3. Run the playbook
4. Completes with no issues
5. Close WSL
6. Reopen WSL
7. Run playbook on another destination, an error occurs «Decryption failed (no vault secrets would found that could decrypt)»
8. ansible-vault decrypt ‘$ANSIBLE_VAULT;1.1;AES256. ‘
9. test is displayed as the result

@whytoe Are you accessing a cloned repo directly or are you reading from a Windows folder (/mnt/c/. )? Based on colleague input, this is potentially a known issue under that circumstance — let me know if this plays into what you’re experiencing as well.

We are having the same issue. We use ansible-vault directly. Files are encrypted locally on MacOS. Jenkins cannot decrypt them. The Jenkins agent runs as a Ubuntu 16.04 Docker container. Ansible version is 2.4.3.0 in both cases.

FWIW, a file encrypted in the Ubuntu container can be successfully decrypted again. Files encrypted on MacOS cannot.

Also happens when I encrypt a file in the Ubuntu container and try to decrypt it on MacOS.

So it seems we have several issues, none of them clearly the original of this ticket:

• one seems to be purely WSL based
• one is ‘author on osX and deploy on ubuntu’ , probably due to encoding differences, encodings need to be the same
• Another is ‘vaults in group vars are always open’, this is not a bug, this is how Ansible works and won’t change, as Ansible CANNOT know w/o decrypting the vault if it needs the values inside the vault. If you want to ONLY decrypt vaults for certain plays, don’t put them in host_vars/group_vars.

As such I’m going to close this ticket and ask that those with the 2 first problems outlined above each open their own ticket.

@bcoca You are not right about the 3th issue:

— Another is ‘vaults in group vars are always open’, this is not a bug, this is how Ansible works and won’t change, as Ansible CANNOT know w/o decrypting the vault if it needs the values inside the vault. If you want to ONLY decrypt vaults for certain plays, don’t put them in host_vars/group_vars.

As you can see, I’m talking not about vaulted files in inventory (ansible always should try to decrypt and load them which is not possible without providing password or password-file) but about variables with vaulted values. As i’ve mentioned above I’ve included only task using ‘synchronize’ module in the role ‘monitoring’,
because other tasks in the role such as ones using ‘docker_container’ & ‘file’ or ‘setup’ modules show no errors, and ansible play stops with the error only at ‘synchronize’ task!
Usual ansible behaviour is to check variable when task asks about it (and show error if it’s not defined or contains non-proper data or format).
So all the playbook and roles with tasks don’t show error if there is a variable with vaulted value in ‘group_vars’ which they don’t use, but ‘synchronize’ shows error FAILED! => <«msg»: «Decryption failed (no vault secrets would found that could decrypt)»>about that variable even if it is not needed for that role! Sorry but it’s not ansible usual behaviour. Tell me if i’m not right. Thank you in advance!

@ivan046 i had read only your last post, yes, that seems like a bug, but you are mistaken about ‘some modules’ .. NO module does any templating, it always gets done on the controller side BEFORE calling the modules themselves. Still it is different problem from the others even if the error message is the same.

@ivan046 @unguiculus @stanchan @paulcalabro

For that particular error message, there is even more verbosity output available at -vvvv and -vvvvv verbosity levels. That should include which file is trying to be decrypted.

(the value of the vault passwords themselves are not show at these levels. )

If anyone wants to add a reproducer test case to test/integration/targets/vault/ that would be excellent.

@alikins even with ‘-vvvvv’ it just gives

without any additional info.

• ansible-playbook fails on stable-2.4
• ansible-inventory fails on stable-2.4
• ansible-playbook works on devel/
• ansible-inventory fails on devel/

Using above repro case with stable-2.4 branch with ansible-playbook and ansible-inventory
(https://gist.github.com/alikins/55f38059de4f09e56f7614a17f764394)
(https://gist.github.com/alikins/0425df18372b96a53d3b9495398f2151 for output with ANSIBLE_DEBUGGING=1 enabled)

On devel/, ‘ansible-playbook’ works. But ‘ansible-inventory -i hosts’ fails with a similar error.
(https://gist.github.com/alikins/36253155059427cd7d658094a6ea8c96 gist with ANSIBLE_DEBUG=1 and -vvvvv for working ‘ansible-playbook’ and failing ‘ansible-inventory’

(referring to files/hosts as in https://github.com/alikins/ansible-bug-repro/tree/master/vault_sync_decrypt_fail_31620 here)

With ansible-playbook in stable-2.4 and ansible-inventory in 2.4 and devel, something[1] is trying to read/decrypt the encrypted ‘mms_group_id’ var defined in group_vars/some_group
and failing.

The encryption fails because either there is no vault password secret («Attempting to decrypt but no vault secrets found») or there are vault passwords but not the correct one («Decryption failed (no vault secrets would found that could decrypt)» (sic))

Some notes about that:

• Seems like synchronize action ends running the VarsPlugins. Not sure yet if that is normal.
• The VarsPlugins and presumably the decryption appears to be happening in a worker process

For this particular repro, I don’t see an obvious reason ansible-playbook is trying to decrypt that ‘mms_group_id’ var.

@alikins Wow, that’s a really cool example of how to test, thank you! So it’s a real bug and we have to wait until it is fixed. Until then I’ll use — include_vars: «../vaulted/ >.yml» task inside the role that needs that vars. It’s the only way i’ve found to bypass that issue. The ../vaulted/ directory is outside the inventory directory.

Running git-bisect between devel and stable-2.5 points to dae737c8b714f2c6d28663ef0afeab10e6d3a667 as the commit that fixed ansible-playbook in devel

Note: dae737c was a fix for https://github.com/ansible/ansible/issues/33259 but is apparently causing other problems.

The ‘ansible-inventory’ failures I mentioned may be a different bug related to ansible-inventory’s use of json/yaml decoders that dont grok vaulted vars.

If I disable all the ‘friendly’ top level exception handling so I can get a full traceback,
the ‘ansible-inventory -i hosts —list’ as run against the ‘hosts’ from https://github.com/alikins/ansible-bug-repro/tree/master/vault_sync_decrypt_fail_31620 fails like:

(another vaguely related bug for reference purposes: https://github.com/ansible/ansible/issues/22737) — Vault variables undefined when using delegate_to

poking at a stable-2.5 with the repro test case and some logging turned on and using stack_info just before the vault error is raised gets me: https://gist.github.com/alikins/3f8611e907c82a5508178515c4d432de

• The «Attempting to decrypt but no vault secrets found» error is coming from an attempt to decrypt vaulted variables in a task worker process and not the main process.
• The ‘synchronize’ action is involved
• The synchronize action is requesting dest host inventory vars which seems to lead to the decrypt attempt https://gist.github.com/alikins/3f8611e907c82a5508178515c4d432de#file-gistfile1-txt-L49-L50

lib/ansible/vars/hostvars.py», line 89 calls to_bytes() on the data which leads to yaml calling the repr() on the vaulted string which attempts to decrypt it.

Not sure if there is anything that is expecting to catch a vault error there and suspect it is just bubbling back to worker process top level (and back across mp queue to main process?)
File «/home/adrian/src/ansible/lib/ansible/plugins/action/synchronize.py», line 216, in run dest_host_inventory_vars = task_vars[‘hostvars’].get(inventory_hostname)

@ivan046 @alikins please open a separate issue as this one has been hijacked and has different and unrelated problems in it.

@alikins https://github.com/ansible/ansible/issues/31620#issuecomment-369994283 Can you do it? I’m confused with too much data you put there already.

Is there any news on this issue? I am receiving the HMAC issue as well, and I have tried numerous permutations of the problem. I have:

• encrypted the strings on OS X and Ubuntu
• used different passwords
• tried encrypting a whole file, or just encrypting single values

and I always receive: «Decryption failed (no vault secrets would found that could decrypt)»

I couldn’t find a new issue that references this.

I also received this error message today:

Problem was solved when I added a —ask-vault-pass command line option. And entered a vault’s password when it was requested.

Here is what worked for my setup.

for the — ERROR! Attempting to decrypt but no vault secrets found

If you embed your secret vault password configuration in your ansible.cfg file with

default_vault_password_file = /path-to-/secret-vault-password-file ( this secret-vault-password-file should not be in a Git and not accessible to the average user on the system)

The above message will suddenly start appearing, this is because the format appears to have changed in the newer version of ansible.cfg. This is usually caused by a new install of Ansible or apt install upgrade.

For the FIX change this to
vault_password_file = /path-to-/secret-vault-password-file

This resolved the problem and is a solution if you have a single secret-vault-password-file. Since we have multiple ansible versions on different systems, it was necessary to have both lines in the ansible.cfg

default_vault_password_file = /path-to-/secret-vault-password-file
vault_password_file = /path-to-/secret-vault-password-file

This does work, as the older versions use the older format and the newer versions use the new format of what is in the ansible.cfg file

If someone has a solution for using multiple secret-vault-password-files — please do share.

I can confirm this bug.

I ran my playbook with —vault-password-file=vault and got

Decryption failed (no vault secrets would found that could decrypt)

If I ran the same playbook with —ask-vault-pass everything goes fine.

I’ve found the opposite to be true here, —ask-vault-pass was giving me the error, where as setting this in the ansible.cfg file, allowed the decryption

ansible-playbook 2.5.5 config file = /Users/amehar/Library/Mobile Documents/com

CloudDocs/Documents/git/homeinfra/playbooks/ansible.cfg configured module search path = [u’/Users/amehar/.ansible/plugins/modules’, u’/usr/share/ansible/plugins/modules’] ansible python module location = /usr/local/lib/python2.7/site-packages/ansible executable location = /usr/local/bin/ansible-playbook python version = 2.7.15 (default, Oct 2 2018, 11:47:18) [GCC 4.2.1 Compatible Apple LLVM 10.0.0 (clang-1000.11.45.2)] Using /Users/amehar/Library/Mobile Documents/com

CloudDocs/Documents/git/homeinfra/playbooks/ansible.cfg as config file statically imported: /Users/amehar/Library/Mobile Documents/com

CloudDocs/Documents/git/homeinfra/playbooks/roles/common/tasks/centos.yaml statically imported: /Users/amehar/Library/Mobile Documents/com

Still not working. I have encoded it on my Ubuntu 16.04 with Ansible 2.6.4 and my colleague tried to decrypt it Ansible 2.6.4 with Ubuntu 18.04 and it’s still not working .

Источник

Ansible — Resolve «Attempting to decrypt but no vault secrets found»

Let’s say you have a playbook that uses the file module to create /tmp/foo.txt on your managed nodes.

---
- hosts: all
  tasks:
  - file:
      path: /tmp/foo.txt
      state: touch
...

You attempt to run this playbook.

ansible-playbook foo.yml

And ERROR! Attempting to decrypt but no vault secrets found is returned.

PLAY [all]
ERROR! Attempting to decrypt but no vault secrets found

This error can occur when you have a file in the group_vars directory that has been encrypted by the ansible-vault create or ansible-vault edit or ansible-vault encrypt command. For example, let’s say the /usr/local/ansible/group_vars/all/foo.txt file has been encrypted.

/usr/local/ansible/foo.yml
/usr/local/ansible/group_vars/all/foo.txt

In this scenario, it usually a good idea to first ensure the file was encrypted. If so, something like this should be returned.

~]$ cat foo.txt
$ANSIBLE_VAULT;1.2;AES256;test
38626262613533326438383838363032346366643231633838393661633061633830383832643062
6666663233666435636165323038653462343732343264310a616532376238616537613832363565
63336561303230626332326436303830356335343061386333636131386435316633396464353832
3631303831333164610a393266346630313635313831626639303961663330333736393236373032
3062

Then see if you can decrypt the file using the ansible-vault view command.

ansible-vault view foo.txt

You will be prompted to for the vault password.

Vault password:

After providing the valid vault password, the content of the encrypted file will be displayed.

Hello World

If you are able to decrypt the file, one option would be to use the —ask-vault-pass command line flag so that you are prompted for the vault password.

~]# ansible-playbook foo.yml --ask-vault-pass
Vault password:

Or, you could create a hidden file that contains the password, such as .vault_password.txt, and then use the —vault-password-file or —vault-id option on the command line.

ansible-playbook foo.yml --vault-password-file group_vars/all/.vault_password.txt

Did you find this article helpful?

If so, consider buying me a coffee over at

I inherited an Ansible project when someone quit some time ago. The main book configures a newly-minted Linux VM. Part of the process is that a user is created with a default initial password. We’re changing that default password but I’m damned if I can find where it is stored. The user creation simply refers to a variable who’s name appears nowhere in the Ansible file tree.

Suspicion falls on several role/xxx/vars/main.yml files which are all fully encrypted files (i.e., they immediately start with «$ANSIBLE_VAULT;1.1;AES256» and contain nothing else readable. I’m guessing that my mystery variable is defined in one of these files.

I was left a note of the «Ansible Vault Password» but when I try to use this on the command line with ansible-vault I get «ERROR! Decryption failed (no vault secrets were found that could decrypt)» errors.

However, the whole thing actually runs on an AWX box which appears to have no problem accessing the files.

Can I conclude that the password I have is definitely wrong or is there some way that AWX works which I am not duplicating when using the command line?

I assume that AWX will never tell me what password it is using to decrypt the files.

UPDATED:

I have organized my configs into a role based directory structure. Some of those roles have default variable files that have encrypted text. Here’s a simplified and tested task list that fails:

---
- name: 'Include some additional variables'
  include_vars:
    dir: "{{playbook_dir}}/roles/foo/defaults/vars"
  tags: 'debug'

- name: 'Debug: display the variables'
  debug:
    msg: "{{item}}"
  with_items:
    - "{{encrypted_text_from_yml_file}}"
  tags: 'debug'

- name: 'Deploy Foo plugins'
  block:
    - name: 'Transfer the folder to the application directory'
      synchronize:
        src: 'some_src_folder'
        dest: "{{some_unencrypted_text_from_another_yml_file}}"
        archive: false
        recursive: true
  tags: 'debug'

I’m seeing the following error, however, when executing my playbook:

TASK [<some_app> : Transfer the <some_folder> folder to the application directory] **********************************************************************************
fatal: [<some_hostname>]: FAILED! => {"failed": true, "msg": "Decryption failed (no vault secrets would found t
hat could decrypt)"}

My credentials are being retrieved from a password file.

I tossed a debug task right after the variable include and all my variables that were encrypted displayed. The weird thing is the block of tasks where the exception is occurring is using a synchronize module. No variables from the vault are even being used…

Any idea how to troubleshoot this? I increased the verbosity up to -vvvv and didn’t see anything obvious.

Using: ansible 2.4.0.0