Reputation: 1906
UPDATED:
I have organized my configs into a role based directory structure. Some of those roles have default variable files that have encrypted text. Here's a simplified and tested task list that fails:
---
- name: 'Include some additional variables'
  include_vars:
    dir: "{{playbook_dir}}/roles/foo/defaults/vars"
  tags: 'debug'

- name: 'Debug: display the variables'
  debug:
    msg: "{{item}}"
  with_items:
    - "{{encrypted_text_from_yml_file}}"
  tags: 'debug'

- name: 'Deploy Foo plugins'
  block:
    - name: 'Transfer the folder to the application directory'
      synchronize:
        src: 'some_src_folder'
        dest: "{{some_unencrypted_text_from_another_yml_file}}"
        archive: false
        recursive: true
  tags: 'debug'
I'm seeing the following error, however, when executing my playbook:
TASK [<some_app> : Transfer the <some_folder> folder to the application directory] **********************************************************************************
fatal: [<some_hostname>]: FAILED! => {"failed": true, "msg": "Decryption failed (no vault secrets would found that could decrypt)"}
My credentials are being retrieved from a password file.
I tossed a debug task right after the variable include and all my variables that were encrypted displayed. The weird thing is the block of tasks where the exception is occurring is using a synchronize module. No variables from the vault are even being used...
Any idea how to troubleshoot this? I increased the verbosity up to -vvvv and didn't see anything obvious.
Using: ansible 2.4.0.0
Upvotes: 9
Views: 46960
Reputation: 1
An edge case, but still a possible reason for this error, at least in Ansible Tower, could be if you have deleted the credential used in the play from the credentials (menu), but did not update the play: Ansible will still try to use it, because it hasn't been removed from the play.
Upvotes: 0
Reputation: 2574
In my case the error was caused by special characters. The decryption worked on my dev machine (Arch Linux) but failed when running on my CI machine (GitLab). I had injected the password as a secret variable, but as the password contained a $, apparently the decryption did not work.
After changing the password by removing all special characters and re-keying the vault and encrypted strings with the new password, the problem was gone and the CI could successfully decrypt the vault.
Upvotes: 4
Reputation: 21
I had the same issue using the molecule test command. I tried to run the playbook with --ask-vault-pass and it worked, so I was thinking that the problem came from the Python version or Molecule, but in my case it was just the name of my vault-password-file, .vault, which is listed in the .gitignore file. As soon as I changed the name it worked fine.
Upvotes: 2
Reputation: 1906
I figured out the issue. I accidentally truncated an encrypted string in group_vars/all. Using -vvvvv (note the 5th v) actually helped reveal an HMAC issue.
Upvotes: 12
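An added example, not code from the question or any of the answers, for the truncation the last answer describes: a Python checker (assumed to be run by hand or in CI before the play) that parses the structure of an Ansible AES256 vault envelope, which is a $ANSIBLE_VAULT header line followed by hex text that decodes to salt, HMAC and ciphertext hex separated by newlines, and flags strings that have been cut short. The vars text and envelope values below are constructed, not real ciphertext.

```python
import binascii
import re
HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];AES256(?:;[^\s;]+)?$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

def check_vault_text(vault_text):
    """Structural problems in one envelope ([] = intact). AES256 layout: header, then hex of salt\\nhmac\\nct."""
    lines = [ln.strip() for ln in vault_text.strip().splitlines() if ln.strip()]
    if not lines or not HEADER_RE.match(lines[0]):
        return ["missing or unrecognised $ANSIBLE_VAULT header"]
    try:
        inner = binascii.unhexlify("".join(lines[1:]))
    except (binascii.Error, ValueError):
        return ["outer hex is odd-length or has non-hex characters (cut mid-line?)"]
    fields = inner.split(b"\n")
    if len(fields) != 3:
        return ["payload has %d field(s), expected salt/hmac/ciphertext" % len(fields)]
    problems = []
    for name, field, want in zip(("salt", "hmac", "ciphertext"), fields, (64, 64, None)):
        if not HEX_RE.match(field.decode("ascii", "replace")):
            problems.append("%s field is empty or not hex" % name)
        elif want and len(field) != want:
            problems.append("%s is %d hex chars, expected %d" % (name, len(field), want))
    if not problems and len(fields[2]) % 32:  # PKCS7-padded AES: whole 16-byte blocks
        problems.append("ciphertext is not a whole number of AES blocks: truncated")
    return problems

def find_vault_blocks(vars_text):
    """Plain-text scan: (line_no, envelope) for each $ANSIBLE_VAULT header plus the hex lines under it."""
    blocks, lines = [], [ln.strip() for ln in vars_text.splitlines()]
    for i, ln in enumerate(lines):
        if ln.startswith("$ANSIBLE_VAULT"):
            body = [ln]
            for nxt in lines[i + 1:]:
                if not HEX_RE.match(nxt):
                    break
                body.append(nxt)
            blocks.append((i + 1, "\n".join(body)))
    return blocks
def audit_vars_file(vars_text):
    """Map header line number -> problems, so a cut-off string is caught before the play runs."""
    return {line: check_vault_text(env) for line, env in find_vault_blocks(vars_text)}

# Constructed sample laid out as ansible-vault prints it (80-char hex lines); not real ciphertext.
_inner = b"\n".join(binascii.hexlify(b) for b in (bytes(range(32)), b"\xab" * 32, b"\x11" * 32))
_outer = binascii.hexlify(_inner).decode()
GOOD = "$ANSIBLE_VAULT;1.1;AES256\n" + "\n".join(_outer[i:i + 80] for i in range(0, len(_outer), 80))
TRUNCATED = "\n".join(GOOD.splitlines()[:-1])  # final hex line lost, as in the accepted answer
SAMPLE_VARS = ("db_password: !vault |\n" + "".join("  %s\n" % l for l in GOOD.splitlines())
               + "api_token: !vault |\n" + "".join("  %s\n" % l for l in TRUNCATED.splitlines()))
```

Running `audit_vars_file(SAMPLE_VARS)` reports the intact string on line 2 as clean and the cut-off one on line 9 as truncated, which is the condition the HMAC error at -vvvvv points to.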