Christian

Reputation: 4104

Ansible vaulted variables with quotes in it

I am using Ansible 2.4. I can't get the following ansible-playbook to run:

test.yml

---
- hosts: "localhost"
  become: no

  vars:
    foo_withsinglequote: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          39313737636336313832376165636465346162366333663137373165363662316263336166393666
          3566643732663063386333303638633962363863306463610a643931396636613361353165653265
          38376630313939626637623538613432373336646663636563623062636238313731326263336263
          3138643931323662620a336534383964663562353162393930613965386465616630363335326138
          3431
    foo_withdoublequote: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          64633863363838326664323238313866616161313937323563636430326432393638336334303336
          3533653339663438356238613937336466623834666537630a646139643033653237353262616662
          30643732313861373130633036346361663130326332303932616433643761633739306137333237
          6263653365386132620a633738663336313532366637613533313361646339623137393461383363
          3332

  tasks:
   - name: Echo foo_withsinglequote
     command: echo "{{ foo_withsinglequote }}"
   - name: Echo foo_withdoublequote
     command: echo "{{ foo_withdoublequote }}"

To generate the vault variables I used the following:

$ echo 123 > vlt.txt
$ ansible-vault --vault-password-file=vlt.txt encrypt_string "abc\"def"
$ ansible-vault --vault-password-file=vlt.txt encrypt_string "abc\'def"

To run the playbook:

$ ansible-playbook --vault-password-file=vlt.txt test.yml

This gives the following error:

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: No closing quotation

fatal: [localhost]: FAILED! => {"changed": false, "failed": true, "module_stderr": "Traceback (most recent call last):\n File \"/tmp/ansible_8uz23O/ansible_module_command.py\", line 213, in \n main()\n File \"/tmp/ansible_8uz23O/ansible_module_command.py\", line 182, in main\n args = shlex.split(args)\n File \"/usr/lib/python2.7/shlex.py\", line 279, in split\n return list(lex)\n File \"/usr/lib/python2.7/shlex.py\", line 269, in next\n token = self.get_token()\n File \"/usr/lib/python2.7/shlex.py\", line 96, in get_token\n raw = self.read_token()\n File \"/usr/lib/python2.7/shlex.py\", line 172, in read_token\n raise ValueError, \"No closing quotation\"\nValueError: No closing quotation\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 0}

How can I quote the vaulted variables correctly? I don't know in advance whether the vaulted variables will contain single or double quotes.

Upvotes: 0

Views: 4388

Answers (1)

techraf

Reputation: 68629

Your problem description, despite being well written, unfortunately wrongly attributes the problem to Ansible Vault.

In fact, the problem you reported comes simply from trying to execute the task, which effectively becomes:

- command: echo abc"def

Ansible Vault plays no role in causing this problem -- if you defined the variable directly with foo: abc\"def you'd get the same error message.


The solution is simply to quote the string in the echo command:

- command: echo '{{ foo }}'

Other than that, you can use the quote filter, but for a Vault-protected variable you need to first set a static fact:

- set_fact:
    bar: "{{ foo }}"
- command: echo {{ bar|quote }}

Finally, the simplest solution to the underlying problem is: do not use special characters in passwords. Increase the length instead.

Upvotes: 1
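An added example, not part of the original question or answer: it models the `shlex.split` call visible in the traceback and checks, for several constructed secret values, whether each quoting style delivers the value to `echo` as one unchanged argument. The `render` helper is a hypothetical stand-in for Jinja2 substitution, and `shlex.quote` stands in for Ansible's `quote` filter.

```python
import shlex

# Constructed sample secrets covering the cases raised in the question.
SAMPLES = ['abc"def', "abc'def", "abc def", 'a"b\'c; id']


def render(template, value, quote=False):
    """Stand-in for Jinja2: substitute {{ foo }}, optionally shell-quoted."""
    return template.replace("{{ foo }}", shlex.quote(value) if quote else value)


def parse(cmdline):
    """Split the command line with shlex.split, as the traceback shows.

    Returns the argv list, or None when shlex raises
    "No closing quotation".
    """
    try:
        return shlex.split(cmdline)
    except ValueError:
        return None


def survives(template, value, quote=False):
    """True when the value reaches echo as exactly one unchanged argument."""
    return parse(render(template, value, quote)) == ["echo", value]


def report():
    """Map each quoting style to its per-sample results."""
    templates = [
        ('echo "{{ foo }}"', False),  # double quotes in the task
        ("echo '{{ foo }}'", False),  # single quotes in the task
        ("echo {{ foo }}", True),     # value passed through the quote filter
    ]
    rows = {}
    for tpl, use_quote in templates:
        label = tpl + (" |quote" if use_quote else "")
        rows[label] = [survives(tpl, v, use_quote) for v in SAMPLES]
    return rows


if __name__ == "__main__":
    for label, results in report().items():
        print(f"{label:28} {results}")
```

Only the shell-quoted form passes for every sample; each hand-written quoting style fails as soon as the value contains the same quote character the task uses.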
