Ansible - Resolve "ansible.parsing.yaml.objects.AnsibleVaultEncryptedUnicode object has no attribute split"

Let's say you use the ansible-vault create command to create a file named locker.yml that contains the following.

test_password itsasecret
prod_password hGn4!kD98A

 

And then you have a playbook that decrypts locker.yml, like this.

---
- hosts: localhost
  vars:
    passwords: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          66303833643731313633343266616162613965636161313534376563383639646463376630626635
          3136316663626536303061333531303234616562323637330a373633393736393863373566623261
          65643764336263613730666665663763383063386137383331386136366232666637626566653032
          3933393061666138650a656238386665343838613833643435623932306539633138376533613039
          6531
  tasks:
    - name: display the content of the 'passwords' variable
      debug:
        var: passwords
...

 

Something like this should be returned.

TASK [display the content of the 'passwords' variable]
ok: [localhost] => {
    "vault": "test_password itsasecret\nprod_password hGn4!kD98A"
}

 

However, if you try to split the content of the "passwords" variable.

- name: display the content of the 'passwords' variable
  debug:
    msg: "{{ passwords.split() }}"

 

The following fatal error should be returned.

TASK [display the content of the 'passwords' variable]
fatal: [localhost]: FAILED! => {"msg": "
The task includes an option with an undefined variable.
The error was: 'ansible.parsing.yaml.objects.AnsibleVaultEncryptedUnicode object' has no attribute 'split'\n\n
The error appears to be in '/usr/local/ansible/testing.yml': line 17, column 7, but may be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:
- name: display the contents of the 'passwords' variable
        ^ here

 

This occurs because the object type of the "passwords" variable is AnsibleVaultEncryptedUnicode, which can be seen in the error message, or with the type_debug filter, and the split filter cannot be used on object type AnsibleVaultEncryptedUnicode. To resolve this, the set_fact module and string filter can be used to convert the "passwords" variable from AnsibleVaultEncryptedUnicode to AnsibleUnsafeText.

- name: convert the 'passwords' variable from AnsibleVaultEncryptedUnicode to AnsibleUnsafeText
  set_fact:
    passwords: "{{ passwords | string }}"

 

Now the "passwords" variable can be split.

- name: display the content of the 'passwords' variable
  debug:
    msg: "{{ passwords.split() }}"

 

Now the following should be returned.

TASK [display vault.yml]
ok: [localhost] => {
    "msg": [
        "test_password itsasecret",
        "prod_password hGn4!kD98A"
    ]
}

 

And here is how you would create variables containing the test password and prod password.

- set_fact:
    dev_password: "{{ passwords.split('\n')[0].split(' ')[1] }}"

- set_fact:
    prod_password: "{{ passwords.split('\n')[1].split(' ')[1] }}"

 



Add a Comment




We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.





Please enter 32beb in the box below so that we can be sure you are a human.




Comments

Web design by yours truely - me, myself, and I   |   jeremy.canfield@freekb.net   |