Let's say you have a playbook that uses the file module to create /tmp/foo.txt on your managed nodes.
---
- hosts: all
  tasks:
  - file:
      path: /tmp/foo.txt
      state: touch
...
You attempt to run this playbook.
ansible-playbook foo.yml
And the error "ERROR! Attempting to decrypt but no vault secrets found" is returned.
PLAY [all]
ERROR! Attempting to decrypt but no vault secrets found
This error can occur when you have a file in the group_vars directory that has been encrypted by the ansible-vault create, ansible-vault edit, or ansible-vault encrypt command. For example, let's say the /usr/local/ansible/group_vars/all/foo.txt file has been encrypted.
/usr/local/ansible/foo.yml
/usr/local/ansible/group_vars/all/foo.txt
In this scenario, it is usually a good idea to first ensure the file was encrypted. If so, something like this should be returned.
~]$ cat foo.txt
$ANSIBLE_VAULT;1.2;AES256;test
38626262613533326438383838363032346366643231633838393661633061633830383832643062
6666663233666435636165323038653462343732343264310a616532376238616537613832363565
63336561303230626332326436303830356335343061386333636131386435316633396464353832
3631303831333164610a393266346630313635313831626639303961663330333736393236373032
3062
Then see if you can decrypt the file using the ansible-vault view command.
ansible-vault view foo.txt
You will be prompted for the vault password.
Vault password:
After providing the valid vault password, the content of the encrypted file will be displayed.
Hello World
If you are able to decrypt the file, one option would be to use the --ask-vault-pass command line flag so that you are prompted for the vault password.
~]# ansible-playbook foo.yml --ask-vault-pass
Vault password:
Or, you could create a hidden file that contains the password, such as .vault_password.txt, and then use the --vault-password-file or --vault-id option on the command line.
ansible-playbook foo.yml --vault-password-file group_vars/all/.vault_password.txt
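As an added example (not part of the original article), the shell script below finds every vault-encrypted file under a directory by its header line, prints the format version, cipher and vault ID label from that header, and checks that a password file is not readable by group or other. The function names (find_vault_files, password_file_is_private, make_demo) and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: locate vault-encrypted files and sanity-check a password file.

# Print "path<TAB>format<TAB>cipher<TAB>vault-id" for every file under $1 whose
# first line is an Ansible Vault header:
#   $ANSIBLE_VAULT;<format>;<cipher>[;<vault id label>]
find_vault_files() {
    find "$1" -type f | sort | while IFS= read -r f; do
        header=$(head -n 1 "$f")
        case $header in
            '$ANSIBLE_VAULT;'*)
                # Split the header on ';' (the label is absent in older formats).
                IFS=';' read -r _magic format cipher label <<EOF
$header
EOF
                printf '%s\t%s\t%s\t%s\n' "$f" "$format" "$cipher" "${label:--}"
                ;;
        esac
    done
}

# Succeed only if the password file exists and grants nothing to group/other.
password_file_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ]
}

# Constructed demo tree (no real secrets); mirrors the layout in the article.
make_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/group_vars/all"
    printf '%s\n' '$ANSIBLE_VAULT;1.2;AES256;test' '3862626261' > "$demo/group_vars/all/foo.txt"
    printf '%s\n' '---' 'colour: blue' > "$demo/group_vars/all/plain.yml"
    printf '%s\n' 'constructed-password' > "$demo/group_vars/all/.vault_password.txt"
    chmod 644 "$demo/group_vars/all/.vault_password.txt"
    printf '%s\n' "$demo"
}

demo=$(make_demo)
find_vault_files "$demo/group_vars"
password_file_is_private "$demo/group_vars/all/.vault_password.txt" \
    || echo "password file is readable by group/other: chmod 600 it"
rm -rf "$demo"
```

Running find_vault_files against your own group_vars and host_vars directories shows which files will trigger the vault prompt, and the last column tells you which vault ID label each one was encrypted with.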