Let's say you use the ansible-vault create command to create a file named locker.yml that contains the following.
test_password itsasecret
prod_password hGn4!kD98A
And then you have a playbook that decrypts locker.yml, like this.
---
- hosts: localhost
  vars:
    passwords: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      66303833643731313633343266616162613965636161313534376563383639646463376630626635
      3136316663626536303061333531303234616562323637330a373633393736393863373566623261
      65643764336263613730666665663763383063386137383331386136366232666637626566653032
      3933393061666138650a656238386665343838613833643435623932306539633138376533613039
      6531
  tasks:
    - name: display the content of the 'passwords' variable
      debug:
        var: passwords
...
Something like this should be returned.
TASK [display the content of the 'passwords' variable]
ok: [localhost] => {
    "vault": "test_password itsasecret\nprod_password hGn4!kD98A"
}
However, suppose you try to split the content of the "passwords" variable, like this.
- name: display the content of the 'passwords' variable
  debug:
    msg: "{{ passwords.split() }}"
The following fatal error should be returned.
TASK [display the content of the 'passwords' variable]
fatal: [localhost]: FAILED! => {"msg": "
The task includes an option with an undefined variable.
The error was: 'ansible.parsing.yaml.objects.AnsibleVaultEncryptedUnicode object' has no attribute 'split'\n\n
The error appears to be in '/usr/local/ansible/testing.yml': line 17, column 7, but may be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:
- name: display the contents of the 'passwords' variable
^ here
This occurs because the "passwords" variable is an AnsibleVaultEncryptedUnicode object, which can be seen in the error message or with the type_debug filter, and split() cannot be called on an AnsibleVaultEncryptedUnicode object. To resolve this, the set_fact module and the string filter can be used to convert the "passwords" variable from AnsibleVaultEncryptedUnicode to AnsibleUnsafeText.
- name: convert the 'passwords' variable from AnsibleVaultEncryptedUnicode to AnsibleUnsafeText
  set_fact:
    passwords: "{{ passwords | string }}"
Now the "passwords" variable can be split.
# split on the newline so that each line of the vault content becomes one list item
- name: display the content of the 'passwords' variable
  debug:
    msg: "{{ passwords.split('\n') }}"
Now the following should be returned.
TASK [display vault.yml]
ok: [localhost] => {
    "msg": [
        "test_password itsasecret",
        "prod_password hGn4!kD98A"
    ]
}
And here is how you would create variables containing the test password and prod password.
- set_fact:
    dev_password: "{{ passwords.split('\n')[0].split(' ')[1] }}"
- set_fact:
    prod_password: "{{ passwords.split('\n')[1].split(' ')[1] }}"
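A more defensive variant of the steps above, as an added example that is not part of the original article: it converts the vaulted value once, parses every "name value" line into a dictionary instead of relying on line positions, and sets no_log so the decrypted values are not written to task output. The names passwords_text and vault_secrets are assumptions; the vaulted block is the one from the playbook above.

```yaml
---
# Added example, not from the original article.
- hosts: localhost
  gather_facts: false
  vars:
    passwords: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      66303833643731313633343266616162613965636161313534376563383639646463376630626635
      3136316663626536303061333531303234616562323637330a373633393736393863373566623261
      65643764336263613730666665663763383063386137383331386136366232666637626566653032
      3933393061666138650a656238386665343838613833643435623932306539633138376533613039
      6531
  tasks:
    # Convert AnsibleVaultEncryptedUnicode to text once; no_log hides the result.
    - name: convert the vaulted value to plain text
      set_fact:
        passwords_text: "{{ passwords | string }}"
      no_log: true

    # One loop pass per non-empty line; split on the first space only, so a
    # value that itself contains spaces is kept whole.
    - name: build a dictionary from each 'name value' line
      set_fact:
        vault_secrets: "{{ vault_secrets | default({}) | combine({ item.split(' ', 1)[0]: item.split(' ', 1)[1] | trim }) }}"
      loop: "{{ passwords_text.splitlines() | map('trim') | select | list }}"
      when: item.split(' ', 1) | length == 2
      no_log: true

    # Fail early, without printing values, if an expected entry is missing.
    - name: check that the expected entries were loaded
      assert:
        that:
          - "'test_password' in (vault_secrets | default({}))"
          - "'prod_password' in (vault_secrets | default({}))"
        quiet: true

    # Only the entry names are displayed, never the secret values.
    - name: display the names of the loaded entries
      debug:
        msg: "{{ vault_secrets.keys() | list }}"
...
```

Individual values are then referenced by name, for example vault_secrets['prod_password'], so reordering the lines in locker.yml does not change which password a task receives.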