Score:1

Ansible-vault inline encrypted string throws error


I'm having trouble with inline encrypted strings in Ansible/Ansible-vault.

I'm storing the Ansible Vault password in a file and have a local config file that declares it:

[defaults]
vault_password_file = ./my_vault_pass

As I already have a vault_password_file defined, I create my encrypted variable with the following command:

ansible-vault encrypt_string --stdin-name 'username'

When prompted, I enter the value I want encrypted and CTRL-D twice without pressing enter. I then take the output of that command and replace the variable definition with it.

My tasks/main.yml file ends up like this [redacted]:

---
- name: Clone the template
  vmware_guest:
    hostname: 1.2.3.4
    username: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          63353665383934386565306639633734366666303465306364323761323938383433643133313933
          3939356663626465303465646265653731626463386261610a306361343436613030336639303533
          64613337326332353933313931303537653833623863343435623730316266643636373831363937
          6231643937376665620a326465343239643237366465353965376532336365346631653466623038
          35636135303233623733306632333833663535646230393335303261633535353636
    password: 'my_password'
    validate_certs: False
    name: testvm_2
    template: 'template-name'
    datacenter: DC1
    folder: /Test
    state: poweredon
    wait_for_ip_address: yes

However, with the username: change being the only change, I now get an error:

PLAY [localhost] *************************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************************
ok: [localhost]

TASK [common : Clone the template] *******************************************************************************************
fatal: [localhost]: FAILED! => {"msg": "Unable to pass options to module, they must be JSON serializable: Object of type AnsibleVaultEncryptedUnicode is not JSON serializable"}

PLAY RECAP *******************************************************************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   
Score:0

I seem to have found the solution to my own question:

It doesn't seem possible in Ansible to encrypt module variables. A workaround to this is to indirect the variable to a vars.yml file using the Jinja syntax described in Tips & Tricks.

i.e.

tasks.yml

    password: '{{ vault_password }}'

And then in vars.yml (I used vars/main.yml as I'm using the Best Practices for directory layout):

vault_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          30373438353463646433363433616631616434616237636432653530353330636236666332363661
          6565323338643139623737646431333332383432613962640a636537306139646539303762646166
          61363435643137363738656235613330663131613333656538323035666261336334383138663965
          6365356130346537300a363961623261653030363433353737386666306131336631343633396262
          6565
Zeitounator
`It doesn't seem possible in Ansible to encrypt module variables` <= I would have a lot of work to do in a very short time if this was true and a lot of our old playbooks would fail. This cannot be the source of your problem, there is something you have missed. Ansible does a lot of magic when re-interpreting variables in chain like you did in your second try. I would bet this is what "fixed" the issue. Meanwhile, having encrypted vars in your inventory or separate files is actually a good practice.
MattB
@Zeitounator Interesting, I was closing my own issue with the answer after chatting on the #ansible Freenode channel. As the workaround seemed to be effective I haven't pursued this further but I'll keep it in mind, thanks.
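An added example, not from the question, answer or comments: a small Python check that lists `!vault` values written directly as module arguments in a task file (the placement that produced the error in the question) so they can be moved to a vars file and referenced with `'{{ ... }}'` as the answer describes. It is a line-based heuristic rather than a YAML parser; the function name `find_inline_vault` and both sample inputs are constructed for illustration.

```python
import re

# "key: value" or "- key: value"; ciphertext lines never match (no colon).
KEY = re.compile(r"^(\s*(?:-\s+)?)([A-Za-z_][\w.]*):(?:\s+(.*))?$")

def find_inline_vault(text):
    """Return (line_no, parent_key, arg) for !vault values nested under a module key."""
    stack = []       # (indent, key) of the enclosing mapping keys
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = KEY.match(line)
        if not m:
            continue                      # blank, '---', vault payload lines
        indent, key, value = len(m.group(1)), m.group(2), m.group(3) or ""
        while stack and stack[-1][0] >= indent:
            stack.pop()                   # leave mappings we have dedented out of
        if value.startswith("!vault"):
            parent = stack[-1][1] if stack else None
            # Top-level keys (vars files) and task-level "vars:" are variables,
            # not module arguments, so they are not reported.
            if parent is not None and parent != "vars":
                findings.append((no, parent, key))
        stack.append((indent, key))
    return findings

# Constructed sample inputs (placeholder payloads, not real ciphertext).
TASKS = """\
---
- name: Clone the template
  vmware_guest:
    hostname: 1.2.3.4
    username: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          <constructed placeholder, not real ciphertext>
    password: '{{ vault_password }}'
"""

VARS = """\
vault_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          <constructed placeholder, not real ciphertext>
"""

if __name__ == "__main__":
    for no, module, arg in find_inline_vault(TASKS):
        print(f"line {no}: '{arg}' under '{module}' is an inline !vault value; "
              f"move it to a vars file and reference it with a Jinja expression")
```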