ansible vault encrypt string

Question

I'm trying to encrypt some password but would like to encrypt just part of the string instead of the whole file. So there is a command ansible-vault encrypt_string which provide you an encrypted output however when I'm adding it to my .yaml playbook it failed to decrypt.

command used for an encrypitng simple password:

ansible-vault encrypt_string 'Test123!' --name 'ansible_password'

result:

ansible_password: !vault | $ANSIBLE_VAULT;1.1;AES256 30333733643939646130396638646138636338636162316536313236666334656338306634353434 3132326265313639623039653261336265343733383730340a663565323932636138633365386332 36363534326263326633623238653464376637646632363839313464333830363436643561626534 6338613837393539350a383962663766373466376138376666393639373631313861663866333663 6137 Encryption successful

^

formatting is a little bit clunky with long strings

So I'm trying to put this value into my playbook like this:

---
- name: Copy needed files to target machine
  hosts: prod
  vars:
          ansible_user: test_admin
          ansible_password: !vault $ANSIBLE_VAULT;1.1;AES256;303337336439396461303966386461386363386361623165363132366663346563383066343534343132326265313639623039653261336265343733383730340a663565323932636138633365386332363635343262633266336232386534643766376466323638393134643338303634366435616265346338613837393539350a3839626637663734663761383766663936393736313138616638663336636137
          ansible_connection: winrm
          ansible_winrm_transport: credssp
          ansible_winrm_server_cert_validation: ignore


  tasks:
  - name: Copy test
    win_copy:
       src: /etc/winmachines/hosts
       dest: C:\test\

Then I want to execute playbook with command:

ansible-playbook copy.yaml -i hosts.ini

result:

PLAY [Copy needed files to target machine] ********************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************************
fatal: [10.5.17.5]: FAILED! => {"msg": "Attempting to decrypt but no vault secrets found"}
        to retry, use: --limit @deleted

PLAY RECAP ****************************************************************************************************************************************
10.5.17.5                  : ok=0    changed=0    unreachable=0    failed=1

when i run playbook with parameter --ask-vault-password:

ansible-playbook copy.yaml -i hosts.ini --ask-vault-pass

PLAY [Copy needed files to target machine] ********************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************************
 [WARNING]: There was a vault format error: Vault vaulttext format error: need more than 1 value to unpack

fatal: [10.5.17.5]: FAILED! => {"msg": "Vault vaulttext format error: need more than 1 value to unpack"}
        to retry, use: --limit @deleted

PLAY RECAP ****************************************************************************************************************************************
10.5.17.5                  : ok=0    changed=0    unreachable=0    failed=1

I have tried to put the output from encrypting in various ways but every time it fails due to this problem or syntax problem.

When Put in way delivered from the output I'm getting Syntax Error like this:

ERROR! Syntax Error while loading YAML.
  could not find expected ':'

The error appears to have been in : line 8, column 11, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

          $ANSIBLE_VAULT;1.1;AES256
          34323264326266303364656561616663306566356636616238623931613032343131643839336338
          ^ here

When everything is in the same line removed "|" got this error:

TASK [Gathering Facts] ****************************************************************************************************************************
fatal: [10.5.17.5]: FAILED! => {"msg": "AES256 343232643262663033646565616166633065663566366162386239316130323431316438393363383331346231343361386432666461646639386135666335380a373862336531613034393262653432313038303432636536313139353932356637343139393938666536383061383233613136643063353761386339323562640a3963306632393865613237666364386566623938356465336363613163646338 cipher could not be found"}

Any ideas?

Answer 1

Your format is incorrect. The format given by ansible-vault encrypt_string 'Test123!' --name 'ansible_password' is what you should use.

For reference, https://github.com/ansible/ansible/blob/devel/lib/ansible/parsing/vault/init.py#L153 . The vault parser is looking for $ANSIBLE_VAULT;1.1;AES256 (or similar; the vaulttext_envelope) to be on the first line as determined by splitlines(). Removing newlines breaks this expectation.

In the output of encrypt_string, the syntax is exactly correct to paste into your playbook. The | (pipe character) has a special meaning in yaml. It is a multi-line block that preserves newlines. It should be the last character on that line. Keep consistent indentation when using multi-line blocks. Because the remainder is joined on https://github.com/ansible/ansible/blob/devel/lib/ansible/parsing/vault/init.py#L165, you do not need to preserve new lines in the cyphertext itself.

That means any of the following should work:

ansible_password: !vault |
    $ANSIBLE_VAULT;1.1;AES256
    30333733643939646130396638646138636338636162316536313236666334656338306634353434
    3132326265313639623039653261336265343733383730340a663565323932636138633365386332
    36363534326263326633623238653464376637646632363839313464333830363436643561626534
    6338613837393539350a383962663766373466376138376666393639373631313861663866333663
    6137

ansible_password: !vault |
    $ANSIBLE_VAULT;1.1;AES256
    303337336439396461303966386461386363386361623165363132366663346563383066343534343132326265313639623039653261336265343733383730340a663565323932636138633365386332363635343262633266336232386534643766376466323638393134643338303634366435616265346338613837393539350a3839626637663734663761383766663936393736313138616638663336636137

ansible_password: !vault "$ANSIBLE_VAULT;1.1;AES256\r\n303337336439396461303966386461386363386361623165363132366663346563383066343534343132326265313639623039653261336265343733383730340a663565323932636138633365386332363635343262633266336232386534643766376466323638393134643338303634366435616265346338613837393539350a3839626637663734663761383766663936393736313138616638663336636137"

note in the last example, I used no pipe and \r\n to be a newline.

Also reference: https://yaml-multiline.info/

Adding full example for clarity:

---
- name: Copy needed files to target machine
  hosts: prod
  vars:
    ansible_user: test_admin
    ansible_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256;
      30333733643939646130396638646138636338636162316536313236666334656338306634353434
      30333733643939646130396638646138636338636162316536313236666334656338306634353434
      3132326265313639623039653261336265343733383730340a663565323932636138633365386332
      36363534326263326633623238653464376637646632363839313464333830363436643561626534
      6338613837393539350a383962663766373466376138376666393639373631313861663866333663
      6137
    
    ## Notice indentation above
    ## the block started with | will end when indentation changes.
    ansible_connection: winrm
    ansible_winrm_transport: credssp
    ansible_winrm_server_cert_validation: ignore

As an aside, pick tabs OR spaces but don't use both. I recommend spaces generally, but doubly so for python and yaml. If your editor/ide doesn't do syntax highlighting, you should switch to one that does. And get some kind of yaml linter. yamllint.com will work in the short run, but long run, you should get something automatic and built into your editor.