UPDATED:
I have organized my configs into a role-based directory structure. Some of those roles have default variable files that have encrypted text. Here's a simplified and tested task list that fails:
---
- name: 'Include some additional variables'
  include_vars:
    dir: "{{playbook_dir}}/roles/foo/defaults/vars"
  tags: 'debug'

- name: 'Debug: display the variables'
  debug:
    msg: "{{item}}"
  with_items:
    - "{{encrypted_text_from_yml_file}}"
  tags: 'debug'

- name: 'Deploy Foo plugins'
  block:
    - name: 'Transfer the folder to the application directory'
      synchronize:
        src: 'some_src_folder'
        dest: "{{some_unencrypted_text_from_another_yml_file}}"
        archive: false
        recursive: true
  tags: 'debug'
I'm seeing the following error, however, when executing my playbook:
TASK [<some_app> : Transfer the <some_folder> folder to the application directory] **********************************************************************************
fatal: [<some_hostname>]: FAILED! => {"failed": true, "msg": "Decryption failed (no vault secrets would found that could decrypt)"}
My credentials are being retrieved from a password file.
I tossed a debug task right after the variable include and all my variables that were encrypted displayed. The weird thing is the block of tasks where the exception is occurring is using a synchronize module. No variables from the vault are even being used...
Any idea how to troubleshoot this? I increased the verbosity up to -vvvv and didn't see anything obvious.
Using: ansible 2.4.0.0
I figured out the issue. I accidentally truncated an encrypted string in group_vars/all. Using -vvvvv (note the 5th v) actually helped reveal an HMAC issue.
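A structural check for the truncation case described in the answer above, added here as an example (it is not the poster's code and not part of Ansible): it validates the vault envelope without needing the password, so a cut-off !vault string in group_vars/all can be flagged before a run. The header prefix, the 32-byte salt and HMAC lengths, and the sample bytes are assumptions based on the vault 1.1 payload layout.

```python
import binascii
from typing import Optional

# Envelope layout of an Ansible Vault 1.1 payload (as used under the !vault tag):
#   $ANSIBLE_VAULT;1.1;AES256
#   <hex of "salt_hex\nhmac_hex\nciphertext_hex">, wrapped at 80 columns
HEADER_PREFIX = "$ANSIBLE_VAULT;"

def vault_blob_problem(text: str) -> Optional[str]:
    """Return None if the blob is structurally intact, else a short reason.

    Only the envelope is inspected (no password needed). That is enough to catch
    the truncation case: a cut-off blob loses hex digits, so the HMAC or the
    ciphertext field no longer has the length the format requires.
    """
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    if not lines or not lines[0].startswith(HEADER_PREFIX):
        return "missing $ANSIBLE_VAULT header"
    fields = lines[0].split(";")
    if len(fields) < 3 or fields[1] not in ("1.1", "1.2") or fields[2] != "AES256":
        return "unsupported vault header: %s" % lines[0]
    try:
        inner = binascii.unhexlify("".join(lines[1:]))
    except binascii.Error as e:          # odd length or non-hex characters
        return "outer hex layer is damaged (%s)" % e
    parts = inner.split(b"\n")
    if len(parts) != 3:
        return "expected salt/hmac/ciphertext, found %d field(s)" % len(parts)
    try:
        salt, mac, ct = (binascii.unhexlify(p) for p in parts)
    except binascii.Error as e:
        return "inner hex layer is damaged (%s)" % e
    if len(salt) != 32 or len(mac) != 32:  # os.urandom(32) salt, HMAC-SHA256 tag
        return "salt/hmac length wrong (%d/%d bytes)" % (len(salt), len(mac))
    if len(ct) == 0 or len(ct) % 16:       # PKCS7-padded AES blocks
        return "ciphertext length %d is not a multiple of the AES block size" % len(ct)
    return None

def make_sample_blob(salt: bytes, mac: bytes, ciphertext: bytes) -> str:
    """Build a blob with the real envelope from constructed, non-secret bytes."""
    inner = b"\n".join(binascii.hexlify(x) for x in (salt, mac, ciphertext))
    outer = binascii.hexlify(inner).decode()
    body = "\n".join(outer[i:i + 80] for i in range(0, len(outer), 80))
    return "$ANSIBLE_VAULT;1.1;AES256\n" + body

# Constructed demo bytes (not a real secret): 32-byte salt, 32-byte HMAC, two AES blocks.
GOOD_BLOB = make_sample_blob(b"\x01" * 32, b"\x02" * 32, b"\x03" * 32)
TRUNCATED_BLOB = GOOD_BLOB[:-8]  # what an accidental cut at the end of the string looks like
```

Run the check over every !vault block extracted from group_vars before the playbook; a non-None result points at the damaged string, which the "Decryption failed" message alone does not.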
In my case the error was caused by special characters. The decryption worked on my dev machine (Arch Linux) but failed when running on my CI machine (GitLab). I had injected the password as a secret variable, but as the password contained a $, apparently the decryption did not work.
After changing the password by removing all special characters and re-keying the vault and encrypted strings with the new password, the problem was gone and the CI could successfully decrypt the vault.