Ansible Called by Vagrant Does Not Ask for Vault Password

Summary

I have a Vagrantfile provisioning a virtual machine with Ansible. The Ansible playbook contains an Ansible Vault variable. My problem is that Vagrant provisioning does not ask for a password, although I am passing the option to do so.

Minimal, complete example

Vagrantfile:

    Vagrant.configure(2) do |config|
      config.vm.provider "virtualbox" do |vb|
        # Build a master VM for this box and clone it for individual VMs
        vb.linked_clone = true
      end

      config.vm.box = "bento/ubuntu-16.04"
      config.vm.hostname = "test-vm"

      config.vm.provision :ansible do |ansible|
        ansible.verbose = true
        ansible.playbook = "playbook.yml"
        ansible.ask_vault_pass = true
        # ansible.raw_arguments = --ask-vault-pass
        # ansible.raw_arguments = ["--vault-id", "@prompt"]
        # ansible.raw_arguments = ["--vault-id", "dev@prompt"]
      end
    end

playbook.yml:

    ---
    - name: Test
      hosts: all
      vars:
        foo: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          65306264626234353434613262613835353463346435343735396138336362643535656233393466
          6331393337353837653239616331373463313665396431390a313338333735346237363435323066
          66323435333331616639366536376639626636373038663233623861653363326431353764623665
          3663636162366437650a383435666537626564393866643461393739393434346439346530336364
          3639
      tasks:
        - name: print foo value
          debug:
            msg: "foo -> {{ foo }}"

The Ansible Vault password is abc.

When I call vagrant up the first time I run the Vagrantfile, or later vagrant provision, I do not receive the expected password prompt. Instead, the print foo value task prints a (red) message:

 fatal: [default]: FAILED! => {"msg": "Attempting to decrypt but no vault secrets found"} 

I also tried the commented-out alternatives in the Vagrantfile to make Ansible ask for a password. I can see all of them in the ansible-playbook call printed by Vagrant.

In addition, I tried several options when encrypting foo using ansible-vault encrypt_string, which also did not help.

What can be done to get Ansible to request a password when called with Vagrant?

Version

  • kubuntu 16.04
  • Vagrant 1.8.1 and Vagrant 2.0.0
  • Ansible 2.4.0.0

Update

This is the Ansible call printed by Vagrant:

 PYTHONUNBUFFERED=1 ANSIBLE_FORCE_COLOR=true ANSIBLE_HOST_KEY_CHECKING=false ANSIBLE_SSH_ARGS='-o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes -o ControlMaster=auto -o ControlPersist=60s' ansible-playbook --connection=ssh --timeout=30 --ask-vault-pass --limit="default" --inventory-file=/opt/vagrantVM/.vagrant/provisioners/ansible/inventory -v playbook.yml 

If I run this directly without Vagrant, the password prompt works as expected! So it must be Vagrant that somehow suppresses the prompt.

+5
1 answer

In Ansible 2.4.0.0, the vault password prompt (i.e. --ask-vault-pass) is skipped when there is no tty (no call to the getpass.getpass function).

With Ansible 2.4.0.0 prompts, the Vagrant provisioner integration does not receive an interactive prompt.

Please note that the implementation of --ask-pass and --ask-become-pass has not changed (i.e. there is no mechanism to skip the getpass function) and still works fine with Vagrant.

I plan to report the problem upstream to the Ansible project, but for now you can resolve the situation by downgrading to Ansible 2.3 (or by using the vault_password_file provisioner option).


+6
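
The vault_password_file workaround from the answer, as an added example (not code from the original post, Ansible or Vagrant): Ansible runs a vault password file that is executable and uses its stdout as the password, so the script below can supply the secret without a prompt and fail loudly when there is neither a value nor a terminal. The environment variable name ANSIBLE_VAULT_PASSWORD and the helper names are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Executable vault password file: Ansible runs it and reads the password from stdout."""
import getpass
import os
import sys

ENV_VAR = "ANSIBLE_VAULT_PASSWORD"  # hypothetical variable name, chosen for this example


def tty_available(path="/dev/tty"):
    """True if a controlling terminal can be opened, even when stdin/stdout are pipes."""
    try:
        fd = os.open(path, os.O_RDWR | os.O_NOCTTY)
    except OSError:
        return False
    os.close(fd)
    return True


def get_vault_password(environ=None, has_tty=None, prompt=getpass.getpass):
    """Return the vault password from the environment, else prompt; never return ''."""
    environ = os.environ if environ is None else environ
    password = environ.get(ENV_VAR, "")
    if not password:
        if not (tty_available() if has_tty is None else has_tty):
            # The failure mode on this page: no terminal, so no prompt is possible.
            raise RuntimeError("no tty and %s is unset; cannot obtain vault password" % ENV_VAR)
        password = prompt("Vault password: ")
    if not password.strip():
        raise RuntimeError("empty vault password refused")
    return password


def main():
    try:
        password = get_vault_password()
    except RuntimeError as exc:
        sys.stderr.write("vault-pass: %s\n" % exc)
        return 1
    sys.stdout.write(password + "\n")  # stdout is what Ansible consumes
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Saved under a name of your choice, made executable and kept out of version control, the script is referenced from the Vagrantfile through ansible.vault_password_file; no plaintext password file is needed on disk.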

Source: https://habr.com/ru/post/1272166/

