Ansible Vault Error: Fix 'Attempting to Decrypt but No Vault Secrets Found'

Today we're going to talk about Ansible troubleshooting, specifically about the attempt to decrypt but no vault secrets found error. I'm Luca Berton and welcome to today's episode of Ansible Pilot

Link

• https://docs.ansible.com/ansible/latest/user_guide/vault.html

See also: Ansible no_log: Hide Sensitive Data in Playbook Output (Guide)

Playbook

Live Playbook of Ansible Vault in Playbook problem and fix the error:

Attempting to decrypt but no vault secrets found.

The best way of talking about Ansible troubleshooting is to jump in a live Playbook to show you practically the connection failed error and how to solve it!

Every time we would like to use Ansible Vault to store our sensitive information (passwords, access keys, configuration, etc/) encrypted, we need to specify a password for the decryption of the file. The screen error simply reminds us that the password is incorrect or not specified. The solution is relatively easy once you understand the underlying Ansible Vault concept.

code

• playbook_with_vault.yml

---
- name: Playbook with Vault
  hosts: all
  tasks:
    - name: include vault
      ansible.builtin.include_vars:
        file: mypassword.yml
- name: print variable
      ansible.builtin.debug:
        var: mypassword

• mypassword.yml

$ANSIBLE_VAULT;1.1;AES256
64306633373430303333623136363833633539376531666131646564633830383330353264633566
3431393662373037663037623533386463306531313435360a643062643065363638353561613738
32343439356138656363333930336636646566376533356131323830663161393533383566316138
3232356363663335610a343233626230373138626263313335623037333963336662323630363562
66396432653737333031643762353130623962323934663566336637653161386563393638333566
6434326465393363363939336433316566353265626364336265

error execution

$ ansible-playbook -i inventory playbook_with_vault.yml
PLAY [Playbook with Vault] **************************************************************
TASK [Gathering Facts] ******************************************************************
ok: [localhost]
TASK [include vault] ********************************************************************
fatal: [localhost]: FAILED! => {"ansible_facts": {}, "ansible_included_var_files": [], "changed": false, "message": "Attempting to decrypt but no vault secrets found"}
PLAY RECAP ******************************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

See also: Ansible troubleshooting - Unhandled exception while executing module win_user

fix execution

We need to specify the --ask-vault-password or --vault-password-file option of the ansible-playbook tool when using Ansible Vault file.

$ ansible-playbook -i inventory --ask-vault-password playbook_with_vault.yml
Vault password:
PLAY [Playbook with Vault] **************************************************************
TASK [Gathering Facts] ******************************************************************
ok: [localhost]
TASK [include vault] ********************************************************************
ok: [localhost]
TASK [print variable] *******************************************************************
ok: [localhost] => {
    "mypassword": "mysupersecretpassword"
}
PLAY RECAP ******************************************************************************
localhost                  : ok=3    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Conclusion

Now you know better how to troubleshoot the Ansible error: attempting to decrypt but no vault secrets found.

See also: Ansible Missing Sudo Password: Fix Passwordless SSH & Sudo Errors

Fix Options

Interactive password

ansible-playbook site.yml --ask-vault-pass

Password file

echo 'MyVaultPass' > ~/.vault_pass.txt
chmod 600 ~/.vault_pass.txt
ansible-playbook site.yml --vault-password-file ~/.vault_pass.txt

Set in ansible.cfg

[defaults]
vault_password_file = ~/.vault_pass.txt

Environment variable

export ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass.txt
ansible-playbook site.yml

Script (password manager integration)

#!/bin/bash
# ~/.vault_pass.sh
pass show ansible/vault-password

chmod +x ~/.vault_pass.sh
ansible-playbook site.yml --vault-password-file ~/.vault_pass.sh

Multiple Vault IDs

ansible-vault encrypt --vault-id prod@prompt secrets/prod.yml
ansible-vault encrypt --vault-id dev@prompt secrets/dev.yml
ansible-playbook site.yml \
  --vault-id prod@~/.vault_pass_prod.txt \
  --vault-id dev@~/.vault_pass_dev.txt

CI/CD Integration

# GitHub Actions
- name: Run Ansible
  run: |
    echo "${{ secrets.VAULT_PASSWORD }}" > .vault_pass
    ansible-playbook site.yml --vault-password-file .vault_pass
    rm .vault_pass

Common Vault Commands

# Encrypt a file
ansible-vault encrypt secrets.yml
# View encrypted file
ansible-vault view secrets.yml --ask-vault-pass
# Edit encrypted file
ansible-vault edit secrets.yml --ask-vault-pass
# Decrypt permanently
ansible-vault decrypt secrets.yml --ask-vault-pass
# Change password
ansible-vault rekey secrets.yml --ask-vault-pass
# Encrypt a string
ansible-vault encrypt_string 'SuperSecret' --name 'db_password'

FAQ

How do I check if a file is encrypted?

head -1 secrets.yml
# Output: $ANSIBLE_VAULT;1.1;AES256

I forgot the password - can I recover?

No. Ansible Vault uses AES-256. Without the password, data is unrecoverable. Always store vault passwords in a password manager.

Related Articles

• vault password files in Ansible • inventory configuration in Ansible