Errors using ansible-pull with encrypted variables

Hi there,

I’m trying to follow through Jay’s tutorial video on Ansible Pull, but unfortunately I’m running into an error when I try to run my very simple playbook. This is what the playbook looks like:

---
- hosts: localhost
  connection: local
  become: True

  vars_files:
    - ./vault.yml

  vars:
    default_username: "{{ vault_default_username }}"

  pre_tasks:
    - name: Update package cache
      ansible.builtin.apt:
        update_cache: True
      changed_when: False
      when: ansible_facts.os_family == 'Debian'

  tasks:
    - name: Print Ansible facts
      ansible.builtin.debug:
        var: ansible_facts

The vault.yml file is encrypted using ansible-vault and it sits right next to the local.yml file, which is the playbook. When I run this from the node, currently a virtual machine running Debian, I see the following error:

ERROR! Attempting to decrypt but not vault secrets found

Without any variables it runs without any problems, and in fact it also runs fine when I run this playbook locally using ansible-playbook instead of ansible-pull.
One curious thing is that I’m passing the flag --ask-vault-password and -K to become root, however I’m only asked to provide the become password, not the vault password.

So, how can I use encrypted variables with ansible pull?

Thanks!

Have you tried with:

ansible-pull --vault-password-file=/secure/path/to/file/with/password …

For me, no other method works, since ansible-pull on my end is run without user interaction so getting rid of prompts is key.

Hi Jay, and thank you for the help.

Unfortunately this didn’t work either. I tried using the = syntax like you suggested, as well as leaving a space as shown in the ansible-pull --help prompt. I’ve also tried to include an ansible.cfg with the path to this file, and even setting up an environment variable as shown in the documentation.

It really looks like ansible-pull just doesn’t work with vault files at all? I mean, I can run this playbook without issues if I use ansible-playbook instead, using the exact same playbook that is downloaded by ansible-pull and stored at ~/.ansible/pull/…

Personally, I use ansible-pull exclusively, and I use the vault extensively. I can guarantee that this combination works 100%. However, I’m not sure why it’s not working for you - the only thing I can think of is that there must be another factor not represented in your post. I’m not sure what that might be, but it should definitely work.

If it helps, this is the actual ansible-pull command that all of my servers run, with the private repository/key and the actual vault path redacted:

/usr/bin/ansible-pull --vault-password-file=/etc/ansible/vault_key -U https://<redacted-user>:<redacted-password>@gitlab.com/gitlabusername/gitlab-repository.git

In that example, the Gitlab repository is private, so a user and key are required to view it - that’s the only reason I have that. You shouldn’t need that unless you are also using a private repo. But the rest of the command should be applicable to you.

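An added example, not from this thread or from Jay’s repository, that checks the vault password file before handing it to ansible-pull. It covers the absolute-path point in the command above and the relative-path mistake that turns out to be the cause later in the thread: ansible-pull changes into the checked-out repository before running the playbook, so a relative path resolves against the clone rather than the directory you launched from. The vault path and repository URL in the usage line are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Validate the vault password file that
# ansible-pull will read: it must be an absolute path (ansible-pull chdirs into
# the checkout before running the playbook), a non-empty regular file, and not
# readable by group or others, since it holds the vault password in clear text.

# Return 0 if the file is usable and private; print the reason and return 1 otherwise.
check_vault_password_file() {
    f="$1"
    case "$f" in
        /*) ;;
        *)  echo "not an absolute path: $f"; return 1 ;;
    esac
    [ -f "$f" ] || { echo "not a regular file: $f"; return 1; }
    [ -s "$f" ] || { echo "file is empty: $f"; return 1; }
    # GNU stat first, BSD/macOS stat as fallback; expect 600 or 400.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) ;;
        *)  echo "permissions too open ($mode), expected 600 or 400: $f"; return 1 ;;
    esac
    return 0
}

# Print the ansible-pull invocation with the same flags as the command above,
# refusing to build it when the vault file check fails.
build_pull_cmd() {
    vault_file="$1"
    repo_url="$2"
    check_vault_password_file "$vault_file" >/dev/null || return 1
    printf '%s\n' "/usr/bin/ansible-pull --vault-password-file=$vault_file -U $repo_url"
}

# Usage with assumed placeholder values:
#   build_pull_cmd /etc/ansible/vault_key https://example.invalid/user/repo.git
```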

It didn’t occur to me that I needed to use a full path to the vault file and was specifying it relative to the downloaded playbook… OK, so this finally did the trick, thanks a lot Jay!

Although I’m still wondering what was going on and why it didn’t prompt me for a password when I provided the option to do that… In any case, thanks again for the help; I think this will allow me to focus on getting stuff done, which is what matters. Cheers!

Glad it helped! I’m in the process of updating my internal Ansible solution so I can make it fully public, and I think what I’ll do is create a public read-only mirror for people to browse around in. I have no idea when I’ll have this done though. I’m sure when I do that, it’ll answer a lot of people’s questions.


That would be incredibly helpful! I’ve already skimmed through your ansible playbook for desktop and workstations and gotten some really good ideas from it, though it’s considerably more complex than what I’m trying to go for just yet :smiley:

Thanks again for all the help!