Tags: ansible, ansible-vault

Ansible multipassword passfile does not decrypt correctly


I have the following playbook:

---
- hosts: all
  vars_files:
    - files/test1/.env
    - files/test2/.env
    - files/test3/.env
  roles:
    - role: test1
    - role: test2
    - role: test3

All those .env files are encrypted using different password using ansible-vault. To decrypt them when copied to the remote host, I want to provide the passwords using a passfile. For that, I have a .passfile with the following content:

pass1
pass2
pass3

Each of those passwords is ordered in a way that matches the order of vars_files in the playbook. When I want to check that decryption happens properly I run ansible-vault view files/test1/.env --vault-pass-file .passfile but I get the following error: ERROR! Decryption failed (no vault secrets were found that could decrypt) on files/test1/.env for files/test1/.env

When I remove passwords pass2 and pass3 from .passfile, then the exact same command works and I can view the contents of the file. The same happens when I execute the playbook. If there's only one password in the .passfile, it fails saying that it cannot decrypt files/test2/.env, but when I add pass2 to the .passfile then it fails saying it could not decrypt files/test1/.env.

How can I make Ansible decrypt all those files that have been encrypted using different passwords by just using one passfile? Thanks in advance.

P.S.: the passfile was created with vim, ensuring there are no extra lines, whitespace etc. The passwords do contain special characters, though.


Solution

  • You need to use vault-ids

    1. Separate your passwords in different files for different vault ids, e.g.

      • .myid1.passfile
        pass1
        
      • .myid2.passfile
        pass2
        
      • .myid3.passfile
        pass3
        
    2. Reference the vault ids to be used in your configuration.

      Here I'm using an environment variable, but you can pass this information directly on each command line. Check the documentation.

      export ANSIBLE_VAULT_IDENTITY_LIST="myid1@/path/to/.myid1.passfile,\
      myid2@/path/to/.myid2.passfile,\
      myid3@/path/to/.myid3.passfile"
      
    3. Encrypt your files using the given correct id (decrypt the already encrypted file prior to this).

      Note: this step is optional, but decryption will be slower, as Ansible will have to try each password in order to find a matching one if it does not know the id. See the above doc.

      ansible-vault encrypt --encrypt-vault-id myid1 files/test1/.env
      ansible-vault encrypt --encrypt-vault-id myid2 files/test2/.env
      ansible-vault encrypt --encrypt-vault-id myid3 files/test3/.env
      
    4. Now use whatever file, in whatever order, with whatever playbook. They will be decrypted on the fly using your configured vault ids. You can add as many vault ids as you want in your configuration.
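The procedure above works because a labelled vault file records its vault id in its first line (format 1.2: `$ANSIBLE_VAULT;1.2;AES256;<label>`), whereas a file encrypted without a label carries the 1.1 header and forces Ansible to try every configured secret; a plain password file, by contrast, is read as a single secret, so several lines in one file never become several passwords. The following script is an added example, not code from the answer or from Ansible itself: it parses an ANSIBLE_VAULT_IDENTITY_LIST value and the header of each vault file, and reports which files are covered by a configured id, which are unlabelled (slow, every secret tried), which reference an id that is not configured (these will fail with the "no vault secrets" error), and which are not encrypted at all (a secret committed in clear). The file contents and identity list below are constructed sample data; the function names are this example's own.

```python
"""Audit vault-id coverage of encrypted files (added example, not Ansible code).

Relies only on the documented vault header formats:
  "$ANSIBLE_VAULT;1.1;AES256"          no vault-id label
  "$ANSIBLE_VAULT;1.2;AES256;<label>"  labelled with a vault id
"""
import os
from typing import Dict, Iterable, Optional, Tuple

VAULT_MAGIC = "$ANSIBLE_VAULT"
DEFAULT_VAULT_ID = "default"  # label Ansible uses for an entry given without "label@"


def parse_identity_list(value: str) -> Dict[str, str]:
    """Turn "myid1@/p/.myid1.passfile,myid2@/p/.myid2.passfile" into {label: source}.

    An entry without "@" is a bare password file and gets the 'default' label.
    """
    ids: Dict[str, str] = {}
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        label, sep, source = entry.partition("@")
        if not sep:
            label, source = DEFAULT_VAULT_ID, label
        ids[label] = source
    return ids


def parse_vault_header(text: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Return (format_version, cipher, label) from a vault file's first line,
    or None when the text does not start with the vault envelope."""
    first = text.lstrip().split("\n", 1)[0].strip()
    parts = [p.strip() for p in first.split(";")]
    if len(parts) < 3 or parts[0] != VAULT_MAGIC:
        return None
    version, cipher = parts[1], parts[2]
    label = parts[3] if len(parts) > 3 and parts[3] else None
    return version, cipher, label


def audit(files: Dict[str, str], identity_list: str) -> Dict[str, str]:
    """Classify each {path: content} against the configured identity list.

    'ok'         header label is present in the identity list
    'unlabelled' 1.1 header: Ansible must try every configured secret
    'missing-id' header label is not configured: decryption will fail
    'plaintext'  no vault envelope at all: the secret is stored in clear
    """
    ids = parse_identity_list(identity_list)
    report: Dict[str, str] = {}
    for path, content in files.items():
        header = parse_vault_header(content)
        if header is None:
            report[path] = "plaintext"
            continue
        _version, _cipher, label = header
        if label is None:
            report[path] = "unlabelled"
        elif label in ids:
            report[path] = "ok"
        else:
            report[path] = "missing-id"
    return report


def audit_paths(paths: Iterable[str], identity_list: str) -> Dict[str, str]:
    """Same as audit(), but reads the files from disk."""
    files = {}
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            files[path] = fh.read()
    return audit(files, identity_list)


# Constructed sample data: the hex payload after the header line is replaced by
# a placeholder, since only the first line matters for this check.
SAMPLE_FILES = {
    "files/test1/.env": "$ANSIBLE_VAULT;1.2;AES256;myid1\n3030...\n",
    "files/test2/.env": "$ANSIBLE_VAULT;1.2;AES256;myid2\n3030...\n",
    "files/test3/.env": "$ANSIBLE_VAULT;1.1;AES256\n3030...\n",
    "files/test4/.env": "$ANSIBLE_VAULT;1.2;AES256;myid9\n3030...\n",
    "files/plain/.env": "DB_PASSWORD=example-not-a-real-secret\n",
}
SAMPLE_IDENTITY_LIST = (
    "myid1@/path/to/.myid1.passfile,"
    "myid2@/path/to/.myid2.passfile,"
    "myid3@/path/to/.myid3.passfile"
)

if __name__ == "__main__":
    # Prefer the real environment variable when it is set, otherwise use the sample.
    identity_list = os.environ.get("ANSIBLE_VAULT_IDENTITY_LIST", SAMPLE_IDENTITY_LIST)
    for path, status in audit(SAMPLE_FILES, identity_list).items():
        print(f"{path}: {status}")
```

Run it as-is to see the classification of the sample headers, or call `audit_paths([...], os.environ["ANSIBLE_VAULT_IDENTITY_LIST"])` against a real vars_files list to spot a vault id that was never added to the configuration before the playbook fails at runtime.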