Tags: ansible, ansible-vault, ansible-lint

ask_vault_pass = true in ansible.cfg breaks ansible-lint


In my ansible playbook repository I have a few vault-encrypted group variable files, and an ansible.cfg with the following contents:

[defaults]
ask_vault_pass = true

This appears to break ansible-lint:

[Mon Mar 11 12:43 PM] sam @ REDACTED:~/dev/redacted $ ansible-lint
Vault password: Vault password: Vault password: Vault password: Vault password:

I do not want to supply the vault password to ansible-lint. If I take ask_vault_pass out of ansible.cfg, ansible-lint works as anticipated. However, pretty much every play we run requires the vault password, so setting ask_vault_pass=true is greatly desired.

Is there a way to get ansible-lint to ignore settings in ansible.cfg? Or even better, set ask_vault_pass = false explicitly for ansible-lint?

I am using:

ansible                   9.3.0
ansible-compat            4.1.11
ansible-core              2.16.4
ansible-lint              24.2.0

Solution

  • I wasn't able to reproduce your problem with the versions of the packages you've listed. Probably, there are some other factors such as Python version or OS.

    From ansible-lint documentation:

    As ansible-lint executes ansible, it also needs access to encrypted secrets. If you do not give access to them or you are concerned about security implications, you should consider refactoring your code to allow it to be linted without access to real secrets:

    • Configure dummy fallback values that are used during linting, so Ansible will not complain about undefined variables.
    • Exclude the problematic files from the linting process.

    ...

    Internally ansible-lint runs ansible-playbook --syntax-check on each playbook and also on roles. ...

    That means that Ansible checks ansible.cfg and asks for the vault password, not ansible-lint.

    This leads us to the fact that configuration settings set via environment variables have higher priority than the ones set via ansible.cfg. So, you can simply use ANSIBLE_ASK_VAULT_PASS:

    ANSIBLE_ASK_VAULT_PASS=false ansible-lint
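The following is an added example, not code from the question or the answer above: a small Python resolver that mirrors how ansible-core picks the effective value of ask_vault_pass, so the reason the ANSIBLE_ASK_VAULT_PASS override wins over ansible.cfg is visible end to end. The precedence (environment variable over ini file over built-in default) and the ansible.cfg search order (ANSIBLE_CONFIG, ./ansible.cfg, ~/.ansible.cfg, /etc/ansible/ansible.cfg) are Ansible's documented ones, and the accepted boolean spellings are those of Ansible's own boolean() helper. It assumes a private checkout and therefore omits the world-writable-directory check Ansible applies before trusting ./ansible.cfg; the repository it builds is constructed in a temporary directory for the demonstration.

```python
# Added example: resolves ask_vault_pass the way ansible-core does (env > ini > default),
# to show why ANSIBLE_ASK_VAULT_PASS=false silences the prompt that ansible.cfg turns on.
# Assumption: the world-writable-cwd check Ansible performs on ./ansible.cfg is skipped.
import configparser
import os
import tempfile
from pathlib import Path

SYSTEM_CFG = "/etc/ansible/ansible.cfg"
# Spellings accepted by ansible.module_utils.parsing.convert_bool.boolean()
TRUE_WORDS = {"y", "yes", "on", "1", "true", "t"}
FALSE_WORDS = {"n", "no", "off", "0", "false", "f"}


def to_bool(value) -> bool:
    """Coerce a setting the way Ansible does; anything else is a config error."""
    word = str(value).strip().lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    raise ValueError(f"{value!r} is not a valid boolean for an Ansible setting")


def find_ansible_cfg(env, cwd, home, system_cfg=SYSTEM_CFG):
    """First existing file in Ansible's search order:
    ANSIBLE_CONFIG, ./ansible.cfg, ~/.ansible.cfg, /etc/ansible/ansible.cfg."""
    candidates = []
    if env.get("ANSIBLE_CONFIG"):
        explicit = Path(env["ANSIBLE_CONFIG"])
        # ANSIBLE_CONFIG may name a directory; Ansible then looks for ansible.cfg inside it
        candidates.append(explicit / "ansible.cfg" if explicit.is_dir() else explicit)
    candidates += [Path(cwd) / "ansible.cfg", Path(home) / ".ansible.cfg", Path(system_cfg)]
    for path in candidates:
        if path.is_file():
            return path
    return None


def effective_ask_vault_pass(env, cwd, home, system_cfg=SYSTEM_CFG):
    """Return (value, source). Environment beats the ini file, which beats the default."""
    if "ANSIBLE_ASK_VAULT_PASS" in env:
        return to_bool(env["ANSIBLE_ASK_VAULT_PASS"]), "env:ANSIBLE_ASK_VAULT_PASS"
    cfg = find_ansible_cfg(env, cwd, home, system_cfg)
    if cfg is not None:
        parser = configparser.ConfigParser(interpolation=None)
        parser.read(cfg)
        if parser.has_option("defaults", "ask_vault_pass"):
            return to_bool(parser.get("defaults", "ask_vault_pass")), f"ini:{cfg}"
    return False, "default"


def demo():
    """Constructed repo whose ansible.cfg sets ask_vault_pass = true, as in the question.
    Returns what a plain run and an overridden run of ansible-lint would resolve to."""
    repo = tempfile.mkdtemp(prefix="repo-")
    home = tempfile.mkdtemp(prefix="home-")
    Path(repo, "ansible.cfg").write_text("[defaults]\nask_vault_pass = true\n")
    # Point the system-wide path at a nonexistent file so the host's real config stays out
    no_system_cfg = os.path.join(repo, "no-such-system.cfg")
    plain = effective_ask_vault_pass({}, repo, home, no_system_cfg)
    overridden = effective_ask_vault_pass({"ANSIBLE_ASK_VAULT_PASS": "false"}, repo, home, no_system_cfg)
    return {"ansible-lint": plain, "ANSIBLE_ASK_VAULT_PASS=false ansible-lint": overridden}


if __name__ == "__main__":
    for command, (value, source) in demo().items():
        print(f"{command:45} ask_vault_pass={value} (from {source})")
```

Run the file and the plain invocation resolves to true from the repository's ansible.cfg, while the prefixed one resolves to false from the environment, which is exactly the split ansible-playbook --syntax-check sees when ansible-lint launches it. Because the override is an environment variable rather than an edit to ansible.cfg, the interactive prompt stays on for every real play.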