ansible-runner

--vault-password-file vault-password-client.py doesn't work as expected

Open SquirrelCorporation opened this issue 10 months ago • 1 comments

Hi!

I am encountering a problem with using the python interface and providing a cmdline --vault-password-file vault-password-client.py. It doesn't work as expected; I got an HMAC error during decryption. However, giving the cmdline a plain text file with the password works: --vault-password-file pass.txt

The python script is

from sys import exit, stderr, stdout

def main():
  stdout.write("test")


if __name__ == "__main__":
    main()

CMD line: --vault-password-file vault-password-client.py

Output of runner:

TASK [Gathering Facts] *********************************************************
task path: /server/src/ansible/_ping.yml:1
Found a vault_id (default) in the vaulttext
We have a secret associated with vault id (default), will try to use to decrypt None
Trying to use vault secret=(FileVaultSecret(filename='/server/src/ansible/vault-password-client.py')) id=default to decrypt None
Trying secret FileVaultSecret(filename='/server/src/ansible/vault-password-client.py') for vault_id=default
Tried to use the vault secret (default) to decrypt (None) but it failed. Error: HMAC verification failed: Signature did not match digest.
fatal: [192.168.0.229]: FAILED! => {
    "msg": "Decryption failed (no vault secrets were found that could decrypt)"
}

By modifying the python script, as far as I can tell, the file is not executed at all.

SquirrelCorporation avatar Mar 29 '24 16:03 SquirrelCorporation

Try adding #!/usr/bin/python or #!/usr/bin/python3 as the first line; the execute bit (chmod +x) should also be set on the Python file.

valq7711 avatar Apr 15 '24 20:04 valq7711

This is an error from ansible itself, not ansible-runner. Your first step would be to attempt to eliminate ansible-runner from the equation and come up with a simple reproducer using only the ansible-playbook command.

I have seen some issues where not having the executable bit set on the file was the culprit. If that is not the solution, then I suggest opening an issue under the ansible/ansible repo. You will need to provide the version of ansible you are using (I do not see it mentioned here) and, hopefully, your reproducer.

Shrews avatar Jun 17 '24 19:06 Shrews
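A pre-flight check for the situation discussed in this thread, as an added example that is not code from the issue, ansible-runner or Ansible. The log above shows `FileVaultSecret`, meaning the file's contents were read as the password rather than the script being run. The function name `classify_vault_password_file` is hypothetical, and the classification rules are an assumption that approximates Ansible's behaviour: any execute bit means the file is run, and an executable whose name ends in `-client` is invoked as a client script with `--vault-id`.

```python
import os
import stat
import tempfile

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def classify_vault_password_file(path):
    """Predict how a --vault-password-file path will be consumed.

    Returns (kind, warnings). kind is "file" (contents are the password),
    "script" (executed, stdout is the password) or "client-script"
    (executed with --vault-id, because the name ends in -client).
    """
    warnings = []
    mode = os.stat(path).st_mode
    with open(path, "rb") as fh:
        first_line = fh.readline()
    has_shebang = first_line.startswith(b"#!")
    if not mode & EXEC_BITS:
        if has_shebang or path.endswith((".py", ".sh")):
            warnings.append("looks like a script but has no execute bit; "
                            "its source text will be used as the password")
        return "file", warnings
    if not has_shebang:
        warnings.append("executable but no #! line; the OS may fail to run it")
    stem = os.path.splitext(os.path.basename(path))[0]
    return ("client-script" if stem.endswith("-client") else "script"), warnings


def demo():
    """Reproduce the thread's situation with constructed files in a temp dir."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "vault-password-client.py")
        with open(path, "w") as fh:          # constructed sample, no shebang
            fh.write('from sys import stdout\nstdout.write("test")\n')
        os.chmod(path, 0o600)
        results["as_reported"] = classify_vault_password_file(path)
        with open(path, "w") as fh:          # fix suggested in the thread
            fh.write('#!/usr/bin/python3\nfrom sys import stdout\nstdout.write("test")\n')
        os.chmod(path, 0o700)
        results["after_fix"] = classify_vault_password_file(path)
    return results


if __name__ == "__main__":
    for name, (kind, warns) in demo().items():
        print(name, kind, warns)
```

Running a check like this before invoking the playbook turns a silent fallback (script source used as the password, surfacing later as an HMAC mismatch) into an explicit warning.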