On my development machine everything works great. It's just that when Jenkins attempts to run playbooks that are associated with vault-encrypted files, I see the error:

ERROR! Decryption failed on /data/jenkins/workspace/.../secrets.yml 
FATAL: command execution failed hudson.AbortException: Ansible playbook execution failed

The command that was executed from the Jenkins job is:

/usr/bin/ansible-playbook playbook.yml -i prod/inventory -l localhost -s -f 1 --vault-password-file /etc/ansible/vault_password

The vault password file is confirmed to exist at the location with the following permissions:

-rw-r--r--. 1 root root 35 Dec 18 13:23 /etc/ansible/vault_password

If I run the same command but ask for password (interactively), everything runs okay. This is however not the desired workflow: I'd like Jenkins to run these playbooks all on its own, without user interaction.

I should mention that the playbook is meant to run tasks locally, essentially to prepare the environment for Maven testing (creating expected resources such as properties files).

Jubz
  • What is the user that Jenkins is running as? – Raul Hugo Dec 20 '16 at 19:28
  • That would be my username on Mac OSX (which succeeds), and "jenkins" on the CentOS machines where Jenkins is running the playbook. The "jenkins" user is in sudoers.d. – Jubz Dec 21 '16 at 10:25

1 Answer

It turns out that there is a huge difference between creating a file with content and copying a file with content, even if the end result is a file with the same content.

Let me explain: my provisioning playbook had been creating my password file by writing the password to a file on the remote machines, like this:

  copy: content="{{ ansibl_vault_password }}", dest="{{ ansibl_vault_password_file }}"

The change I made was for the password file to be copied from my machine to the remote machines, like this:

  copy:
    src: "{{ ansibl_vault_password_file }}"
    dest: "{{ ansibl_vault_password_file }}"
    mode: "u=rw,g=r,o=r"

So even if in the grand scheme of things I ended up with a file containing the password on the first line, the earlier approach kept failing to decrypt contents whereas the second approach worked just fine.

Jubz
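A diagnostic for the situation in this answer, added here as an example and not part of the original question or answer: it reports what ansible-vault would actually read from a --vault-password-file and flags the byte-level and permission differences (stray comma or quote, CRLF, BOM, extra lines, group/other-readable mode) that make two files that "look the same" behave differently. The password-reading rule (read the whole file, strip surrounding whitespace) is an assumption based on Ansible's FileVaultSecret; the sample files are constructed.

```python
import os
import stat
import tempfile

def effective_password(path):
    """Return the bytes ansible-vault would actually use as the password.

    Assumption (matches Ansible's FileVaultSecret; verify for your release):
    the whole file is read and surrounding whitespace is stripped, so a trailing
    newline is harmless while a stray comma, quote or BOM becomes part of the key."""
    with open(path, "rb") as f:
        return f.read().strip()

def diagnose_vault_password_file(path):
    """List reasons why a password file that 'looks the same' may not decrypt,
    plus permission hygiene findings. An empty list means nothing suspicious."""
    findings = []
    with open(path, "rb") as f:
        raw = f.read()
    body = raw.strip()
    if raw.startswith(b"\xef\xbb\xbf"):
        findings.append("UTF-8 BOM at start of file")
    if b"\r" in raw:
        findings.append("carriage return present (CRLF line endings?)")
    if not body:
        findings.append("file is empty or whitespace only")
    elif b"\n" in body:
        findings.append("more than one non-blank line")
    if body[:1] in (b'"', b"'") or body[-1:] in (b'"', b"'", b","):
        findings.append("password begins/ends with a quote or comma (template artefact?)")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group/other (mode %o); prefer 0600 owned by the CI user" % mode)
    if not os.access(path, os.R_OK):
        findings.append("not readable by the current user")
    return findings

def make_sample(data, mode=0o600):
    """Write a constructed sample password file (for demonstration only)."""
    fd, path = tempfile.mkstemp(prefix="vault_pw_")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    # Constructed samples: a clean file and one with a trailing comma, CRLF and 0644
    for data, mode in ((b"s3cret\n", 0o600), (b"s3cret,\r\n", 0o644)):
        p = make_sample(data, mode)
        print(p, effective_password(p), diagnose_vault_password_file(p) or "OK")
```

Run it as the user Jenkins executes jobs as (here "jenkins"), since readability is checked for the current user.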