Ansible vault - Decryption of encrypted string
I am trying to decrypt an encrypted string using Ansible vault. I have a key which is used for encryption. The encryption works fine but decryption doesn't seem to work. When I try to use the decryption command, I am asked for a vault password even though I never set any password. Below are my encryption commands:
echo 'mysecretexample' > pwd
ansible-vault encrypt_string 'testencyption' --vault-id pipeline@pwd --name 'secretname'
Above WORKS FINE!!!
But the below doesn't seem to work at all while decrypting, and asks for the vault password:
echo '$ANSIBLE_VAULT;1.2;AES256;pipeline
30306264643662333133656165633238646637393738663933666231393964646162306233663063
3130626266444444444449346633656234646162356235640a323339316662663966383639643064
39373933373832313762363863395555555555555555555555555866376132616262666561343130
3162366537623463330a326663393934646166623665386438636464323233323565313035643732
3662' | ansible-vault decrypt
I get the following, as it's not a vault enabled file.
ERROR! input is not vault encrypted data. - is not a vault encrypted file for -
Any advice would be helpful.
Solution 1:[1]
It's because your echo-ed text isn't the same as what some_scalar: | does in YAML; all those indentation characters will be harmonized to not having indentation characters when processed by a YAML parser:
>>> from io import StringIO
>>> from yaml import safe_load
>>> print(safe_load(StringIO("""
alpha: |
  hello
  world
"""))["alpha"])
hello
world
Since encrypt_string is optimized for use in vars.yaml, you'll need to de-yaml-it to get what you're after:
$ echo 'mysecretexample' > pwd
$ ansible-vault encrypt_string 'testencyption' --vault-id pipeline@pwd --name 'secretname' \
| sed -e '1d; s/^ *//' \
| ansible-vault decrypt --vault-id pipeline@pwd 2>/dev/null
testencyption
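The sed step in the answer above, generalized as an added example (not part of the original answer or of Ansible): stdlib-only Python that pulls one "name: !vault |" value out of a vars file, strips the YAML indentation, and checks that what is left has the vault envelope shape before it is piped to ansible-vault decrypt. The names SAMPLE_VARS, extract_vault_text and parse_envelope are made up for this example, and the hex payload is constructed filler, not real ciphertext.

```python
import re
import textwrap

# Envelope header: $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id label>]
HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;(1\.[12]);([A-Z0-9]+)(?:;(\S+))?$")

# Constructed sample shaped like encrypt_string output; the hex is filler.
SAMPLE_VARS = """\
db_user: app
secretname: !vault |
          $ANSIBLE_VAULT;1.2;AES256;pipeline
          30306264643662333133656165633238
          6466373937386639
other_var: 1
"""

def extract_vault_text(yaml_text, name):
    """Return the `name: !vault |` block with its YAML indentation removed."""
    lines = yaml_text.splitlines()
    key_re = re.compile(rf"^(\s*){re.escape(name)}:\s*!vault\s*\|\s*$")
    for i, line in enumerate(lines):
        m = key_re.match(line)
        if not m:
            continue
        key_indent = len(m.group(1))
        block = []
        for body in lines[i + 1:]:
            indent = len(body) - len(body.lstrip())
            if body.strip() and indent <= key_indent:
                break  # back at the key's level: the block scalar has ended
            block.append(body)
        return textwrap.dedent("\n".join(block)).strip() + "\n"
    raise KeyError(f"no inline vault value named {name!r}")

def parse_envelope(vault_text):
    """Validate de-indented text; return (version, cipher, vault_id, hex_payload)."""
    header, *payload = vault_text.splitlines()
    m = HEADER_RE.match(header)
    if not m:
        raise ValueError("first line is not a vault header")
    hex_payload = "".join(payload)
    if not hex_payload or not re.fullmatch(r"[0-9a-f]+", hex_payload):
        raise ValueError("payload is not plain hex; indentation is still present")
    return (*m.groups(), hex_payload)

if __name__ == "__main__":
    text = extract_vault_text(SAMPLE_VARS, "secretname")
    print(text, end="")  # pipe into: ansible-vault decrypt --vault-id pipeline@pwd
    print(parse_envelope(text)[:3])
```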
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | mdaniel |
