My hosts file was working fine when I used a normal Ansible password. But when I switched it to an Ansible Vault password, I get these errors:

[WARNING]:  * Failed to parse /var/lib/awx/projects/Windows/hosts with yaml plugin: We were unable to read either as JSON nor YAML, these are the errors we got from each: JSON:
Expecting value: line 1 column 2 (char 1)  Syntax Error while loading YAML.   did not find expected <document start>  The error appears to be in '/var/lib/awx/projects/AD/WindowsAD/hosts':
line 2, column 1, but may be elsewhere in the file depending on the exact syntax problem.  The offending line appears to be:  [Windows] 10.15.200.130 ^ here
[WARNING]:  * Failed to parse /var/lib/awx/projects/Windows/hosts with ini plugin: /var/lib/awx/projects/Windows/hosts:7: Expected key=value, got: $ANSIBLE_VAULT;1.1;AES256

This is my hosts file which produced the errors. I only replaced the ansible_password fields with ansible vault credentials, the rest of the fields remain unchanged:

[Windows]
10.15.200.130

[Windows:vars]
ansible_user=domain\username
ansible_password=!vault |
          $ANSIBLE_VAULT;1.1;AES256
          62303438666666336666343361326637376135363461326430336438306237363330303765393438
          6565373439616366663836656238643132346264356162350a643533373632393639376335356464
          65363934613137653730636633363761346538393562653137666331303834633563303538643961
          3965356162623463370a653266663231336430643538363737633862613662663062616139613137
          6330
ansible_connection=winrm
ansible_port=5985
ansible_winrm_transport=credssp
ansible_winrm_server_cert_validation=ignore
ansible_winrm_kerberos_delegation=true


[test]
10.15.170.22

[test:vars]
ansible_user=user
ansible_password=!vault |
          $ANSIBLE_VAULT;1.1;AES256
          65353661646365653531376564373966623933386336623538386435643738636566633132633763
          6232633465336337373839303130393066633439316335660a636136636539346666633032613838
          32313162393338353265313365356435626664373766626461326563393830313665393933386337
          6162643836393766360a316238313861646235343833313232633164316434643765313261346630
          3966
ansible_connection=winrm
ansible_port=5986
ansible_winrm_transport=basic
ansible_winrm_server_cert_validation=ignore

I have tried to rephrase the vault credentials as below, but it is still incorrect:

ansible_password=!vault |
          $ANSIBLE_VAULT;1.1;AES256
          623034386666663366663433613266373761353634613264303364383062373633303037653934386565373439616366663836656238643132346264356162350a643533373632393639376335356464653639346131376537306366333637613465383935626531376663313038346335633035386439613965356162623463370a6532666632313364306435383637376338626136626630626161396131376330

ansible_password=!vault |
          $ANSIBLE_VAULT;1.1;AES256
          653536616463656535313765643739666239333863366235383864356437386365666331326337636232633465336337373839303130393066633439316335660a636136636539346666633032613838323131623933383532653133653564356266643737666264613265633938303136653939333863376162643836393766360a3162383138616462353438333132326331643164346437653132613466303966
Whaily
  • The `!vault |` format is meant for YAML AFAIK... How were those values generated and inserted into the inventory? – Gert van den Berg Apr 24 '23 at 13:46
  • I would create `group_vars/test.yaml` and `group_vars/Windows.yaml` and put the variables in there in YAML format..... – Gert van den Berg Apr 24 '23 at 13:48
  • Also from the documentation, as it was fixed since this other question: [_This is an example using an extract from a YAML inventory, as the INI format does not support inline vaults_](https://docs.ansible.com/ansible/latest/network/getting_started/first_inventory.html#protecting-sensitive-variables-with-ansible-vault) – β.εηοιτ.βε Apr 24 '23 at 14:32
  • @GertvandenBerg It was generated by running this command: ansible-vault encrypt_string "writepasswordhere" --vault-password-file vault.txt – Whaily Apr 25 '23 at 02:04
  • @GertvandenBerg You mean put only the vault variables into these new yaml files? Or whatever is in my hosts file, I have to now change it to yaml format and put into these new yaml files? Anyway, I have already created the group_vars/test.yaml and group_vars/Windows.yaml, what command do I use to run the playbook to read these group_vars files? Previously, I was using 'ansible-playbook Combined.yml -i hosts -vvv --vault-password-file=/var/lib/awx/projects/code.txt' – Whaily Apr 25 '23 at 02:53
  • @Whaily Yep, you can put all the vars in there if you want, but just the vault vars might be easier to deal with (especially if the entire file is encrypted) than having all the vars for the group there (arrays and maps are a lot easier in YAML than the INI format as well though) – Gert van den Berg Apr 25 '23 at 07:05
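
Following the comments above (the INI inventory format does not support inline vaults, so the vaulted variables belong in `group_vars/<group>.yaml`), here is an added example that is not part of the original thread: a small Python helper that pulls `key=!vault |` blocks out of `[group:vars]` sections and returns them as YAML text. The function name, the sample inventory and its payload lines are constructed for illustration.

```python
import re

# `key=!vault |` is YAML syntax; the INI inventory parser rejects it.
VAULT_TAG = re.compile(r"^(?P<key>[A-Za-z_]\w*)\s*=\s*!vault\s*\|\s*$")
SECTION = re.compile(r"^\[(?P<name>[^\]:]+)(?::(?P<kind>\w+))?\]\s*$")

# Constructed sample: host and variable names follow the question, the two
# payload lines are placeholders, not real vault ciphertext.
SAMPLE = """\
[Windows]
10.15.200.130

[Windows:vars]
ansible_user=domain\\username
ansible_password=!vault |
          $ANSIBLE_VAULT;1.1;AES256
          6162636465660a
          3031
ansible_connection=winrm
"""

def split_inline_vaults(ini_text):
    """Return (clean_ini, {group: yaml_text}) with every inline vault block
    moved out of its [group:vars] section."""
    clean, group_vars = [], {}
    group, in_vars, block = None, False, None  # block = (key, payload lines)
    def flush():
        nonlocal block
        if block:
            key, payload = block
            body = "".join(f"  {p}\n" for p in payload)
            group_vars[group] = group_vars.get(group, "") + f"{key}: !vault |\n{body}"
        block = None
    for line in ini_text.splitlines():
        stripped = line.strip()
        if block and stripped and line[:1].isspace():
            block[1].append(stripped)  # indented line = vault payload
            continue
        flush()  # first non-indented line ends the payload
        m = SECTION.match(stripped)
        if m:
            group, in_vars = m["name"], m["kind"] == "vars"
        v = VAULT_TAG.match(stripped) if in_vars else None
        if v:
            block = (v["key"], [])
        else:
            clean.append(line)
    flush()
    return "\n".join(clean) + "\n", group_vars
```

Write each returned value to `group_vars/<group>.yaml` next to the inventory file; Ansible loads those files automatically, so the existing `ansible-playbook ... -i hosts --vault-password-file ...` invocation does not change.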

0 Answers