
ANSIBLE_VAULT_PASSWORD related instructions do not seem to work as documented with EE's. #1728

Closed
netopsengineer opened this issue Apr 1, 2024 · 6 comments · Fixed by #1799
Assignees
Labels
documentation Improvements or additions to documentation

Comments

@netopsengineer

ISSUE TYPE
  • Doc issue
SUMMARY

The document section in question: link

image

I am able to create the gpg encrypted file, and the shell script, and it does work independently when executed; I do in fact get the password back. However, when executing with the EE as documented, the ENV is inside the EE container, but Ansible seems to simply ignore it:

ANSIBLE_VAULT_PASSWORD="$( ~/bin/vault.sh )" ansible-navigator run (...)

Is the behavior that is expected such that ANSIBLE_VAULT_PASSWORD=my_plain_text_password would be inside the EE? If so, I do see that if I switch run to exec and printenv, but the playbook does not seem to use it; the first task executed with something vaulted says there were no credentials available.

A vault password or secret must be specified to decrypt

The previous instructions that revolve around linking the password file or script into the project that are considered the less secure options per the docs, do work for me as documented. I just prefer the newly mentioned method above. FWIW, I am on MacOS 14.4.1, and ansible-navigator 24.2.0.

@netopsengineer netopsengineer added documentation Improvements or additions to documentation new New issues and PRs to triaged labels Apr 1, 2024
@audgirka audgirka removed the new New issues and PRs to triaged label Apr 3, 2024
@netopsengineer
Author

@rseabra it looks like you introduced this documentation in #1714; could you comment on how it is to be used? From everything I can gather, there is no support for ANSIBLE_VAULT_PASSWORD as an env var from Ansible, it doesn't look for it; in fact it seems it was proposed, and the PR was rejected here: ansible/ansible#64383 (comment).

Any help would be appreciated.

@rseabra
Contributor

rseabra commented May 31, 2024

~~There is a typo that nobody noticed. It's ANSIBLE_VAULT_PASSWORD_FILE!~~ I'm off work and without access to my setup in order to check out if there's an actual typo, because I'm almost 100% sure that the point was to load the password into a variable, and not a file that's not actually available in the container.

I'll let you know next week.

@netopsengineer
Author

netopsengineer commented Jun 3, 2024

@rseabra appreciate the reply, yeah I figured that might be the case, but even then I was not sure how it would work, as ANSIBLE_VAULT_PASSWORD_FILE expects a path, and if I'm following the instructions properly in the README, this would essentially set the output of gpg --decrypt, e.g. the plaintext password, as the value of ANSIBLE_VAULT_PASSWORD_FILE in the EE, which will not work.

You essentially need a file with the output of gpg ... as the contents AFAIK. The challenge is that you would need to symlink your .asc file into the project for it to be able to execute it in the EE, much like the current directions in the README do today.

If you were able to work around this, or this is some gpg-agent trick (I am new to working with gpg in this context), I would love to hear about it, and we can decide the best way to do a PR to update the docs to explain it better, and fix the typo.

@rseabra
Contributor

rseabra commented Jun 13, 2024

"&%$#"%$#&"# I documented it wrong, I will fix the faq but here's the proper trick:

mylogin@myhost:~$ export ANSIBLE_VAULT_PASSWORD_FILE=~/bin/ansible-vault.sh
mylogin@myhost:~$ cat $ANSIBLE_VAULT_PASSWORD_FILE
#!/bin/sh

/usr/bin/gpg -q -d /.../vault.asc

mylogin@myhost:~$ cat ansible-vault.sh
#!/bin/sh

echo $ANSIBLE_VAULT_PASSWORD

mylogin@myhost:~$ cat zbr.yaml
- hosts: localhost
  vars:
    secret: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          37393239346661666331316663356662366262383732396237313939366666663733656439333265
          3661636531633338306135326235643534656635333665310a343261643432303165633864666131
          32343637336366356234633839346430346639623961646434356330393263313433346134386436
          3236613664636235360a653834393430353938666164396663643537636665623930623339323865
          6336
  tasks:
    - debug:
        var: secret
mylogin@myhost:~$ ansible-playbook zbr.yaml
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [localhost] *****************************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************************************************************************************************************************************
ok: [localhost]

TASK [debug] *********************************************************************************************************************************************************************************************************************************
ok: [localhost] => {
    "secret": "Segredo!"
}

PLAY RECAP ***********************************************************************************************************************************************************************************************************************************
localhost                  : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

mylogin@myhost:~$ ANSIBLE_VAULT_PASSWORD=$( $ANSIBLE_VAULT_PASSWORD_FILE ) ansible-navigator run -m stdout --eei registry.redhat.io/ansible-automation-platform/ee-minimal-rhel9:2.15.11-2 --senv=ANSIBLE_VAULT_PASSWORD_FILE=ansible-vault.sh --penv=ANSIBLE_VAULT_PASSWORD zbr.yaml
[WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match 'all'

PLAY [localhost] ***************************************************************

TASK [Gathering Facts] *********************************************************
ok: [localhost]

TASK [debug] *******************************************************************
ok: [localhost] => {
    "secret": "Segredo!"
}

PLAY RECAP *********************************************************************
localhost                  : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

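The indirection in the session above, written out as an added example that is neither the ansible-navigator project's code nor rseabra's: the host obtains the plaintext by command substitution, passes it into the container's environment, and an executable in the project directory (which contains no secret) echoes it back to ansible-vault. To run offline, `fake_gpg_decrypt` stands in for `gpg -q -d vault.asc`, `ee_fetch_password` stands in for ansible-vault executing the password file inside the EE, and the password value and temporary directory are constructed; those names are assumptions for this example only. The `--senv` / `--penv` flags it mirrors are the ones shown in the session.

```shell
#!/bin/sh
# Added example, not the ansible-navigator project's code nor rseabra's: it
# reproduces the indirection from the issue offline. fake_gpg_decrypt stands in
# for "gpg -q -d vault.asc" and ee_fetch_password stands in for ansible-vault
# running inside the EE; both names, and the password value, are constructed.
set -u

# Host side: whatever command yields the plaintext vault password. Constructed.
fake_gpg_decrypt() {
    printf '%s\n' 'Segredo!'
}

# Write the executable "password file" that ships in the project directory.
# It holds no secret: it only prints the variable that --penv forwards, and it
# fails instead of printing an empty line when that variable was not passed.
write_vault_shim() {
    dir=$1
    cat > "$dir/ansible-vault.sh" <<'EOF'
#!/bin/sh
# ${VAR:?msg} aborts with a message (exit status 2) if VAR is unset or empty,
# so a forgotten --penv surfaces here rather than as a vault decrypt error.
printf '%s\n' "${ANSIBLE_VAULT_PASSWORD:?not passed into the EE with --penv}"
EOF
    chmod 0700 "$dir/ansible-vault.sh"
}

# What ansible-vault does inside the EE: ANSIBLE_VAULT_PASSWORD_FILE names an
# executable, so it runs it and takes stdout as the password. env -i mimics
# the container's clean environment; only the variables that --senv and
# --penv inject survive into it.
ee_fetch_password() {
    dir=$1
    pw=$2
    ( cd "$dir" && env -i \
        ANSIBLE_VAULT_PASSWORD_FILE=ansible-vault.sh \
        ANSIBLE_VAULT_PASSWORD="$pw" \
        /bin/sh -c './"$ANSIBLE_VAULT_PASSWORD_FILE"' )
}

# Same run with --penv forgotten: the shim must fail, not print "".
ee_fetch_password_missing() {
    dir=$1
    ( cd "$dir" && env -i \
        ANSIBLE_VAULT_PASSWORD_FILE=ansible-vault.sh \
        /bin/sh -c './"$ANSIBLE_VAULT_PASSWORD_FILE"' )
}

# End-to-end: the command substitution runs on the host, so the plaintext
# enters the child's environment and never appears in argv or on disk in
# the project; the shim inside the "EE" then hands it back to ansible-vault.
demo() {
    tmp=$(mktemp -d) || return 1
    write_vault_shim "$tmp"
    out=$(ee_fetch_password "$tmp" "$(fake_gpg_decrypt)")
    status=$?
    rm -rf "$tmp"
    printf '%s\n' "$out"
    return "$status"
}

demo
```

Two details differ from the one-line `echo $ANSIBLE_VAULT_PASSWORD` shim in the session: the variable is quoted and printed with `printf`, so a password containing spaces, glob characters or a leading `-` reaches ansible-vault unchanged, and `${VAR:?}` makes a missing `--penv` fail at the shim rather than as a generic "A vault password or secret must be specified" error. Note that the plaintext still sits in the environment of every process in the container for the duration of the run, readable through `/proc/<pid>/environ` by anything running as the same user there, so this moves the secret off the project filesystem but does not hide it from the playbook's own tasks.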
@rseabra
Contributor

rseabra commented Jun 13, 2024

I added #1799 in order to resolve.

@rseabra
Contributor

rseabra commented Jun 13, 2024

Thanks a lot for finding out my error in the documentation patch, it's a neat trick and it deserves to be properly documented. :)
