Ansible-vault没有正确传递给playbook

Question

I am trying to use ansible and ansible-vault to provision users. This is my current directory structure:

|-- ansible-test.out
|-- group_vars
|-- inventory
|-- roles
|   |-- bsd_sudoers
|   |   |-- tasks
|   |   |-- templates
|   |   |   `-- cde-admins
|   |   `-- vars
|   `-- bsd_users
|       |-- files
|       |-- tasks
|       |   `-- main.yml
|       |-- templates
|       `-- vars
|           `-- all.yml
|-- site.retry
|-- site.yml
`-- vars
    `-- all.yml

This is what I have for my playbook so far:

---
- name: Creating Users
  user:
    name: "{{ item.name }}"
    system : "{{ item.sudoer }}"
    shell: /bin/bash
    password: "{{ item.password }}"
    uid: "{{ item.uid }}"
    home: "{{ item.home }}"
  with_items: users

Here is a sample of what I have in ansible vault:

---
   vars:
     users:
       - name: 'foo'
         home: '/home/foo'
         key: 'ssh-rsa ....'
         password: '!!'
         bash: '/bin/bash'
         sudoer: yes
         uid: "2049"
         guid: '2049'
         group: admin

When I run the playbook, this error message is always generated:

fatal: [ansible-test]: FAILED! => {"failed": true, "msg": "The task includes an option with an undefined variable. The error was: 'ansible.utils.unsafe_proxy.AnsibleUnsafeText object' has no attribute 'uid'\n\nThe error appears to have been in '/Users/ansible/playbooks/roles/bsd_users/tasks/main.yml': line 2, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n---\n- name: Creating Users\n  ^ here\n\nexception type: <class 'ansible.errors.AnsibleUndefinedVariable'>\nexception: 'ansible.utils.unsafe_proxy.AnsibleUnsafeText object' has no attribute 'uid'"}
    to retry, use: --limit @/Users/ansible/playbooks/site.retry

Why is this always happening? I was under the impression that Ansible would naturally pass the encrypted variables to my playbook but this does not seem to be the case.

Answer 1

As Konstantin mentioned before, you need to include the variable file either as -e @vars/all.yml via the command line, or by adding vars_files into the playbook. You can also add the all.yml file into the group_vars directory, and it will be picked up automatically.

Regarding the second error message you are receiving, starting with Ansible 2.4 the recommended way of providing the password at the command line is by using --vault-id . This can be anything from a path to the id file, to @prompt for Ansible to prompt you for a password, or even the path to a script that returns the password.

Prior to Ansible 2.4, you need to use --ask-vault-pass or --vault-password-file .

You can also add a variable in ansible.cfg named vault_password_file , where you can define the location of the vault password file (for example vault_password_file = /path/to/.vault_password_file ), so you don't need to specify it every time you run ansible-playbook . Starting with Ansible 1.7, this path can also point to a script that returns the password as stdout.

If this helps answer your question, I would appreciate it if you could mark it as the accepted answer.

Answer 2

First:

with_items: users should be with_items: "{{ users }}" .
Bare variables are not supported any more.

Second:

There's no need to define top-level vars dict in vaulted files, use:

---
users:
  - name: foo
    home: /home/foo
  - name: bar
    home: /home/bar