ansible / ansible-runner

A tool and Python library that helps when interfacing with Ansible directly or as part of another system, whether that be through a container image interface, as a standalone tool, or as a Python module that can be imported. The goal is to provide a stable and consistent interface abstraction to Ansible.

--vault-password-file vault-password-client.py doesn't work as expected #1351

Closed SquirrelCorporation closed 5 months ago

SquirrelCorporation commented 7 months ago

Hi!

I am encountering a problem when using the Python interface and providing the cmdline --vault-password-file vault-password-client.py. It doesn't work as expected: I get an HMAC error during decryption. However, giving the cmdline a plain text file with the password (--vault-password-file pass.txt) works.

The Python script is (as posted, with no shebang line):

from sys import exit, stderr, stdout

def main():
    # write the vault password to stdout
    stdout.write("test")

if __name__ == "__main__":
    main()

CMD line: --vault-password-file vault-password-client.py

Output of runner:

TASK [Gathering Facts] *********************************************************
task path: /server/src/ansible/_ping.yml:1
Found a vault_id (default) in the vaulttext
We have a secret associated with vault id (default), will try to use to decrypt None
Trying to use vault secret=(FileVaultSecret(filename='/server/src/ansible/vault-password-client.py')) id=default to decrypt None
Trying secret FileVaultSecret(filename='/server/src/ansible/vault-password-client.py') for vault_id=default
Tried to use the vault secret (default) to decrypt (None) but it failed. Error: HMAC verification failed: Signature did not match digest.
fatal: [192.168.0.229]: FAILED! => {
    "msg": "Decryption failed (no vault secrets were found that could decrypt)"
}

From modifying the Python script, as far as I can tell, the file is not executed at all.

valq7711 commented 7 months ago

Try adding #!/usr/bin/python or #!/usr/bin/python3 as the first line, and the execute bit (chmod +x) should be set on the Python file.

Shrews commented 5 months ago

This is an error from ansible itself, not ansible-runner. Your first step would be to attempt to eliminate ansible-runner from the equation and come up with a simple reproducer using only the ansible-playbook command.

I have seen some issues where not having the executable bit set on the file was the culprit. If that is not the solution, then I suggest opening an issue under the ansible/ansible repo. You will need to provide the version of ansible you are using (I do not see it mentioned here) and, hopefully, your reproducer.
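The two comments above both point at the execute bit. The log in the issue shows Ansible selecting FileVaultSecret, which reads the file's contents as the password, while a script is only run when it is executable. The following added example (not code from ansible or ansible-runner) reproduces that on a constructed client script: it classifies the file the way the log lines suggest Ansible does (an assumed reconstruction of the dispatch in ansible.parsing.vault, using the class names from the log), then sets the execute bit and runs the script with the --vault-id argument a "-client" script receives. The script body, its password table and the helper names are all constructed for this example.

```python
#!/usr/bin/env python3
"""Check how Ansible will treat a --vault-password-file path.

Added example, not code from ansible or ansible-runner. The three class
names come from the log in this issue; the dispatch rule below is an
assumption about how ansible.parsing.vault picks a secret class:
  * not executable               -> FileVaultSecret   (file text is the password)
  * executable                   -> ScriptVaultSecret (stdout is the password)
  * executable and basename ends
    in "-client" before extension -> ClientScriptVaultSecret
                                     (run as "<script> --vault-id <id>")
"""
import os
import stat
import subprocess
import tempfile

# Constructed client script for the demo. Unlike the script in the issue it
# has a shebang and will be given the execute bit, so it is run rather than
# having its source text used as the password.
CLIENT_SCRIPT = """#!/usr/bin/env python3
import sys

PASSWORDS = {"default": "test"}  # constructed sample secret

def main():
    vault_id = "default"
    if "--vault-id" in sys.argv:  # passed to *-client scripts
        vault_id = sys.argv[sys.argv.index("--vault-id") + 1]
    if vault_id not in PASSWORDS:
        sys.stderr.write("no password for vault id %s\\n" % vault_id)
        sys.exit(1)
    sys.stdout.write(PASSWORDS[vault_id])

if __name__ == "__main__":
    main()
"""


def script_is_client(filename):
    """True if the basename ends in '-client', ignoring one extension (assumed rule)."""
    name = os.path.basename(filename)
    stem = name.rsplit(".", 1)[0] if "." in name else name
    return stem.endswith("-client")


def classify_vault_password_file(path):
    """Name of the secret class Ansible would log for this path (assumed rule)."""
    if not os.path.isfile(path):
        raise FileNotFoundError(path)
    if os.access(path, os.X_OK):
        return "ClientScriptVaultSecret" if script_is_client(path) else "ScriptVaultSecret"
    return "FileVaultSecret"


def make_executable(path):
    """Equivalent of chmod +x."""
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)


def run_client_script(path, vault_id="default"):
    """Invoke the script directly (shebang required) with --vault-id and return stdout."""
    proc = subprocess.run([path, "--vault-id", vault_id], capture_output=True, check=True)
    return proc.stdout.decode("utf-8").strip()


def demo():
    """Reproduce the symptom (FileVaultSecret) and the fix (execute bit)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "vault-password-client.py")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(CLIENT_SCRIPT)
        before = classify_vault_password_file(path)   # no exec bit: "FileVaultSecret"
        make_executable(path)
        after = classify_vault_password_file(path)    # "ClientScriptVaultSecret"
        password = run_client_script(path)            # "test"
    return before, after, password


if __name__ == "__main__":
    print(demo())
```

Running the module prints the classification before and after chmod +x and the password the script returns; if the "before" value matches the FileVaultSecret line in the issue's log, the execute bit (or a missing shebang, which makes direct execution fail) is the thing to check before opening an issue against ansible/ansible.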