Closed JaroslavKlech closed 1 year ago
I'm not sure that is much of an improvement since a simple grep can also identify the 'vaulted' files
Ok, in that case let's close this ticket.
What about trimming down that error message a little and adding more user-focused wording?
"Vault password: ERROR! Decryption failed (no vault secrets were found that could decrypt)"
Suggested: "The vault password is not correct. Ansible Vault cannot decrypt secrets."
@bcoca Is there a reason to keep the filename /home/my_home/my_ansible_projects/vars/sensitive variables.yml in the error message? Does that help troubleshoot?
Had a matrix convo with Jaroslav and Felix. Probably will just close this one for now. Cheers for the discussion @JaroslavKlech
The file is shown so the user knows which vault they need a secret for or to remove from the play, so yes, it helps troubleshooting.
The vault secret message is generic as it does not state that the secret provided is wrong; sometimes no vault secret is provided, and sometimes you need multiple vault secrets.
Thanks for the insights @bcoca
Proposal: Make ansible-vault command return more general error response (Command output UX)
Author: JaroslavKlech
Date: 2022-11-28
Motivation
To improve security by reducing attack surface.
Problems
What problems exist that this proposal will solve?
ansible-playbook playbook.yml --ask-vault-password
Returns the following error when an incorrect password is used: Vault password: ERROR! Decryption failed (no vault secrets were found that could decrypt) on /home/my_home/my_ansible_projects/vars/sensitive variables.yml
Solution proposal
--ask-vault-password and the playbook doesn't even start running, then it should be obvious to them that the password wasn't correct and sensitive files are not pointed out.
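As an added example (not code from this issue or from Ansible itself) that illustrates both the "a simple grep can also identify the vaulted files" point and @bcoca's note that the file name tells the operator which vault they need a secret for: a small Python scanner that finds ansible-vault headers and reports which vault id label each file requires. The header layout ($ANSIBLE_VAULT;version;cipher[;vault-id]) is Ansible's own format; treating a header with no label as the "default" vault id follows Ansible's default identity, and the sample file contents below are constructed.

```python
import os
import re

# Header written at the top of every ansible-vault payload, e.g.
#   $ANSIBLE_VAULT;1.1;AES256           (no vault id label)
#   $ANSIBLE_VAULT;1.2;AES256;prod      (format 1.2, vault id "prod")
# The same header also appears indented inside YAML for inline `!vault |` values,
# so the regex is applied to the whole text rather than only to line one.
VAULT_HEADER = re.compile(
    r"\$ANSIBLE_VAULT;(?P<version>\d+\.\d+);(?P<cipher>\w+)(?:;(?P<vault_id>\S+))?"
)


def parse_vault_header(text):
    """Return [(version, cipher, vault_id), ...] for every vault header in `text`.
    Headers without a label are reported under Ansible's "default" vault id."""
    return [
        (m.group("version"), m.group("cipher"), m.group("vault_id") or "default")
        for m in VAULT_HEADER.finditer(text)
    ]


def vault_ids_by_file(files):
    """files: mapping of path -> contents. Returns {path: sorted vault id labels}
    for files holding vault material, i.e. the secrets a play will need."""
    result = {}
    for path, text in files.items():
        headers = parse_vault_header(text)
        if headers:
            result[path] = sorted({h[2] for h in headers})
    return result


def scan_tree(root):
    """Walk a project directory and apply vault_ids_by_file to every readable file."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    files[path] = fh.read()
            except OSError:
                continue  # unreadable file: skip, nothing to classify
    return vault_ids_by_file(files)


# Constructed sample content: one fully vaulted file, one plain YAML file with an
# inline vault string under a named vault id, and one file with no vault material.
SAMPLE_FILES = {
    "vars/sensitive variables.yml": "$ANSIBLE_VAULT;1.1;AES256\n3132333435\n",
    "group_vars/prod.yml": "db_password: !vault |\n  $ANSIBLE_VAULT;1.2;AES256;prod\n  6162\n",
    "playbook.yml": "- hosts: all\n  roles: [web]\n",
}

if __name__ == "__main__":
    for path, ids in vault_ids_by_file(SAMPLE_FILES).items():
        print(f"{path}: needs vault id(s) {', '.join(ids)}")
```

Run against a real checkout with scan_tree("path/to/project") to list every vaulted file and the vault id each one needs before running a play.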