ansible / proposals

Repository for sharing and tracking progress on enhancement proposals for Ansible.
Creative Commons Zero v1.0 Universal

Make ansible-vault return more general error response #207

Closed JaroslavKlech closed 1 year ago

JaroslavKlech commented 1 year ago

Proposal: Make ansible-vault command return more general error response (Command output UX)

Author: JaroslavKlech

Date: 2022-11-28

Motivation

To improve security by reducing attack surface.

Problems

What problems exist that this proposal will solve?

ansible-playbook playbook.yml --ask-vault-password

Returns the following error when an incorrect password is used:

Vault password: ERROR! Decryption failed (no vault secrets were found that could decrypt) on /home/my_home/my_ansible_projects/vars/sensitive variables.yml.

Solution proposal

bcoca commented 1 year ago

I'm not sure that is much of an improvement since a simple grep can also identify the 'vaulted' files

JaroslavKlech commented 1 year ago

Ok, in that case let's close this ticket.

oraNod commented 1 year ago

What about trimming down that error message a little and adding more user-focused wording?

"Vault password: ERROR! Decryption failed (no vault secrets were found that could decrypt)"

Suggested: "The vault password is not correct. Ansible Vault cannot decrypt secrets."

oraNod commented 1 year ago

@bcoca Is there a reason to keep the filename /home/my_home/my_ansible_projects/vars/sensitive variables.yml in the error message? Does that help troubleshoot?

oraNod commented 1 year ago

Had a Matrix convo with Jaroslav and Felix. Probably will just close this one for now. Cheers for the discussion @JaroslavKlech

bcoca commented 1 year ago

The file is shown so the user knows which vault they need a secret for or to remove from the play, so yes, it helps troubleshooting.

The vault secret message is generic as it does not state that the secret provided is wrong, sometimes no vault secret is provided, sometimes you need multiple vault secrets.

oraNod commented 1 year ago

Thanks for the insights @bcoca
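Added example, not part of the thread or of Ansible's code: an audit script illustrating bcoca's two points, that vaulted files can be identified from their contents alone and that each one may need a different vault secret. It assumes the standard `$ANSIBLE_VAULT;<version>;<cipher>[;<vault-id label>]` header line; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Header written by ansible-vault: $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id label>]
HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;(\d+\.\d+);([A-Z0-9]+)(?:;(\S+))?$")

def parse_vault_header(line):
    """Return (version, cipher, vault_id_label_or_None) for a header line, else None."""
    m = HEADER_RE.match(line.strip())
    return m.groups() if m else None

def find_vaulted(root):
    """List (relative_path, line_no, version, cipher, vault_id) for every vault header.

    line_no 1 means the whole file is encrypted; a later line is an inline
    '!vault |' value inside an otherwise plaintext YAML file.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    for no, line in enumerate(fh, 1):
                        parsed = parse_vault_header(line)
                        if parsed:
                            hits.append((os.path.relpath(path, root), no) + parsed)
            except OSError:
                continue  # unreadable file: skip it rather than abort the audit
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample project; the hex bodies are placeholders, not real ciphertext."""
    os.makedirs(os.path.join(root, "vars"))
    samples = {
        "vars/secrets.yml": "$ANSIBLE_VAULT;1.1;AES256\n3031323334\n",
        "vars/prod.yml": "$ANSIBLE_VAULT;1.2;AES256;prod\n3031323334\n",
        "vars/mixed.yml": "user: app\npassword: !vault |\n    $ANSIBLE_VAULT;1.1;AES256\n    3031323334\n",
        "playbook.yml": "- hosts: all\n",
    }
    for rel, text in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in find_vaulted(tmp):
            print(hit)
```

The header is stored in cleartext by design, so access control on the repository, not the wording of the error message, determines who can learn which files are vaulted.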