Ansible-Vault conf file not being decrypted when running playbook


I'm working on this Ansible playbook to sign certificates. Inside the playbook I use a conf file with an API key inside; to hide the key, I have encrypted the file with ansible-vault. The problem with this is that when I run the playbook, it errors out with a stdout saying the file contains no section headers.

fatal: [cxlabs-alln01-sslapi]: FAILED! => {
    "changed": true,
    "cmd": [
        "/usr/local/bin/sslapi_cli",
        "sign",
        "-csr",
        "/etc/sslapi_cli/xxxxxxxx.cisco.com.csr",
        "-out",
        "/etc/sslapi_cli/xxxxxxxx.cisco.com.cer",
        "-confFile",
        "/etc/sslapi_cli/sslapi_cli.conf",
        "-validityPeriod",
        "one_year"
    ],
    "delta": "0:00:00.209337",
    "end": "2022-04-04 15:47:37.772535",
    "invocation": {
        "module_args": {
            "_raw_params": "/usr/local/bin/sslapi_cli sign -csr /etc/sslapi_cli/xxxxxxxx.cisco.com.csr  -out /etc/sslapi_cli/xxxxxxxx.cisco.com.cer -confFile /etc/sslapi_cli/sslapi_cli.conf -validityPeriod one_year",
            "_uses_shell": false,
            "argv": null,
            "chdir": null,
            "creates": null,
            "executable": null,
            "removes": null,
            "stdin": null,
            "stdin_add_newline": true,
            "strip_empty_ends": true,
            "warn": true
        }
    },
    "msg": "non-zero return code",
    "rc": 2,
    "start": "2022-04-04 15:47:37.563198",
    "stderr": "File contains no section headers.\nfile: '/etc/sslapi_cli/sslapi_cli.conf', line: 1\n'$ANSIBLE_VAULT;1.1;AES256\\n'",
    "stderr_lines": [
        "File contains no section headers.",
        "file: '/etc/sslapi_cli/sslapi_cli.conf', line: 1",
        "'$ANSIBLE_VAULT;1.1;AES256\\n'"
    ],
    "stdout": "File contains no section headers.\nfile: '/etc/sslapi_cli/sslapi_cli.conf', line: 1\n'$ANSIBLE_VAULT;1.1;AES256\\n'",
    "stdout_lines": [
        "File contains no section headers.",
        "file: '/etc/sslapi_cli/sslapi_cli.conf', line: 1",
        "'$ANSIBLE_VAULT;1.1;AES256\\n'"
    ]
}

I'm not sure what this means, but I think it's because the sslapi_cli.conf is not being decrypted when the playbook is reading it.

1 answer

Ansible Vault's purpose is not encrypting files; it is encrypting variables. When you encrypt a file with ansible-vault, it is assumed that the file is .yml formatted and therefore it can be processed as Ansible variables.

You need to define the api key in an encrypted file, or encrypt inline (https://docs.ansible.com/ansible/latest/user_guide/vault.html#creating-encrypted-variables).

# encrypted_file.yml
my_api_key: foo

# variable encrypted inline:
my_api_key: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      62313365396662343061393464336163383764373764613633653634306231386433626436623361
      6134333665353966363534333632666535333761666131620a663537646436643839616531643561

Then you need to create a template of your sslapi_cli.conf file with something like this:

sslapi_cli.conf.j2

ssl_api_key: {{ my_api_key }}

And before you execute your task you need to run a template (https://docs.ansible.com/ansible/latest/collections/ansible/builtin/template_module.html) task, generating the sslapi_cli.conf file with the correct api key.
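A playbook wiring these steps together, as an added example that is not part of the answer above. The host, file paths and the sslapi_cli command line come from the question; the vars file path, the template path, the `[sslapi]` section name and the `ssl_api_key` key are assumptions, because the conf file's real layout is not shown (the error text in the question is Python's configparser reporting a missing `[section]` line, so the rendered file needs one before the key).

```yaml
# Added example, not from the answer or from the sslapi_cli project.
# Assumed layout:
#   vars/sslapi_secrets.yml   created with `ansible-vault create`, holding
#                             the line  my_api_key: <real key>
#   templates/sslapi_cli.conf.j2  containing (section name is assumed):
#       [sslapi]
#       ssl_api_key = {{ my_api_key }}
# Run with: ansible-playbook sign.yml --ask-vault-pass
- name: Sign a certificate with sslapi_cli
  hosts: cxlabs-alln01-sslapi
  become: true                       # /etc/sslapi_cli is assumed root-owned
  vars_files:
    - vars/sslapi_secrets.yml        # decrypted in memory by Ansible, never on disk
  vars:
    cn: xxxxxxxx.cisco.com
    conf_path: /etc/sslapi_cli/sslapi_cli.conf

  tasks:
    - name: Render the conf file with the decrypted API key
      ansible.builtin.template:
        src: templates/sslapi_cli.conf.j2
        dest: "{{ conf_path }}"
        owner: root
        group: root
        mode: "0600"                 # rendered file holds the key in clear text
      no_log: true                   # keep the key out of task output and logs

    - name: Sign the CSR (same command line as in the question)
      ansible.builtin.command:
        argv:
          - /usr/local/bin/sslapi_cli
          - sign
          - -csr
          - "/etc/sslapi_cli/{{ cn }}.csr"
          - -out
          - "/etc/sslapi_cli/{{ cn }}.cer"
          - -confFile
          - "{{ conf_path }}"
          - -validityPeriod
          - one_year
      register: sign_result
      changed_when: sign_result.rc == 0
```

If the "File contains no section headers" error persists after this change, the rendered file is being read correctly but the tool expects an INI section line; check its documentation for the exact section and key names rather than the placeholders assumed here.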