On my development machine everything works great. It's just that when Jenkins attempts to run playbooks that are associated with vault-encrypted files, I see the error:
ERROR! Decryption failed on /data/jenkins/workspace/.../secrets.yml
FATAL: command execution failed hudson.AbortException: Ansible playbook execution failed
The command that was executed from the Jenkins job is:
/usr/bin/ansible-playbook playbook.yml -i prod/inventory -l localhost -s -f 1 --vault-password-file /etc/ansible/vault_password
The vault password file is confirmed to exist at the location with the following permissions:
-rw-r--r--. 1 root root 35 Dec 18 13:23 /etc/ansible/vault_password
If I run the same command but have it ask for the password interactively, everything runs okay. This is however not the desired workflow: I'd like Jenkins to run these playbooks all on its own, without user interaction.
I should mention that the playbook is meant to run tasks locally, essentially to prepare the environment for Maven testing (creating expected resources such as properties files).
It turns out that there is a huge difference between creating a file with content and copying a file with content, even if the end result is a file with the same content.
Let me explain: my provisioning playbook had been creating my password file by writing the password to a file on the remote machines, like this:
The change I made was for the password file to be copied from my machine to the remote machines, like this:
So even if in the grand scheme of things I ended up with a file containing the password on the first line, the earlier approach kept failing to decrypt contents whereas the second approach worked just fine.
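The symptom above (the file exists and is readable, yet `ansible-playbook` reports "Decryption failed") comes down to what bytes the password file actually holds, which is exactly what differs between writing content to a file and copying a file. The following script is an added example, not code from the original post: it inspects a vault password file the way a defender would before handing it to Jenkins. The normalisation mimics what ansible-core's file-based vault secret does (read the file as bytes, strip surrounding whitespace); the checks for literal backslash escapes, surrounding quotes and extra lines are this example's own heuristics for templating artefacts, and the sample contents are constructed. It also flags the `-rw-r--r--` permission shown in the question, since a world-readable vault password file lets every local account read the secret; the file should be `0600` and owned by the account Jenkins runs as.

```python
"""Inspect an Ansible vault password file for problems that cause
'Decryption failed' even though the file exists and is readable.
Added example; not from the original post or from Ansible itself."""
import os
import stat
import sys
from dataclasses import dataclass, field

# Constructed sample contents (not from the original post).
SAMPLE_GOOD = b"s3cretVaultPassword\n"
SAMPLE_CRLF = b"s3cretVaultPassword\r\n"
SAMPLE_LITERAL_ESCAPE = b"s3cretVaultPassword\\n"  # backslash + 'n' written literally
SAMPLE_QUOTED = b"'s3cretVaultPassword'\n"
SAMPLE_MULTILINE = b"s3cretVaultPassword\nextra line\n"


@dataclass
class VaultPasswordReport:
    """The password ansible-core would derive from the file, plus anything suspicious."""
    effective_password: str
    findings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def effective_vault_password(raw: bytes) -> str:
    """Mimic ansible-core's file-based vault secret: read bytes and strip
    surrounding whitespace. A literal backslash-n is not whitespace, so a
    password written with an escaped newline survives the strip unchanged."""
    return raw.strip().decode("utf-8", errors="replace")


def inspect_password_bytes(raw: bytes) -> VaultPasswordReport:
    """Return the effective password and a list of content findings (heuristics)."""
    findings = []
    if raw.startswith(b"\xef\xbb\xbf"):
        findings.append("UTF-8 byte-order mark at start of file")
    if b"\r" in raw.strip():
        findings.append("carriage return inside the password (CRLF in the middle of the file)")
    if b"\x00" in raw:
        findings.append("NUL byte present (binary or UTF-16 content?)")
    nonblank = [line for line in raw.splitlines() if line.strip()]
    if not nonblank:
        findings.append("file is empty or whitespace only")
    elif len(nonblank) > 1:
        findings.append("more than one non-empty line; the file should hold only the password")
    password = effective_vault_password(raw)
    if "\\n" in password or "\\t" in password:
        findings.append("literal backslash escape sequence inside password (templating artefact?)")
    if len(password) >= 2 and password[0] == password[-1] and password[0] in "'\"":
        findings.append("password is wrapped in quote characters")
    return VaultPasswordReport(password, findings)


def permission_findings(mode: int) -> list:
    """Flag a password file readable or writable by anyone but its owner.
    The question shows -rw-r--r-- (0644), which is readable by every local account."""
    findings = []
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others (password could be replaced)")
    return findings


def inspect_password_file(path: str) -> VaultPasswordReport:
    """Combine content and permission checks for a file on disk."""
    with open(path, "rb") as fh:
        raw = fh.read()
    report = inspect_password_bytes(raw)
    report.findings.extend(permission_findings(os.stat(path).st_mode))
    return report


if __name__ == "__main__":
    # Usage: python3 inspect_vault_password.py /etc/ansible/vault_password
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/ansible/vault_password"
    rep = inspect_password_file(target)
    # Never print the password itself; its length is enough to spot a mismatch.
    print(f"effective password length: {len(rep.effective_password)}")
    for finding in rep.findings:
        print("finding:", finding)
    print("OK" if rep.ok else "problems found")
```

Run it on the file the Jenkins job passes to `--vault-password-file`; if the effective password length differs from what you typed interactively, or any finding appears, the file's bytes are not what the playbook author intended, which is the situation the answer describes with the "create with content" approach.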