Skip to content
Latchkey

Ansible "Attempting to decrypt but no vault secrets found" in CI

A variable file or string is encrypted with Ansible Vault, but the run had no vault secret to decrypt it. Without --vault-password-file, --ask-vault-pass, or ANSIBLE_VAULT_PASSWORD_FILE, Ansible cannot read the value and stops.

What this error means

The run fails early with "ERROR! Attempting to decrypt but no vault secrets found" when it reaches an encrypted vars file or !vault value.

ansible
ERROR! Attempting to decrypt but no vault secrets found

Common causes

No vault password supplied to the run

CI is non-interactive, so the --ask-vault-pass prompt cannot work and no password file or env var was configured.

The vault password file path is wrong or empty

A configured path points at a file that does not exist or was never written from the secret, so Ansible has no identity to use.

How to fix it

Write the vault password from a secret and point Ansible at it

  1. Store the vault password as a CI secret.
  2. Write it to a file in the job, then pass --vault-password-file.
  3. Re-run so the encrypted data decrypts.
.github/workflows/ci.yml
- run: printf '%s' "${{ secrets.VAULT_PASS }}" > .vault_pass
- run: ansible-playbook -i inventory site.yml --vault-password-file .vault_pass

Use the environment variable form

Set ANSIBLE_VAULT_PASSWORD_FILE so every Ansible command in the job finds the identity without a flag.

.github/workflows/ci.yml
env:
  ANSIBLE_VAULT_PASSWORD_FILE: ${{ github.workspace }}/.vault_pass

How to prevent it

  • Keep the vault password in a CI secret, never committed.
  • Set ANSIBLE_VAULT_PASSWORD_FILE so all commands pick it up.
  • Avoid --ask-vault-pass in non-interactive pipelines.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →