Ansible Vault "Decryption failed" / "no vault secrets" in CI
Ansible hit a Vault-encrypted file or variable but had no password - or the wrong one - to decrypt it. The vault password is not wired into the CI run.
What this error means
A run fails with Attempting to decrypt but no vault secrets found or Decryption failed as soon as it touches an encrypted file. It is deterministic: without the correct password, decryption never succeeds.
ERROR! Attempting to decrypt but no vault secrets found
# or, with a wrong password:
ERROR! Decryption failed (no vault secrets were found that could decrypt)
on /repo/group_vars/prod/vault.ymlCommon causes
Vault password not provided in CI
No --vault-password-file, ANSIBLE_VAULT_PASSWORD_FILE, or --ask-vault-pass is wired up, so Ansible has nothing to decrypt the file with.
Wrong password or vault-id
The supplied password (or --vault-id) does not match the one the file was encrypted with - common after a rotation or when multiple vault IDs exist.
How to fix it
Provide the vault password from a secret
Write the password to a file from a CI secret and point Ansible at it.
- run: |
printf '%s' "${{ secrets.ANSIBLE_VAULT_PASSWORD }}" > .vault-pass
ansible-playbook -i inventory site.yml --vault-password-file .vault-pass
rm -f .vault-passMatch the correct vault-id
- If files use labeled vault IDs, pass the matching
--vault-id label@source. - After a password rotation, re-encrypt with
ansible-vault rekeyso old files match the new password. - Verify locally with
ansible-vault view group_vars/prod/vault.ymlbefore pushing.
How to prevent it
- Store the vault password as a CI secret and inject it via
--vault-password-file. - Use consistent
--vault-idlabels across the repo. - Rekey all encrypted files together when rotating the vault password.