Skip to content
Latchkey

Ansible Vault "Decryption failed" / "no vault secrets" in CI

Ansible hit a Vault-encrypted file or variable but had no password - or the wrong one - to decrypt it. The vault password is not wired into the CI run.

What this error means

A run fails with Attempting to decrypt but no vault secrets found or Decryption failed as soon as it touches an encrypted file. It is deterministic: without the correct password, decryption never succeeds.

ansible output
ERROR! Attempting to decrypt but no vault secrets found
# or, with a wrong password:
ERROR! Decryption failed (no vault secrets were found that could decrypt)
on /repo/group_vars/prod/vault.yml

Common causes

Vault password not provided in CI

No --vault-password-file, ANSIBLE_VAULT_PASSWORD_FILE, or --ask-vault-pass is wired up, so Ansible has nothing to decrypt the file with.

Wrong password or vault-id

The supplied password (or --vault-id) does not match the one the file was encrypted with - common after a rotation or when multiple vault IDs exist.

How to fix it

Provide the vault password from a secret

Write the password to a file from a CI secret and point Ansible at it.

.github/workflows/deploy.yml
- run: |
    printf '%s' "${{ secrets.ANSIBLE_VAULT_PASSWORD }}" > .vault-pass
    ansible-playbook -i inventory site.yml --vault-password-file .vault-pass
    rm -f .vault-pass

Match the correct vault-id

  1. If files use labeled vault IDs, pass the matching --vault-id label@source.
  2. After a password rotation, re-encrypt with ansible-vault rekey so old files match the new password.
  3. Verify locally with ansible-vault view group_vars/prod/vault.yml before pushing.

How to prevent it

  • Store the vault password as a CI secret and inject it via --vault-password-file.
  • Use consistent --vault-id labels across the repo.
  • Rekey all encrypted files together when rotating the vault password.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →