Skip to content
Latchkey

Ansible Vault "Decryption failed" (wrong password) in CI

Ansible had a vault secret and tried to decrypt the file, but the password did not match the one used to encrypt it, so the cipher check failed. This is a wrong-password error, not a missing-password error.

What this error means

The run fails with "ERROR! Decryption failed" naming the encrypted file. The secret exists in CI but its value is stale or for a different vault id.

ansible
ERROR! Decryption failed (no vault secrets were found that could decrypt) on
/runner/group_vars/prod/vault.yml

Common causes

The CI secret holds the wrong password

The vault password was rotated when the file was re-encrypted, but the CI secret still carries the old value.

A trailing newline or whitespace in the secret

A password written with an extra newline no longer matches the exact bytes used at encryption time.

How to fix it

Sync the secret with the current vault password

  1. Confirm which password decrypts the file locally.
  2. Update the CI secret to that exact value.
  3. Write it without a trailing newline using printf, not echo.
Terminal
printf '%s' "$VAULT_PASS" > .vault_pass
ansible-vault view group_vars/prod/vault.yml --vault-password-file .vault_pass

Use vault ids when multiple passwords exist

Label each vault password so the right one is selected per file instead of trying a single default.

Terminal
ansible-playbook site.yml \
  --vault-id prod@.vault_pass_prod \
  --vault-id dev@.vault_pass_dev

How to prevent it

  • Write vault passwords with printf so no newline is appended.
  • Update the CI secret whenever the vault password rotates.
  • Use --vault-id labels when more than one password is in play.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →