Ansible Vault "input is not vault encrypted data" in CI
Ansible found a !vault value but the ciphertext is malformed - wrong indentation from encrypt_string, a truncated block, or a value that was never actually encrypted - so it cannot parse it as vault data.
What this error means
A run fails with input is not vault encrypted data pointing at a variable, even though the vault password is correct. The failure is structural - the encrypted block itself is broken - so it reproduces every run regardless of the password.
ERROR! input is not vault encrypted data for variable db_password
found in group_vars/prod/secrets.ymlCommon causes
Malformed encrypt_string output
ansible-vault encrypt_string output pasted with wrong indentation, or missing the !vault | header and the leading $ANSIBLE_VAULT;... line, makes the block unparseable.
Partially decrypted or corrupted file
A file edited after a partial decrypt, a merge conflict in the ciphertext, or trailing whitespace breaks the structure so it is no longer valid vault data.
How to fix it
Regenerate the encrypted value cleanly
Re-encrypt the value and paste the full block with correct YAML indentation.
ansible-vault encrypt_string 's3cr3t' --name 'db_password'
# paste the ENTIRE output, including the "!vault |" line and indentationValidate the vault structure
- Confirm the block starts with
!vault |and the next line is$ANSIBLE_VAULT;1.1;AES256. - Check indentation - every ciphertext line must be indented consistently under the key.
- Round-trip with
ansible-vault view file.ymlto prove the file parses.
How to prevent it
- Paste
encrypt_stringoutput verbatim, preserving the header and indentation. - Never hand-edit ciphertext; re-encrypt instead.
- Add a CI step that runs
ansible-vault viewto validate encrypted files.