Skip to content
Latchkey

Ansible Vault "input is not vault encrypted data" in CI

Ansible found a !vault value but the ciphertext is malformed - wrong indentation from encrypt_string, a truncated block, or a value that was never actually encrypted - so it cannot parse it as vault data.

What this error means

A run fails with input is not vault encrypted data pointing at a variable, even though the vault password is correct. The failure is structural - the encrypted block itself is broken - so it reproduces every run regardless of the password.

ansible output
ERROR! input is not vault encrypted data for variable db_password
found in group_vars/prod/secrets.yml

Common causes

Malformed encrypt_string output

ansible-vault encrypt_string output pasted with wrong indentation, or missing the !vault | header and the leading $ANSIBLE_VAULT;... line, makes the block unparseable.

Partially decrypted or corrupted file

A file edited after a partial decrypt, a merge conflict in the ciphertext, or trailing whitespace breaks the structure so it is no longer valid vault data.

How to fix it

Regenerate the encrypted value cleanly

Re-encrypt the value and paste the full block with correct YAML indentation.

Terminal
ansible-vault encrypt_string 's3cr3t' --name 'db_password'
# paste the ENTIRE output, including the "!vault |" line and indentation

Validate the vault structure

  1. Confirm the block starts with !vault | and the next line is $ANSIBLE_VAULT;1.1;AES256.
  2. Check indentation - every ciphertext line must be indented consistently under the key.
  3. Round-trip with ansible-vault view file.yml to prove the file parses.

How to prevent it

  • Paste encrypt_string output verbatim, preserving the header and indentation.
  • Never hand-edit ciphertext; re-encrypt instead.
  • Add a CI step that runs ansible-vault view to validate encrypted files.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →