
Why could the encrypted Ansible files not be decrypted although the vault password file has been set?

Submitted by: @import:stackexchange-devops

Problem

Follow-up to this Q&A.

According to this and this documentation it should be possible to define a default vault password file by specifying vault_password_file = ~/.vault_pass.txt in one of the following files:

* ANSIBLE_CONFIG (an environment variable)
* ansible.cfg (in the current directory)
* .ansible.cfg (in the home directory)
* /etc/ansible/ansible.cfg


Although the password file exists and the log indicates that the ansible.cfg is used that contains the definition, the decryption fails:

user@host$
Using /etc/ansible/ansible.cfg as config file
ERROR! Decryption failed on /path/to/ansible/group_vars/production/vault
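A small shell diagnostic, added here and not part of the question or answer, that reproduces the documented config search order above, expands the `~` in vault_password_file and reports the state of the file it points to. The sandbox paths it builds are constructed for the demo, and the lookup is a simplified model of Ansible's behaviour, not Ansible's own code.

```shell
#!/bin/sh
# Added diagnostic, not from the original post: reproduce Ansible's documented
# config-file search order and check the vault_password_file it resolves to.
# All paths below are constructed for the demo.

# Print the config file Ansible would pick, in the documented order:
# $ANSIBLE_CONFIG, ./ansible.cfg, ~/.ansible.cfg, /etc/ansible/ansible.cfg
find_ansible_cfg() {
    for c in "${ANSIBLE_CONFIG:-}" ./ansible.cfg "$HOME/.ansible.cfg" /etc/ansible/ansible.cfg; do
        if [ -n "$c" ] && [ -f "$c" ]; then printf '%s\n' "$c"; return 0; fi
    done
    return 1
}

# Read vault_password_file from a config file and expand a leading ~ to $HOME
vault_pass_path() {
    raw=$(sed -n 's/^[[:space:]]*vault_password_file[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$raw" ] || return 1
    case "$raw" in
        "~")   printf '%s\n' "$HOME" ;;
        "~/"*) printf '%s\n' "$HOME/${raw#"~/"}" ;;
        *)     printf '%s\n' "$raw" ;;
    esac
}

# Classify the password file: missing, unreadable, empty, world-readable or ok
check_vault_pass_file() {
    f="$1"
    if   [ ! -e "$f" ]; then echo missing
    elif [ ! -r "$f" ]; then echo unreadable
    elif [ ! -s "$f" ]; then echo empty
    elif ls -ld "$f" | cut -c8-10 | grep -q r; then echo world-readable
    else echo ok
    fi
}

# Constructed sandbox: a project dir with ansible.cfg and a fake home dir
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/home" "$demo_dir/proj"
printf '[defaults]\nvault_password_file = ~/.vault_pass.txt\n' > "$demo_dir/proj/ansible.cfg"
printf 'constructed-demo-password\n' > "$demo_dir/home/.vault_pass.txt"
chmod 600 "$demo_dir/home/.vault_pass.txt"

# Walk the chain the way the question's run would: which cfg, which file, what state
cd "$demo_dir/proj" && HOME="$demo_dir/home"
cfg=$(find_ansible_cfg) && echo "config file: $cfg"
pw=$(vault_pass_path "$cfg") && echo "vault_password_file resolves to: $pw"
echo "state: $(check_vault_pass_file "$pw")"
```

If the state is anything but ok, the config file is being read but the password file itself is the problem; if the config file printed is not the one you edited, the precedence order above is picking a different one.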


Discussion

-

Is the pass correct for this vault?

Yes. When ansible is run using --vault-password-file=~/.vault_pass.txt the decryption succeeds.

-

Just so that we're clear - the name of the environment variable is ANSIBLE_VAULT_PASSWORD_FILE, correct?

No. When this variable is used it works, but the aim is to set it in the ansible.cfg by setting /etc/ansible/ansible.cfg.

-

What Ansible version is used?

user@host:/dir$ ansible --version
ansible 2.2.2.0
    config file = /etc/ansible/ansible.cfg
    configured module search path = Default w/o overrides


-

Does using a full path in the config work?

The decryption fails as well when the full path, i.e. /home/user/.vault_pass.txt, is specified instead of ~.

Solution

I found an issue with Ansible/Python causing a failure to decrypt.

Specifically, Ansible 2.7.10 and 2.7.13 under Python 3.6.8 on Ubuntu 18.04 would not decrypt (using ansible-vault edit -vvvvv) a vault file that was identical to a file that decrypted OK on macOS 10.13 using Python 3.7.2 with the same Ansible versions.

Upgrading to Python 3.7.3 on Ubuntu (using apt-get install python3.7 on 18.04) fixed this.

Your issue may be different, but if on Python 3.6 or lower, I would try upgrading to 3.7.

Context

StackExchange DevOps Q#721, answer score: 2
