How to Properly Integrate Ansible Vault Files with Ansible Tower Inventory Sync



When attempting to import existing Ansible inventories containing vault-encrypted files into Ansible Tower 3.2.0, you'll notice the Vault credential isn't available for selection in the "Source Details" section. This occurs specifically with "Sourced from a Project" inventory sources.

The error message ERROR! Attempting to decrypt but no vault secrets found indicates Tower's inventory importer isn't properly passing the vault credential during the sync operation. The key observations from the debug output:

1.755 DEBUG    Running from /var/lib/awx/projects/_6__ansible_master/inventories/test working directory.
Traceback (most recent call last):
RuntimeError: ansible-inventory failed (rc=4) with stdout:
stderr:
ERROR! Attempting to decrypt but no vault secrets found

Here's the proper workflow to make vault-encrypted inventories work:

  1. First, create a Machine Credential containing your vault password:
    # In Tower UI:
    1. Navigate to Credentials -> Add
    2. Type: Machine
    3. Name: "Vault Password"
    4. Under "PRIVILEGE ESCALATION":
       - Privilege Escalation Method: "Sudo"
       - Privilege Escalation Username: (leave blank)
    5. Under "VAULT CREDENTIAL":
       - Vault Password: [your_vault_password]
       - Vault Identifier: (leave as default)
  2. For the inventory source configuration:
    1. Create/Edit Inventory -> Sources -> Add
    2. Source: "Sourced from a Project"
    3. Select your project
    4. Inventory file: [path_to_your_hosts_file]
    5. Under "CREDENTIAL":
       - Select the Machine credential containing vault password
    6. Save and sync

If you prefer using a vault password file instead of storing the password in Tower:

# Create ansible.cfg in your project root:
[defaults]
vault_password_file = .vault_pass

# Make sure the file exists in your project:
echo "your_vault_password" > .vault_pass

The key is ensuring the file is in the correct relative path where the inventory sync executes from.

If issues persist, try these troubleshooting steps:

# Manually test vault decryption on Tower node:
sudo -u awx ansible-vault view /path/to/encrypted/file \
    --vault-password-file=/path/to/vault_pass

# Verify file permissions:
ls -la /var/lib/awx/projects/_your_project_/
chmod 600 .vault_pass  # if permissions are too open

Remember that Tower runs commands as the 'awx' user, so all paths and permissions must be valid for this user.


When migrating from standalone Ansible to Ansible Tower (now called AWX in open-source versions), one particularly tricky aspect is handling encrypted inventory variables. The error message ERROR! Attempting to decrypt but no vault secrets found indicates Tower isn't properly accessing your vault credentials during inventory sync.

The core problem stems from how Tower handles credential assignment for different source types:

  • Sourced from Project inventories can't directly associate vault credentials
  • The credential selection dropdown only appears for certain source types like SCM
  • Tower expects vault passwords to be available at runtime

Method 1: Using a Custom Credential Type

Create a custom credential type that injects the vault password:

---
name: Custom Vault Credential
description: Injects vault password for inventory sync
inputs:
  fields:
    - id: vault_password
      type: string
      label: Vault Password
      secret: true
  required:
    - vault_password
injectors:
  # Ansible does not read a plain ANSIBLE_VAULT_PASSWORD variable. Write the
  # password to a temporary file that Tower manages for the job and point
  # ANSIBLE_VAULT_PASSWORD_FILE at it instead.
  file:
    template: "{{ vault_password }}"
  env:
    ANSIBLE_VAULT_PASSWORD_FILE: "{{ tower.filename }}"

Method 2: Project-based Vault Solution

Place your vault password file in the project root and configure ansible.cfg:

[defaults]
vault_password_file = ./vault_pass.txt

Then make sure your project sync includes the password file:

.
├── ansible.cfg
├── inventories/
│   └── production/
│       ├── hosts
│       └── group_vars/
│           └── all.yml (encrypted)
└── vault_pass.txt

When troubleshooting, check these Tower log locations:

  • /var/log/tower/tower.log - Main Tower service logs
  • /var/log/supervisor/ - Process supervision logs
  • Job output via Tower UI (most detailed for inventory sync)

For a maintainable solution, consider:

  1. Creating a dedicated "Vault Management" project that contains all encrypted files
  2. Using the ansible-vault CLI to rekey files when rotating passwords
  3. Implementing a credential rotation workflow

Example of how to rekey vault files when changing passwords:

# Paths to the old and new vault password files
export OLD_VAULT_PASS=old_password.txt
export NEW_VAULT_PASS=new_password.txt

# Rekey every vault file under the current directory. --vault-id accepts a
# password file path directly (optionally prefixed with label@).
find . -name "*.vault" -exec ansible-vault rekey \
  --vault-id "$OLD_VAULT_PASS" \
  --new-vault-id "$NEW_VAULT_PASS" {} \;
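Both answers keep a plaintext password file in the project tree, and the first answer's sync failure comes down to not knowing which vault secret a file needs. As an added pre-flight check (example code written here, not from either answer or from Tower/AWX), the script below walks a checked-out project, lists every whole-file vault-encrypted file with the vault-id label from its header, and flags a vault_pass.txt that is group/world readable or not listed in .gitignore. The sample project it builds is constructed; its vault body is not a real payload.

```python
import os, stat, tempfile
from pathlib import Path

VAULT_MAGIC = "$ANSIBLE_VAULT;"  # first line of every whole-file vault-encrypted file

def parse_vault_header(first_line):
    """(version, cipher, vault_id) from '$ANSIBLE_VAULT;1.2;AES256;label', else None."""
    if not first_line.startswith(VAULT_MAGIC):
        return None
    parts = first_line.strip().split(";")
    if len(parts) < 3:
        return None
    # 1.1 headers carry no label; 1.2 headers add the vault-id label as a 4th field
    return parts[1], parts[2], (parts[3] if len(parts) > 3 else "default")

def find_vault_files(root):
    """Map relative path -> parsed header for every encrypted file under root."""
    found = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            with path.open("r", encoding="utf-8", errors="ignore") as fh:
                header = parse_vault_header(fh.readline())
            if header:
                found[path.relative_to(root).as_posix()] = header
    return found

def password_file_findings(root, name="vault_pass.txt"):
    """Problems with a plaintext vault password file kept inside the project tree."""
    findings, pw = [], Path(root) / name
    if not pw.exists():
        return findings
    if stat.S_IMODE(pw.stat().st_mode) & 0o077:  # group/other can read it
        findings.append(f"{name}: mode is not 0600")
    gitignore = Path(root) / ".gitignore"
    if not (gitignore.exists() and name in gitignore.read_text().split()):
        findings.append(f"{name}: not in .gitignore, it would be committed with the project")
    return findings

def build_sample_project():
    """Constructed sample tree (same layout as the answer above); the vault body is fake."""
    root = Path(tempfile.mkdtemp())
    (root / "inventories/production/group_vars").mkdir(parents=True)
    (root / "inventories/production/hosts").write_text("[web]\nweb1\n")
    (root / "inventories/production/group_vars/all.yml").write_text("$ANSIBLE_VAULT;1.2;AES256;prod\n3334353637\n")
    (root / "vault_pass.txt").write_text("example-password\n")
    os.chmod(root / "vault_pass.txt", 0o644)
    return root

if __name__ == "__main__":
    project = build_sample_project()
    print(find_vault_files(project), password_file_findings(project))
```

Run it against a real checkout as the awx user (the sync runs as that user) to see which vault-id labels the inventory needs before attaching a credential.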