Hello,
I’ve constructed some Ansible playbooks on a Linux control machine, a machine to which Octopus Deploy connects as an SSH target (fully healthy). For sensitive Ansible variables, I’ve encrypted them via Ansible Vault (same password) and have stored this password as a persistent environment variable on the Linux target machine for the user that Octopus leverages when it uses SSH to log in. With that user, this is proven to work with $echo as it prints to screen in cleartext. Next, I’ve created a basic Python script with the os library to print the environment variable’s value in cleartext so it can be used to decrypt Ansible sensitive variables at the time of ansible command line execution, example below:
Command:
ansible-playbook -i <inventory.yml> playbooks/example_playbook.yml --vault-password-file vault-pass.py
When the above command is executed manually, it works fine. When I create a release to execute this same command, Ansible complains with the following (as seen on the Octopus Release ‘Raw Log’):
FAILED! => {"msg": "Decryption failed (no vault secrets were found that could decrypt)"}
Setup
Octopus Deploy: v.2018.5.1
Linux control server: Ubuntu 20.04.3 LTS
Python version (linux server): 3.9.5
Octopus Release Step type: Run a script → Script Content → Bash
Script content:
…
source ~/.bashrc
cd ~/network  # this is a symlink that works fine
ansible-playbook -i environment/inv.yml -l lab playbooks/backup_configuration.yml --vault-password-file vault-pass.py  # note: the vault-pass.py file is executable
…
The environment variable ‘ansible_vault_pass’ is exported in the user’s .bashrc file as follows:
export ansible_vault_pass="password"
When Octopus logs in during the release and it executes its ‘Script.sh’ in what appears to be a temporary working folder: /home/user/.octopus/OctopusServer/Work//Script.sh, it’s like it cannot see the environment variable if it is, in fact, truly executing the commands I give it on the Release step.
Any ideas and/or help will be greatly appreciated.
Thank you.
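
An added example, not part of the original post: a version of the vault-pass.py script described above that exits non-zero with a diagnostic on stderr when ansible_vault_pass is missing or empty, so the release log shows whether the variable reached the script instead of only a decryption failure. The function names, the exit code and the logged context fields are assumptions; only the variable name comes from the post.

```python
#!/usr/bin/env python3
"""Vault password client: print the password from the environment, or fail loudly."""
import os
import sys

ENV_NAME = "ansible_vault_pass"  # variable name taken from the post


class VaultPasswordError(Exception):
    """Raised when no usable password is available in the environment."""


def read_vault_password(environ=os.environ, name=ENV_NAME):
    """Return the vault password, or raise with a reason that is safe to log."""
    value = environ.get(name)
    if value is None:
        raise VaultPasswordError(f"{name} is not set in this process environment")
    value = value.strip("\r\n")  # drop stray line endings from the export
    if not value.strip():
        raise VaultPasswordError(f"{name} is set but empty")
    return value


def describe_context(environ=os.environ):
    """Non-secret facts about how the script was started, for the release log."""
    is_tty = bool(sys.stdin and sys.stdin.isatty())
    return (f"user={environ.get('USER', '?')} home={environ.get('HOME', '?')} "
            f"shell={environ.get('SHELL', '?')} stdin_is_tty={is_tty}")


def main(environ=os.environ):
    try:
        password = read_vault_password(environ)
    except VaultPasswordError as exc:
        # Diagnostics go to stderr only; the secret itself is never logged.
        print(f"vault-pass: {exc} ({describe_context(environ)})", file=sys.stderr)
        return 1
    sys.stdout.write(password + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Ansible treats a non-zero exit from a vault password script as an error and reports the script's stderr, so the reason appears in the Octopus raw log next to the failing task.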