Use ansible-lint with Vault Files #
Why I wrote this post #
I decided to write this post because I struggled to find clear, practical examples of how to make ansible-lint work with Ansible Vault files in CI/CD environments. While searching for solutions, I found a GitHub discussion where someone was asking the exact same question I had.
The official ansible-lint documentation mentions that decrypting Ansible Vault in CI is possible, but frustratingly, it doesn’t provide any actual examples of how to implement it. After some trial and error, I figured out a working solution that I want to share.
The Problem #
If you’ve ever tried to run ansible-lint in CI/CD on playbooks that use Ansible Vault, you’ve probably encountered this error:
ERROR! Attempting to decrypt but no vault secrets found
The Solution #
Step 1: Create ansible.cfg #
In your repository root (the directory the CI job runs from, so Ansible picks the file up automatically), create an ansible.cfg file:
[defaults]
vault_password_file = /home/gitlab-runner/.ANSIBLE_VAULT_PASSWORD_FILE
Step 2: Vault password file #
On your CI runner, create the password file, readable only by the user the runner executes jobs as (here gitlab-runner):
echo "your_vault_password" > /home/gitlab-runner/.ANSIBLE_VAULT_PASSWORD_FILE
chmod 600 /home/gitlab-runner/.ANSIBLE_VAULT_PASSWORD_FILE
chown gitlab-runner:gitlab-runner /home/gitlab-runner/.ANSIBLE_VAULT_PASSWORD_FILE
Step 3: Create the CI #
Your GitLab CI job becomes beautifully simple:
ansible-lint:
  stage: lint
  script:
    - ansible-lint playbooks/
That’s it!
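Added example, not from the original post: a small POSIX shell pre-flight check to run in the CI job before ansible-lint, so a missing, empty or over-permissive vault password file fails fast with a clear message instead of the "no vault secrets found" error. The helpers vault_password_file_from_cfg and check_vault_password_file are hypothetical, and the mode check assumes GNU stat on the runner.

```shell
#!/bin/sh
# Hypothetical pre-flight check for the vault password file that ansible.cfg
# points at. Run it in the CI job before ansible-lint. Assumes GNU stat.

# Print the vault_password_file value from an ansible.cfg (path in $1).
vault_password_file_from_cfg() {
    sed -n 's/^[[:space:]]*vault_password_file[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Return 0 if the file exists, is non-empty and is readable only by its
# owner (mode 600 or 400, matching the chmod step above); otherwise
# explain the problem on stderr and return 1.
check_vault_password_file() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "vault password file missing: $f" >&2
        return 1
    fi
    if [ ! -s "$f" ]; then
        echo "vault password file is empty: $f" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *)
            echo "vault password file $f has mode $mode; expected 600" >&2
            return 1 ;;
    esac
}

# Typical use in the CI script, before the lint step:
#   check_vault_password_file "$(vault_password_file_from_cfg ansible.cfg)" && ansible-lint playbooks/
```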