Vault-encrypted passwords not decrypting in config files with Ansible 2.19+
Description
When using Ansible 2.19+ (tested with 2.20.0), vault-encrypted passwords referenced in datadog_checks are written to Datadog configuration files as encrypted vault blocks instead of being decrypted to plaintext.
Environment
- Ansible version: 2.20.0 (ansible-core)
- ansible-datadog role version: Latest from Ansible Galaxy
- Operating System: Linux (Ubuntu/Debian tested, likely affects all platforms)
- Python version: 3.14.0
Steps to Reproduce
- Create a vault-encrypted password variable in group_vars or host_vars:

```yaml
my_service_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  [encrypted data]
```

- Reference the encrypted variable in datadog_checks:

```yaml
datadog_checks:
  service_check:
    instances:
      - host: localhost
        port: 1234
        password: "{{ my_service_password }}"
```

- Run the playbook with the vault password:

```shell
ansible-playbook -i inventory playbook.yml --ask-vault-pass --tags datadog
```

- Check the generated configuration file at /etc/datadog-agent/conf.d/service_check.d/conf.yaml
Expected Behavior
The password field in the configuration file should contain the decrypted plaintext password:

```yaml
password: "my_actual_password"
```

Actual Behavior
The password field contains the full encrypted vault block:

```yaml
password: |
  $ANSIBLE_VAULT;1.1;AES256
  36383239623737303766623762303965383038356133323235303035343164333961626262666666
  3437343764343162363736663639643037656231656238630a363166393530653739646465356234
  ...
```

Root Cause
Starting in Ansible 2.19, there was an intentional breaking change in how vault-encrypted values are handled. Vault values are now stored as "string subclasses with a tag containing the source ciphertext." When the to_nice_yaml filter (used in templates/checks.yaml.j2:3) serializes the datadog_checks dictionary, it preserves the vault tag by design to prevent accidental loss of vault metadata.
This is confirmed as expected behavior in Ansible 2.19 as a security improvement for YAML round-trippability.
References:
- Inconsistent rendering of vaulted inline vs. file vaulted variables ansible/ansible#85722
- https://forum.ansible.com/t/vault-encrypted-strings-no-longer-decrypting-through-to-yaml-after-2-19-upgrade/44321
Workaround
Force decryption before the value enters datadog_checks by using string concatenation:

```yaml
# Create intermediate variable with forced decryption
my_service_password_decrypted: "{{ my_service_password ~ '' }}"

datadog_checks:
  service_check:
    instances:
      - host: localhost
        port: 1234
        password: "{{ my_service_password_decrypted }}"
```

The `~ ''` (concatenate with empty string) strips the vault tag and forces decryption before YAML serialization occurs.
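To make the root cause and the workaround concrete, here is an added, stand-alone illustration (not code from the ansible-datadog role or from Ansible itself). `VaultedStr` stands in for the 2.19+ "string subclass with a tag", `yaml_scalar` is a deliberately minimal serializer with the tag-preserving behaviour the issue attributes to `to_nice_yaml`, `jinja_concat` does what Jinja2's `~` operator does, and `render_instance` is a hypothetical mini-template standing in for `templates/checks.yaml.j2`. The ciphertext is a constructed placeholder, not a real vault payload. `find_vault_blocks` is the post-render check a practitioner can run over a generated conf.yaml to confirm no vault header survived into the agent configuration.

```python
# Added illustration (not ansible-datadog or Ansible code): a stand-in for
# Ansible 2.19's tagged vault string, a minimal serializer that preserves the
# tag the way the issue describes, the `~ ''` trick, and a post-render check.
from typing import Any

# Constructed sample ciphertext; not a real vault payload.
SAMPLE_CIPHERTEXT = (
    "$ANSIBLE_VAULT;1.1;AES256\n"
    "00000000000000000000000000000000\n"
    "11111111111111111111111111111111"
)


class VaultedStr(str):
    """Stand-in for the 2.19+ 'string subclass with a tag': the str value is
    the decrypted plaintext, the source ciphertext rides along as an attribute."""

    def __new__(cls, plaintext: str, ciphertext: str) -> "VaultedStr":
        obj = super().__new__(cls, plaintext)
        obj.ciphertext = ciphertext
        return obj


def yaml_scalar(key: str, value: Any, indent: int = 0) -> str:
    """Minimal serializer with the tag-preserving behaviour described in the
    issue: a VaultedStr is written back as a `!vault |` block, anything else
    as a plain quoted scalar."""
    pad = " " * indent
    if isinstance(value, VaultedStr):
        block = "\n".join(f"{pad}  {line}" for line in value.ciphertext.splitlines())
        return f"{pad}{key}: !vault |\n{block}\n"
    return f'{pad}{key}: "{value}"\n'


def jinja_concat(*parts: Any) -> str:
    """What Jinja2's `~` operator does: str() each operand and join them. The
    result is always a plain str, so `value ~ ''` drops the VaultedStr tag
    (and with it the ciphertext) before serialization."""
    return "".join(str(p) for p in parts)


def render_instance(password: Any) -> str:
    """Render one check instance shaped like the issue's conf.yaml snippet
    (hypothetical mini-template standing in for templates/checks.yaml.j2)."""
    out = "instances:\n  - host: localhost\n    port: 1234\n"
    return out + yaml_scalar("password", password, indent=4)


def find_vault_blocks(rendered: str) -> list[int]:
    """Post-render check: 1-based line numbers of any vault header that
    survived into a generated conf.yaml. A non-empty list means the check
    would run with the ciphertext block as its password."""
    return [n for n, line in enumerate(rendered.splitlines(), 1)
            if line.strip().startswith("$ANSIBLE_VAULT;")]


if __name__ == "__main__":
    secret = VaultedStr("my_actual_password", SAMPLE_CIPHERTEXT)
    broken = render_instance(secret)                    # what 2.19+ produces
    fixed = render_instance(jinja_concat(secret, ""))   # after the `~ ''` workaround
    print(broken, "vault headers at lines:", find_vault_blocks(broken))
    print(fixed, "vault headers at lines:", find_vault_blocks(fixed))
```

Run it directly to see both renderings side by side; the same `find_vault_blocks` scan can be pointed at the real files under /etc/datadog-agent/conf.d/ after a playbook run to catch this regression in CI before the agent picks the configuration up.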