Why can't I view my file with ansible-vault?


What am I doing wrong here?

$ ansible-vault encrypt_string --output ./example.yml --vault-password-file .vault_pass more
Encryption successful
$ ansible-vault view --vault-password-file .vault_pass example.yml
ERROR! input is not vault encrypted data. example.yml is not a vault encrypted file for example.yml

$ cat example.yml 
!vault |
          $ANSIBLE_VAULT;1.1;AES256
          65366566626238336566363334613665653131636338643930643163643538396332376162393331
          6537353466653333326537656264393737356561353665300a306536393733363339636261303866
          65336637333965636231356437653935356139333864373237623033333466623938313865623539
          3536366534636538660a303563666439623761363531313961363235343339623061333832316638
          6530    

When I remove !vault | from the file, I'm able to view it:

$ cat example.yml
$ANSIBLE_VAULT;1.1;AES256
65366566626238336566363334613665653131636338643930643163643538396332376162393331
6537353466653333326537656264393737356561353665300a306536393733363339636261303866
65336637333965636231356437653935356139333864373237623033333466623938313865623539
3536366534636538660a303563666439623761363531313961363235343339623061333832316638
6530

View the file

ansible-vault view --vault-password-file .vault_pass example.yml
more

I would expect to view the file without modification.

larsks On

The output of encrypt_string is meant to be used as the value in an ansible variable file (a key: value dictionary). That is, you would expect to see something like:

my_secret_value: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          63643836636439323039336366663038363734656632393364383065656235656261323933333666
          3732653061343536366334306431336232326561336430330a333731396233353032316235316238
          33393865313365303539326461383738323436376538616233663562336534353261653461623037
          3662343261623466660a613335646438366134653337636663373061666131343037303338303039
          3234

You would use this in a playbook like:

- hosts: localhost
  gather_facts: false
  tasks:
    - debug:
        msg: "my secret value is: {{ my_secret_value }}"

We would run the playbook like this:

ansible-playbook playbook.yaml -e @file_with_secret.yml --vault-pass-file .vault_pass

The ansible-vault view command is for viewing an encrypted file (that you create using the encrypt command), rather than a single encrypted value in an otherwise plaintext file:

$ echo this is a test| ansible-vault encrypt --vault-pass-file .vault_pass  > example.vault
$ ansible-vault view --vault-pass-file .vault_pass  example.vault
this is a test
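
The difference between the two formats can be checked without the vault password. The following is an added example, not part of the original answer and not Ansible's own code; the function names are hypothetical. It approximates the header check that makes `view` reject the question's example.yml, extracts the inline `!vault |` value into a standalone envelope, and splits that envelope into its salt, HMAC and ciphertext.

```python
import binascii

HEADER = "$ANSIBLE_VAULT"

# Sample input: the example.yml from the question (output of encrypt_string).
EXAMPLE_YML = """!vault |
          $ANSIBLE_VAULT;1.1;AES256
          65366566626238336566363334613665653131636338643930643163643538396332376162393331
          6537353466653333326537656264393737356561353665300a306536393733363339636261303866
          65336637333965636231356437653935356139333864373237623033333466623938313865623539
          3536366534636538660a303563666439623761363531313961363235343339623061333832316638
          6530
"""


def looks_like_vault_file(text):
    """Approximate the precondition for `ansible-vault view`: the file starts with the header."""
    return text.startswith(HEADER)


def extract_inline_vault(text):
    """Pull the block scalar out of a `!vault |` tagged value and strip its indentation."""
    _, found, rest = text.partition("!vault |")
    if not found:
        raise ValueError("no !vault tagged value found")
    lines = []
    for line in rest.splitlines()[1:]:  # skip the remainder of the tag line
        if line.strip() and not line[0].isspace():
            break  # an unindented line is the next YAML key, so the block has ended
        if line.strip():
            lines.append(line.strip())
    return "\n".join(lines) + "\n"


def parse_envelope(envelope):
    """Return the header fields and the byte lengths of the three payload parts."""
    header, *body = envelope.strip().splitlines()
    magic, version, cipher = header.split(";")[:3]
    if magic != HEADER:
        raise ValueError("not a vault envelope")
    # AES256 payload: hex(salt) \n hex(hmac) \n hex(ciphertext), hex-encoded once more.
    salt, hmac, ct = (binascii.unhexlify(p) for p in binascii.unhexlify("".join(body)).split(b"\n"))
    return {"version": version, "cipher": cipher, "salt": len(salt), "hmac": len(hmac), "ciphertext": len(ct)}


if __name__ == "__main__":
    print("file as written passes header check:", looks_like_vault_file(EXAMPLE_YML))
    envelope = extract_inline_vault(EXAMPLE_YML)
    print("extracted value passes header check:", looks_like_vault_file(envelope))
    print(parse_envelope(envelope))
```

The extracted envelope is the same content the question produced by hand when removing `!vault |`, which is why `view` accepted that version.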