Vault variables not expanded under scrape config

[AlistairMaccallum]

When using encrypted vault variables in the prometheus_scrape_configs variables they do not populate to the decrypted vars they use the vault string instead.

e.g

# host vars

prometheus_scrape_configs:
  - job_name: test
    basic_auth:
      username: admin
      password: "{{ vault_encrypted_pass }}"
    static_configs:
      - targets:
          - target1

Even when "pre-decrypting" the var into another var the same thing happens

# host vars

prometheus_scrape_configs:
  - job_name: test
    basic_auth:
      username: admin
      password: "{{ plain_pass }}"
    static_configs:
      - targets:
          - target1

plain_pass: "{{ vault_encrypted_pass }}"

Ansible version

ansible [core 2.20.0]
  python version = 3.12.3 (main, Nov  6 2025, 13:44:16) [GCC 13.3.0]
  jinja version = 3.1.6
  pyyaml version = 6.0.3 (with libyaml v0.2.5)

prometheus.prometheus                    0.27.3

[pgassmann]

This is a change in newer ansible version in the to_nice_yaml filter. ansible/ansible#85722

You need to workaround with community.general.to_nice_yaml instead of the builtin to_nice_yaml, which resolves the vaulted content.

"pre-decrypting" does not change anything, it is just passed through. the new ansible version store some metadata with variables and strings.

[swb1systems]

The problem is the | to_nice_yaml(indent=2,sort_keys=False) in prometheus.yml.j2. More specifically, the indent=2 breaks the encryption. This is easily reproducible by trying to decrypt an indented secret in a text file on the command line – it won't work.

We use this workaround:

basic_auth:
  username: "{{ monitoring_mimir_user }}"
  password: "{{ monitoring_mimir_pwd | to_json(vault_to_text=True) | from_json }}"