Ansible lookup plugin throws TypeError: encoding without a string argument

I’m trying to use the anatomicjc.passbolt collection in our Ansible setup. We use Ansible in combination with AWX and have the collection as well as py-passbolt installed in the AWX Ansible Execution Environment.
The URL/Private key and pasphrase are set up as a Credential type within AWX, which exposes those strings as environment variables during the run of the playbook.

My playbook looks like this:

 name: Test passbolt lookup plugin
  hosts: localhost
  gather_facts: no
    - name: check environment
        msg: |
          PASSBOLT_BASE_URL: {{ lookup('ansible.builtin.env', 'PASSBOLT_BASE_URL') }}
          PASSBOLT_PRIVATE_KEY: {{ lookup('ansible.builtin.env', 'PASSBOLT_PRIVATE_KEY') }}
          PASSBOLT_PASSPHRASE: {{ lookup('ansible.builtin.env', 'PASSBOLT_PASSPHRASE') }}
    - name: Lookup predefined resource
        msg: "Password is: {{ lookup('anatomicjc.passbolt.passbolt', 'Ansible predefined test resource').password }}"


ansible-playbook [core 2.15.0]
  config file = None
  configured module search path = ['/runner/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.9/site-packages/ansible
  ansible collection location = /runner/requirements_collections:/runner/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible-playbook
  python version = 3.9.18 (main, Sep  7 2023, 00:00:00) [GCC 11.4.1 20230605 (Red Hat 11.4.1-2)] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True
No config file found; using defaults
Vault password: 
host_list declined parsing /runner/inventory/hosts as it did not pass its verify_file() method
Parsed /runner/inventory/hosts inventory source with script plugin
Skipping callback 'awx_display', as we already have a stdout callback.
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.

PLAYBOOK: passbolt-test.yml ****************************************************
1 plays in passbolt-test.yml

PLAY [Test passbolt lookup plugin] *********************************************

TASK [check environment] *******************************************************
task path: /runner/project/passbolt-test.yml:6
ok: [localhost] => {

TASK [Lookup predefined resource] **********************************************
task path: /runner/project/passbolt-test.yml:12
exception during Jinja2 execution: Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/ansible/template/", line 831, in _lookup
    ran =, variables=self._available_variables, **kwargs)
  File "/usr/share/ansible/collections/ansible_collections/anatomicjc/passbolt/plugins/lookup/", line 278, in run
    self.passbolt_init(variables, kwargs)
  File "/usr/share/ansible/collections/ansible_collections/anatomicjc/passbolt/plugins/lookup/", line 248, in passbolt_init
    self.p = PassboltAPI(dict_config=self.dict_config)
  File "/usr/local/lib/python3.9/site-packages/passbolt/", line 28, in __init__
    self.key, _ = PGPKey.from_blob(self.config.get("private_key"))
  File "/usr/local/lib/python3.9/site-packages/pgpy/", line 195, in from_blob
    po = obj.parse(bytearray(blob, 'latin-1'))
TypeError: encoding without a string argument
fatal: [localhost]: FAILED! => {
    "msg": "An unhandled exception occurred while running the lookup plugin 'anatomicjc.passbolt.passbolt'. Error was a <class 'TypeError'>, original message: encoding without a string argument. encoding without a string argument"

PLAY RECAP *********************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

As you can see, the environment variables are set and readable by ansible.builtin.env (replaced sensitive strings here for posting). But somehow it seems not to be picked up correctly by anatomicjc.passbolt or py-passbolt as the error tells me that the passed blob coming from self.config.get("private_key") is not a string?

Any idea what could be going wrong here ?

Hi @Robinr :wave:

Thanks for trying out this lookup plugin.

Can you try to add an environment section in your playbook like this:

 name: Test passbolt lookup plugin
    PASSBOLT_BASE_URL: "{{ lookup('ansible.builtin.env', 'PASSBOLT_BASE_URL') }}"
    PASSBOLT_PRIVATE_KEY: "{{ lookup('ansible.builtin.env', 'PASSBOLT_PRIVATE_KEY') }}"
    PASSBOLT_PASSPHRASE: "{{ lookup('ansible.builtin.env', 'PASSBOLT_PASSPHRASE') }}"
  hosts: localhost
  gather_facts: no

I’m not sure it will solve your problem as the error message is encoding without a string argument.

If your PASSBOLT_PRIVATE_KEY is encrypted with ansible-vault, maybe could you add a | string Jinja2 filter, like this:

 name: Test passbolt lookup plugin
    PASSBOLT_BASE_URL: "{{ lookup('ansible.builtin.env', 'PASSBOLT_BASE_URL') }}"
    PASSBOLT_PRIVATE_KEY: "{{ lookup('ansible.builtin.env', 'PASSBOLT_PRIVATE_KEY') | string }}"
    PASSBOLT_PASSPHRASE: "{{ lookup('ansible.builtin.env', 'PASSBOLT_PASSPHRASE') }}"
  hosts: localhost
  gather_facts: no

I usually add this | string filter to vaulted variables.

Here is an example:

    pwd: !vault |
    pwd_salt: !vault |

  uid: "1000"
  createhome: "yes"
  group: "user1"
  password: "{{ users_pwd.user1.pwd | string | password_hash('sha512', }}"
    - "docker"

Hope this helps,

Hi @AnatomicJC, Thanks for your reply…
Unfortunately adding the environment section makes no difference, neither does adding the | string filter (despite the values in the OS environment not being vaulted; but I tried to be sure).

I have also tried defining the variables inside Ansible inventory as vaulted strings, instead of using the OS environment variables. But also to no avail; I always keep getting the exact same error: “encoding without a string argument”.

On the other hand, I have been using username/password authentication through OS environment variables already on the community.vmware collection which gives the choice to authenticate using module parameters or OS environment variables VMWARE_HOST, VMWARE_USER, VMWARE_PASSWORD. And there I never had any trouble to have the collection use those OS env variables (also without environment: block in the plays, just the variables present in the OS env). So I’m assuming it has nothing to do with the AWX Ansible Execution Environment setup.

I’m not very experienced with Python, but I checked the code of the community.vmware collection. And they seem to be using ansible.module_utils.common.parameters.env_fallback in while you seem to implement your own fallback to environment method (while I don’t immediately see where it could be going wrong in your implementation, it may be better to use the built-in method?).

I had a look at your error, I would say you private key is not stored in an expected format for the pgpy library.

The private key is read from there in the passbolt-py library:

And this method from PGPy is invoked:

Some hints:

In /usr/local/lib/python3.9/site-packages/passbolt/ near line 28, you can try to add some debug like printing type of self.config.get("private_key"), I am interested by the result here:


Did you read the last section of the readme about how to format private key for environment variables: GitHub - passbolt/lab-passbolt-py: Python library for Passbolt API

As an alternative to environment variable, maybe can you try to store the private key in ansible inventory and encrypt it with ansible-vault, as I did here: lab-passbolt-ansible-poc/playbooks/example-playbook.yml at main · passbolt/lab-passbolt-ansible-poc · GitHub

On my side, I will try to setup an AWX instance and try to reproduce your issue.

I will let you know.

After adding the debug code you provided I found out the type of the private_key variable is:

<class 'ansible.parsing.yaml.objects.AnsibleVaultEncryptedUnicode'>

Which didn’t add up as there is currently no vaulted string in the play nor the environment. So I investigated further and found out that somehow AWX didn’t overwrite it’s internal list of host/group vars when syncing from the inventory source (while it is set to actually do so) and there was still a leftover definition of those PASSBOLT_ vars from previous tests which where no longer present in the inventory source. Hence my confusion.

Anyway, I have now cleared those definitions from the AWX internal inventory and now I have this as type for the string:

<class 'ansible.utils.unsafe_proxy.NativeJinjaUnsafeText'>

And the error changed into:

Error was a <class 'ValueError'>, original message: Expected: ASCII-armored PGP data.

Not sure about the error, I removed the environment: block from the play hoping that the lookup plugin would just take the OS environment variables as originally intended.
The type now has changed to:

<class 'str'>

which looks perfect to me :slight_smile:

But the play still fails with the error Expected: ASCII-armored PGP data.
So it seems now the problem is actually the formatting of the key.

For that I did follow the procedure and executed sed -z 's/\n/\\n/g' passbolt-recovery-kit.txt to get the required string.
This string is formatted like this:


I finally solved it.
It turned out I had to define the AWX credential field for the private key as a “multiline” field and paste the private key as is (without newline conversion) into the field. AWX then automatically replaces all newlines to “\n” when putting it into an OS environment variable of the Execution Environment container.

As a result I now get this output:

TASK [Lookup predefined resource] **********************************************
task path: /runner/project/passbolt-test.yml:16
<class 'str'>
/usr/local/lib/python3.9/site-packages/pgpy/ CryptographyDeprecationWarning: IDEA has been deprecated
  bs = {SymmetricKeyAlgorithm.IDEA: algorithms.IDEA,
/usr/local/lib/python3.9/site-packages/pgpy/ CryptographyDeprecationWarning: CAST5 has been deprecated
  SymmetricKeyAlgorithm.CAST5: algorithms.CAST5,
/usr/local/lib/python3.9/site-packages/pgpy/ CryptographyDeprecationWarning: Blowfish has been deprecated
  SymmetricKeyAlgorithm.Blowfish: algorithms.Blowfish,
ok: [localhost] => {
    "msg": "Password is: MH6-%M32k=TV=r'-J)"

(no wories, password is not used anywhere and is just generated as a test entry)

I assume I can ignore those warnings.

For sake of completeness and in case you want to add this to the documentation of the plugin. To be able to use the plugin with AWX, these are the steps you have to perform:

  • Build a custom AWX Execution Environment using Ansible Builder:
    • add
      to requirements.txt
    • add
          - name: anatomicjc.passbolt
      to requirements.yml
  • Add a new Custom Credential Type to AWX:
    • Name: Passbolt Credentials
    • Description: Passbolt credentials for accessing Passbolt
    • Configuration input:
      - id: passbolt_url
        type: string
        label: Passbolt Base URL
      - id: passbolt_private_key
        type: string
        label: Passbolt Private GPG Key
        secret: true
        multiline: true
      - id: passbolt_passphrase
        type: string
        label: Passbolt Private GPG Key Passphrase
        secret: true
      - passbolt_url
      - passbolt_private_key
      - passbolt_passphrase
    • Configuration injector:
        PASSBOLT_BASE_URL: '{{ passbolt_url }}'
        PASSBOLT_PASSPHRASE: '{{ passbolt_passphrase }}'
        PASSBOLT_PRIVATE_KEY: '{{ passbolt_private_key }}'
  • Add a new credential of the type Passbolt Credentials to AWX:
    • Set the url and passphrase
    • Upload or paste the contents of the Private key file into the Passbolt Private GPG Key field without any modifications
  • Create or update an AWX template to use the custom EE and add the above defined Passbolt Credentails. The playbook executed by this template will now have access to passbolt using the lookup plugin.


Many thanks for this documentation @Robinr

I pushed a new release including your documentation:



@AnatomicJC, thanks, but I noticed a small error/typo. I submitted a new pull request to fix it :slight_smile:

Thanks, I merged it