diff --git a/lib/ansible/cli/vault.py b/lib/ansible/cli/vault.py index 246a29e1e46..086579c3337 100644 --- a/lib/ansible/cli/vault.py +++ b/lib/ansible/cli/vault.py @@ -63,21 +63,22 @@ class VaultCLI(CLI): self.options, self.args = self.parser.parse_args() self.display.verbosity = self.options.verbosity - if self.options.output_file: - if self.action not in ['encrypt','decrypt']: - raise AnsibleOptionsError("The --output option can be used only with ansible-vault encrypt/decrypt") + can_output = ['encrypt', 'decrypt'] + if self.action not in can_output: + if self.options.output_file: + raise AnsibleOptionsError("The --output option can be used only with ansible-vault %s" % '/'.join(can_output)) + if len(self.args) == 0: + raise AnsibleOptionsError("Vault requires at least one filename as a parameter") + else: # This restriction should remain in place until it's possible to # load multiple YAML records from a single file, or it's too easy # to create an encrypted file that can't be read back in. But in # the meanwhile, "cat a b c|ansible-vault encrypt --output x" is # a workaround. - if len(self.args) > 1: + if self.options.output_file and len(self.args) > 1: raise AnsibleOptionsError("At most one input file may be used with the --output option") - elif len(self.args) == 0: - raise AnsibleOptionsError("Vault requires at least one filename as a parameter") - def run(self): super(VaultCLI, self).run()