Ansible vault pass script

2021, Nov 29    

Ansible supports the notion of vaults, i.e. encrypted files that are decrypted on the fly. It supports both playbooks and vars files; we focus on the latter.

The official documentation is here

Plain file secret

Put the password in a file and pass --vault-password-file <file> so Ansible can read it.

Scripted

The specific documentation is here

  1. Create a file called *-client.sh, *-client.py or something similar
  2. Make it return the password on stdout
  3. Make it executable
  4. Specify it the same way as the plain-text file: --vault-password-file <file>

It has the nice advantage that the script can pull secrets from wherever, like other password vaults, APIs, plain text files and so on.

Ansible supports --vault-id, which acts as a selector, and the script will get the vault id as a parameter.

An example script is on gitlab.

To use it in ansible.cfg, add

[defaults]
vault_identity_list = id_A@secrets-client.sh,id_B@secrets-client.sh

If the id is omitted, the secret named default is used.
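A minimal secrets-client.py that follows the steps above, as an added example (not the script on gitlab). It assumes Ansible invokes a *-client.* script as `secrets-client.py --vault-id <label>` and reads the password from stdout; the environment-variable naming (ANSIBLE_VAULT_PASS_<LABEL>) is this example's own choice, standing in for whatever store you pull from.

```python
#!/usr/bin/env python3
"""secrets-client.py: Ansible vault password client (added example).

Ansible runs a *-client.* script as  secrets-client.py --vault-id <label>
and takes the password from stdout, so stdout must carry nothing else.
This version resolves the label via an environment variable (assumed
naming: ANSIBLE_VAULT_PASS_<LABEL>); swap lookup_password() for an API
call or another vault without touching the rest.
"""
import argparse
import os
import sys

DEFAULT_ID = "default"  # label Ansible uses when no id@ prefix is given


def parse_vault_id(argv):
    """Return the requested vault id from argv, or DEFAULT_ID if absent."""
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("--vault-id", default=DEFAULT_ID)
    args, _unknown = parser.parse_known_args(argv)  # ignore extra args
    return args.vault_id or DEFAULT_ID


def env_var_name(vault_id):
    """Map a label to an env var name, e.g. id_A -> ANSIBLE_VAULT_PASS_ID_A."""
    safe = "".join(c if c.isalnum() else "_" for c in vault_id)
    return "ANSIBLE_VAULT_PASS_" + safe.upper()


def lookup_password(vault_id, env):
    """Return the password for vault_id, or None if unset or empty."""
    value = env.get(env_var_name(vault_id))
    return value if value else None


def main(argv=None, env=None):
    argv = sys.argv[1:] if argv is None else argv
    env = os.environ if env is None else env
    vault_id = parse_vault_id(argv)
    password = lookup_password(vault_id, env)
    if password is None:
        # Diagnostics go to stderr; a non-zero exit makes Ansible fail loudly
        # instead of silently trying an empty password.
        print(f"no password configured for vault id {vault_id!r}", file=sys.stderr)
        return 1
    sys.stdout.write(password + "\n")  # Ansible strips the trailing newline
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Mark it executable and reference it as id_A@secrets-client.py in vault_identity_list; Ansible then calls it with --vault-id id_A.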

Update 220422: add ansible.cfg comment and fix bug in gist.