monotux.tech

Better Ansible Vault passphrase management

Ansible, Secrets

I used to keep my Ansible vault passphrase in a plain text file – like a caveman! In this post I will give some alternatives that are less terrible than my starting point.


Basic setup #

I keep a file called ansible.cfg.default in my git repository, in which I track my default Ansible configuration. I’ve also added ansible.cfg to my .gitignore so I can have slightly different configuration files on different systems, for instance when using different secret storage backends on different operating systems.

The file looks something like this:

[defaults]
ansible_user = root
log_path = ansible.log
roles_path = ~/.ansible/roles:roles
vault_password_file = ./.vault_pass

That last line, vault_password_file, is how I’ve chosen to implement support for different backends: it points at an executable script that prints the passphrase. I’m tracking all files below in my homelab git repository.

kwallet #

As I’m experimenting with Asahi Fedora Remix on my MacBook Air, I’m using Plasma again, so kwallet is my first example.

Using kwalletmanager5 I created a new folder called ansible in my default wallet (the default name is kdewallet). Inside that folder I created a password entry called vault which contains just my vault password.

Then I created vault-kwallet.sh and made it executable.

#!/bin/bash

# Read the "vault" entry from the "ansible" folder of the "kdewallet" wallet and
# print it on stdout, which is what Ansible expects from a password script.
kwallet-query -r vault kdewallet -f ansible

Finally, change ansible.cfg to use this:

[defaults]
# ...
vault_password_file = ./vault-kwallet.sh

macOS wallet #

Same principle here: create a password item in the macOS Keychain (Keychain.app), here via the security command line tool:

$ security add-generic-password -a oscar -s ansible-vault-lab -w
password data for new item:
retype password for new item:

Save the following as vault-macos.sh:

#!/bin/sh

# The account (-a) and service (-s) must match the item created above with
# "security add-generic-password"; -w prints only the password.
/usr/bin/security find-generic-password -a oscar -s ansible-vault-lab -w

Change ansible.cfg to something like this:

[defaults]
# ...
vault_password_file = ./vault-macos.sh

GNOME keyring #

To store your secret in the GNOME keyring with secret-tool (and yes, setting a label is required!):

$ secret-tool store --label=ansible ansible vault
Password:

Save the following as vault-secret-tool.sh:

#!/bin/sh

# Look up the item stored above by its attribute pair "ansible vault" and print it.
secret-tool lookup ansible vault

And finally, make Ansible use it:

[defaults]
# ...
vault_password_file = ./vault-secret-tool.sh
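As an added example (my own, not code from the post), the three scripts above fold into one vault_password_file that picks whichever backend the current machine has and fails the play instead of printing an empty passphrase. It keeps the wallet, folder, entry, service and attribute names used above; the only assumption is $USER in place of the account name oscar.

```sh
#!/bin/sh
# vault-pass.sh: one vault_password_file script for every OS in the post.
# Ansible executes this file only because it is executable (chmod +x); a
# non-executable file is read verbatim, so the script text itself would
# become the passphrase.
# Assumption (not from the post): the Keychain account is "$USER" rather
# than a fixed login. All other names are the ones used above.

# Print the passphrase from the first backend present on this machine.
vault_lookup() {
    if command -v kwallet-query >/dev/null 2>&1; then
        kwallet-query -r vault -f ansible kdewallet
    elif command -v secret-tool >/dev/null 2>&1; then
        secret-tool lookup ansible vault
    elif [ -x /usr/bin/security ]; then
        /usr/bin/security find-generic-password -a "$USER" -s ansible-vault-lab -w
    else
        echo "vault-pass.sh: no supported secret backend found" >&2
        return 1
    fi
}

# Refuse to hand Ansible an empty passphrase: a missing entry, a locked wallet
# or a dismissed unlock prompt must fail the play, not silently decrypt nothing.
# The backend command is a parameter so a stand-in can be used for testing.
vault_pass() {
    lookup=${1:-vault_lookup}
    pass=$("$lookup") || return 1
    if [ -z "$pass" ]; then
        echo "vault-pass.sh: backend returned an empty passphrase" >&2
        return 1
    fi
    printf '%s\n' "$pass"
}

# Run the lookup only when Ansible executes this script directly, not when the
# functions are sourced elsewhere.
if [ "$(basename -- "$0")" = "vault-pass.sh" ]; then
    vault_pass
fi
```

Point every ansible.cfg at ./vault-pass.sh and the same repository checkout works on Plasma, GNOME and macOS without editing the config.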

Windows #

¯\_(ツ)_/¯