Better Ansible Vault passphrase management
I used to manage my Ansible vault passphrase like a plain text file – like a caveman! In this post I will give some alternatives that are less terrible than my starting point.

## Basic setup
I keep a file called `ansible.cfg.default` in my git repository, in which I track my default Ansible configuration. I've also added `ansible.cfg` to my `.gitignore` so that I can have slightly different configuration files on different systems, for example when using different secret storage backends on different operating systems.

The file looks something like this:
```ini
[defaults]
ansible_user = root
log_path = ansible.log
roles_path = ~/.ansible/roles:roles
vault_password_file = ./.vault_pass
```
That last line, `vault_password_file`, is how I've chosen to implement support for using different backends. I'm tracking all files below in my homelab git repository.
## kwallet

As I'm experimenting with Asahi Fedora Remix on my MacBook Air, I'm using Plasma again, so kwallet is my first example.
Using `kwalletmanager5` I created a new folder called `ansible` in my default wallet (the default name is `kdewallet`). Inside that folder I created a password entry called `vault` which just contains my vault password.

Then I created `vault-kwallet.sh` and made it executable.
```bash
#!/bin/bash
# Print the "vault" entry from the "ansible" folder of the kdewallet wallet.
kwallet-query -r vault kdewallet -f ansible
```
Finally, change `ansible.cfg` to use this (the section is `[defaults]`, as in the base config above):

```ini
[defaults]
# ...
vault_password_file = ./vault-kwallet.sh
```
## macOS wallet

Same principle here: create a password in the macOS Keychain.app:

```
$ security add-generic-password -a oscar -s ansible-vault-lab -w
password data for new item:
retype password for new item:
```
Save the following as `vault-macos.sh`:

```sh
#!/bin/sh
# Look up the item by account (-a) and service (-s) and print only the password (-w).
# The service name must match the one given to add-generic-password above.
/usr/bin/security find-generic-password -a oscar -s ansible-vault-lab -w
```
Change `ansible.cfg` to something like this:

```ini
[defaults]
# ...
vault_password_file = ./vault-macos.sh
```
## GNOME keyring

To store your secret in the GNOME keyring with `secret-tool` (and yes, setting a label is required):

```
$ secret-tool store --label=ansible ansible vault
Password:
```
Save the following as `vault-secret-tool.sh`:

```sh
#!/bin/sh
# Look up the item whose attribute "ansible" has the value "vault" and print its secret.
secret-tool lookup ansible vault
```
And finally, make Ansible use it:

```ini
[defaults]
# ...
vault_password_file = ./vault-secret-tool.sh
```
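Since the three scripts above only differ in which backend they call, one helper can pick the backend that exists on the current machine and fail loudly when the lookup returns nothing, so a missing entry never turns into an empty passphrase. This is an added example, not code from the post; the entry names (kwallet folder `ansible`/entry `vault`, Keychain account `oscar`/service `ansible-vault-lab`, secret-tool attribute `ansible vault`) are taken from the sections above, while the file name `vault-pass.sh` and the function names are my own.

```shell
#!/bin/sh
# vault-pass.sh (hypothetical): one vault_password_file helper for every backend in this post.
# Point ansible.cfg at it (vault_password_file = ./vault-pass.sh) and make it executable.

# Choose a backend from the OS name (uname -s) and a space-separated list of commands
# found on PATH. Inputs are passed in rather than probed here so this can be tested offline.
pick_backend() {
  os=$1; cmds=" $2 "
  case "$os" in
    Darwin)
      case "$cmds" in *" security "*) echo macos; return 0 ;; esac ;;
    Linux)
      # Prefer the desktop's own wallet CLI when present, otherwise the GNOME keyring.
      case "$cmds" in *" kwallet-query "*) echo kwallet; return 0 ;; esac
      case "$cmds" in *" secret-tool "*) echo secret-tool; return 0 ;; esac ;;
  esac
  return 1
}

# List which of the known backend commands are installed.
available_commands() {
  for c in security kwallet-query secret-tool; do
    command -v "$c" >/dev/null 2>&1 && printf '%s ' "$c"
  done
}

# Read the passphrase from the chosen backend, using the same entries as the post.
fetch_secret() {
  case "$1" in
    kwallet)     kwallet-query -r vault kdewallet -f ansible ;;
    macos)       /usr/bin/security find-generic-password -a oscar -s ansible-vault-lab -w ;;
    secret-tool) secret-tool lookup ansible vault ;;
    *)           return 1 ;;
  esac
}

main() {
  backend=$(pick_backend "$(uname -s)" "$(available_commands)") || {
    echo "vault-pass.sh: no supported secret backend found" >&2; exit 1; }
  secret=$(fetch_secret "$backend") || {
    echo "vault-pass.sh: $backend lookup failed" >&2; exit 1; }
  # An empty result means the entry is missing or the wallet is locked: refuse to continue.
  [ -n "$secret" ] || { echo "vault-pass.sh: empty secret from $backend" >&2; exit 1; }
  printf '%s\n' "$secret"
}

# Only run main when invoked as the script itself, so the functions can be sourced for tests.
case "$0" in */vault-pass.sh|vault-pass.sh) main "$@" ;; esac
```

Ansible only sees the script's standard output and exit status, so the error messages go to stderr and a non-zero exit aborts the run instead of decrypting with a wrong passphrase.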
## Windows
¯\_(ツ)_/¯