Use macOS keychain for Ansible vault passwords
Since version 1.7, Ansible allows the vault password file to be a script, which made me think it should be possible to make this work with the macOS keychain. And so I did:
I created ~/.bin/ansible-vault-pass with the following content:
#!/bin/sh
# Derive the project name from the current directory, replacing spaces with dashes
NAME=$(basename "$PWD" | sed -e 's/ /-/g')
# Print the matching keychain password (-w) on stdout for Ansible to read
security find-generic-password -a "ansible_vault_$NAME" -w
And made it executable:
chmod +x ~/.bin/ansible-vault-pass
Configured ansible in ansible.cfg:
[defaults]
vault_password_file = ~/.bin/ansible-vault-pass
And added a password for my vault to the keychain:
security add-generic-password -a ansible_vault_my-project -s ansible -w P4ssw0rd
The "account" (-a) of the password is ansible_vault_ combined with the name of the directory from which the Ansible command was invoked. I'm still thinking about maybe a username file in the directory to prevent any directory renames and such.
And now I can run all my Ansible commands without ever entering my password 🎉.
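As an added example (not the tip's own script), here is a fuller version of the vault password script that also narrows the keychain lookup to the service the item was stored under (-s ansible, matching the add-generic-password call above) and fails loudly instead of handing Ansible an empty password. The optional .ansible-vault-id marker file and the sanitize step are assumptions of this example, not something the tip prescribes; the marker file is one way to keep the keychain entry stable across directory renames.

```sh
#!/bin/sh
# Added example, not the original tip's script. Derives the keychain account
# name for the current project and fetches the vault password from the macOS
# keychain. Assumes the password was stored as in the tip:
#   security add-generic-password -a ansible_vault_<name> -s ansible -w
# The ".ansible-vault-id" marker file is an assumption of this example.

SERVICE="ansible"
ID_FILE=".ansible-vault-id"

# project_name DIR: the project identifier used in the account name.
# Prefers the first line of DIR/.ansible-vault-id (so renaming the directory
# does not change the keychain entry), otherwise the directory's basename.
project_name() {
    dir=$1
    if [ -r "$dir/$ID_FILE" ]; then
        head -n 1 "$dir/$ID_FILE"
    else
        basename "$dir"
    fi
}

# sanitize NAME: spaces become dashes as in the original script; anything
# else outside alphanumerics, dot, underscore and dash is dropped.
sanitize() {
    printf '%s\n' "$1" | sed -e 's/ /-/g' -e 's/[^A-Za-z0-9._-]//g'
}

# account_for DIR: full keychain account name, e.g. ansible_vault_my-project
account_for() {
    printf 'ansible_vault_%s\n' "$(sanitize "$(project_name "$1")")"
}

# fetch_password DIR: print the password for DIR's project, or fail with a
# clear message on stderr rather than letting Ansible see an empty password.
fetch_password() {
    account=$(account_for "$1")
    if ! pw=$(security find-generic-password -s "$SERVICE" -a "$account" -w 2>/dev/null); then
        echo "ansible-vault-pass: no keychain item for account '$account' (service '$SERVICE')" >&2
        return 1
    fi
    printf '%s\n' "$pw"
}

# Only perform the lookup when invoked as the vault password script itself,
# so the functions above can be sourced or tested without touching the keychain.
case "$(basename "$0")" in
    ansible-vault-pass) fetch_password "$PWD" ;;
esac
```

When storing the password, leaving the value off the end of `security add-generic-password ... -w` makes `security` prompt for it interactively, which keeps the secret out of the shell history that a literal argument like the one above would leave behind.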
Written by Koen Punt