Last Updated: September 30, 2021 · koen

Use macOS keychain for Ansible vault passwords

Since version 1.7, Ansible allows the vault password file to be a script, which made me think it should be possible to make this work with the macOS keychain. And so I did:

I created ~/.bin/ansible-vault-pass with the following content:

#!/bin/sh
# Derive the keychain account name from the current directory, replacing spaces with hyphens
NAME=$(basename "$PWD" | sed -e 's/ /-/g')
# Print only the password (-w) of the matching generic keychain item; Ansible reads it from stdout
security find-generic-password -a "ansible_vault_$NAME" -w

And made it executable:

chmod +x ~/.bin/ansible-vault-pass

Configured ansible in ansible.cfg:

[defaults]
vault_password_file = ~/.bin/ansible-vault-pass

And added a password for my vault to the keychain:

security add-generic-password -a ansible_vault_my-project -s ansible -w P4ssw0rd

The "account" (-a) of the password is ansible_vault_ combined with the name of the directory from which the Ansible command was invoked. I'm still thinking about maybe using a name file in the directory instead, to guard against directory renames and such.

And now I can run all my Ansible commands without ever entering my password 🎉.
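As an added example (not the script from the post above), here is a variant that implements the name-file idea: an optional .ansible-vault-name file in the project directory (a hypothetical filename, my assumption) pins the account name so a directory rename does not break the lookup, the lookup also matches on the service (-s ansible) the item was created with, and a missing keychain item fails loudly instead of handing Ansible an empty password.

```shell
#!/bin/sh
# Assumed layout: an optional .ansible-vault-name file in the project directory
# (hypothetical name, not from the original post) overrides the directory-based name.

# Derive the keychain account name for a project directory.
# Usage: vault_account_name /path/to/project
vault_account_name() {
    dir=$1
    if [ -f "$dir/.ansible-vault-name" ]; then
        # Pinned name: renaming the directory no longer changes the account looked up.
        name=$(head -n 1 "$dir/.ansible-vault-name")
    else
        name=$(basename "$dir")
    fi
    # Same normalisation as the original script: spaces become hyphens.
    name=$(printf '%s' "$name" | sed -e 's/ /-/g')
    printf 'ansible_vault_%s\n' "$name"
}

# Fetch the vault password from the keychain. Matching on both account (-a)
# and service (-s) avoids silently returning another application's item that
# happens to share the account name. A missing item is a hard error so Ansible
# reports the script failure instead of trying an empty password.
lookup_vault_password() {
    account=$(vault_account_name "$1")
    if ! security find-generic-password -a "$account" -s ansible -w 2>/dev/null; then
        echo "ansible-vault-pass: no keychain item for account '$account'" >&2
        exit 1
    fi
}

# Only touch the keychain when installed under the script name Ansible calls,
# so the functions above can be sourced and tested without macOS.
case $(basename "$0") in
    ansible-vault-pass) lookup_vault_password "$PWD" ;;
esac
```

When adding the item, put -w last with no value so security prompts for the secret instead of recording it in your shell history.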