Since version 1.7, Ansible allows the vault password file to be a script, which made me think it should be possible to make this work with the macOS keychain. And so I did:
Created ~/.bin/ansible-vault-pass with the following content:

#!/bin/sh
NAME=$(basename "$PWD" | sed -e 's/ /-/g')
security find-generic-password -a ansible_vault_$NAME -w
And made it executable:
chmod +x ~/.bin/ansible-vault-pass
Configured Ansible in

[defaults]
vault_password_file = ~/.bin/ansible-vault-pass
And added a password for my vault to the keychain:
security add-generic-password -a ansible_vault_my-project -s ansible -w P4ssw0rd
The "account" (-a) of the password is ansible_vault_ combined with the name of the directory from which the Ansible command was invoked. I'm still thinking about maybe a username file in the directory to guard against directory renames and the like.
And now I can run all my Ansible commands without ever entering my password 🎉.
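Here is a slightly more defensive version of the same idea, as an added example and not the script from the post. It assumes a hypothetical .vault-name file in the project directory (the "name file" idea above) that, when present, overrides the directory name; it also passes the service name ansible from the add-generic-password command so the lookup cannot match an unrelated keychain item with the same account, and it exits non-zero with a message when no item is found, so Ansible reports an error instead of quietly trying an empty password. The keychain lookup only runs when the script is invoked under its installed name, which keeps the name-derivation function testable on machines without security(1).

```shell
#!/bin/sh
# Added example: Ansible vault password script backed by the macOS keychain.
# Assumptions (not from the original post): an optional .vault-name file in
# the project directory selects the keychain account; the service is "ansible".

# Derive the keychain account name for a project directory.
# Prefers the first line of <dir>/.vault-name (hypothetical), otherwise the
# directory's basename with spaces replaced by dashes, as in the original script.
vault_account_name() {
    dir=$1
    if [ -r "$dir/.vault-name" ]; then
        name=$(head -n1 "$dir/.vault-name" | tr -d '[:space:]')
    else
        name=$(basename -- "$dir" | sed -e 's/ /-/g')
    fi
    printf 'ansible_vault_%s\n' "$name"
}

# Look up the password for one account, restricted to the "ansible" service.
# security(1) exits non-zero when the item does not exist.
keychain_password() {
    security find-generic-password -s ansible -a "$1" -w
}

main() {
    account=$(vault_account_name "$PWD")
    if ! pw=$(keychain_password "$account"); then
        echo "ansible-vault-pass: no keychain item for account $account" >&2
        exit 1   # non-zero exit makes Ansible fail instead of using an empty password
    fi
    printf '%s\n' "$pw"
}

# Only perform the lookup when run as the installed script (~/.bin/ansible-vault-pass).
case $(basename -- "$0") in
    ansible-vault-pass) main ;;
esac
```

Install it the same way as the original (chmod +x, point vault_password_file at it) and add the keychain item with `security add-generic-password -s ansible -a "$(vault_account_name "$PWD")" -w` so the service and account match what the script queries.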