Using Mac Keychain with Ansible Vault

Problem

I wanted to use the macOS keychain with Ansible vault and tried the method in Jeff Ramnani's post.

For me, though, declaring vault_password_file in a user Ansible config file didn't work. I'm using ansible.cfg files in the directories of different projects, and due to Ansible's precedence, my user config file is being ignored.

Solution

The solution was to pass vault_password_file into Ansible using the ANSIBLE_VAULT_PASSWORD_FILE environment variable. Ansible reads only the first config file it finds (ANSIBLE_CONFIG, then ./ansible.cfg, then ~/.ansible.cfg, then /etc/ansible/ansible.cfg), so a project's ansible.cfg hides the user one entirely; but the environment variable for an individual setting overrides whichever config file was chosen, so it takes effect in every project.

Here's the technique:

  1. As in Jeff's post:
    • Create a keychain item that contains the password.
    • Create your executable vault password script.
    • However, you do not need to edit .ansible.cfg or other Ansible config files.
  2. In your ~/.bashrc file, define ANSIBLE_VAULT_PASSWORD_FILE as the path of the password script. Of course, if you're using another shell, define the environment variable as appropriate for that shell (~/.zshrc for zsh, for example). Note that Terminal on macOS starts login shells, which read ~/.bash_profile rather than ~/.bashrc unless one sources the other, so put the export where your interactive shells actually pick it up.

    For example:

    export ANSIBLE_VAULT_PASSWORD_FILE="${HOME}/bin/vault_password_file.sh"
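As an added example of the password script from step 1 (this is not the post's script, nor Jeff Ramnani's; it is written in Python rather than the .sh the export above points at, so the variable would be set to the path of this file instead, for instance ~/bin/vault_password_file.py), the following reads the password from the macOS keychain with the `security` command-line tool and adds the two checks a practitioner wants: that the file is actually executable, and that the lookup fails loudly. The keychain service name `ansible-vault`, the account name, the overriding environment variables and the `--check` flag are all assumptions of this example. Ansible runs an executable ANSIBLE_VAULT_PASSWORD_FILE and uses its stdout as the password; a non-executable file is read as a literal plaintext password, which is why the mode check matters.

```python
#!/usr/bin/env python3
"""Ansible vault password script backed by the macOS keychain.

Added example, not the post's script.  Ansible executes this file (it must be
chmod +x) and takes what it prints on stdout as the vault password.  The
keychain item is assumed to have been created with:

    security add-generic-password -a "$USER" -s ansible-vault -w

The service and account names below are assumptions, overridable by env vars.
"""
import os
import stat
import subprocess
import sys

KEYCHAIN_SERVICE = os.environ.get("ANSIBLE_VAULT_KEYCHAIN_SERVICE", "ansible-vault")
KEYCHAIN_ACCOUNT = os.environ.get("ANSIBLE_VAULT_KEYCHAIN_ACCOUNT", os.environ.get("USER", ""))


def keychain_command(service, account):
    """argv for the lookup; -w makes `security` print only the password."""
    return ["security", "find-generic-password", "-s", service, "-a", account, "-w"]


def normalise_password(raw):
    """Strip the newline `security -w` appends; reject output Ansible could
    not use as a single password (empty, or containing line breaks)."""
    password = raw.rstrip("\r\n")
    if not password:
        raise RuntimeError("keychain item is empty")
    if "\n" in password or "\r" in password:
        raise RuntimeError("keychain item contains a line break")
    return password


def read_keychain_password(service, account, run=subprocess.run):
    """Return the stored password, raising RuntimeError if the lookup fails.

    `run` is injectable so the logic can be exercised without a keychain.
    """
    proc = run(keychain_command(service, account), capture_output=True, text=True)
    if proc.returncode != 0:
        # `security` exits non-zero (44 for "item could not be found") and
        # explains on stderr; pass that on instead of emitting an empty password.
        message = proc.stderr.strip() or "no error message"
        raise RuntimeError(f"security exited {proc.returncode}: {message}")
    return normalise_password(proc.stdout)


def mode_problems(mode):
    """Problems with this script's permission bits (pass st_mode from os.stat).

    Ansible only executes a vault password file that is executable; a file
    without the x bit is read as a plaintext password, so a forgotten chmod
    turns this source code into the vault password.  A script Ansible runs
    should also not be writable by anyone else.
    """
    perm = stat.S_IMODE(mode)
    problems = []
    if not perm & stat.S_IXUSR:
        problems.append("not executable: Ansible would read the file as a plaintext password (chmod 700 it)")
    if perm & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems


def main(argv):
    if "--check" in argv:
        # Self-test (assumed flag, not something Ansible calls): report
        # permission and lookup problems without ever printing the secret.
        problems = mode_problems(os.stat(__file__).st_mode)
        try:
            read_keychain_password(KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT)
        except RuntimeError as exc:
            problems.append(f"keychain lookup failed: {exc}")
        for problem in problems:
            print(f"vault password script: {problem}", file=sys.stderr)
        print("ok" if not problems else f"{len(problems)} problem(s)", file=sys.stderr)
        return 1 if problems else 0
    try:
        password = read_keychain_password(KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT)
    except RuntimeError as exc:
        # stderr only, and a non-zero exit so Ansible reports the failure
        # instead of quietly trying an empty password.
        print(f"vault password script: {exc}", file=sys.stderr)
        return 1
    sys.stdout.write(password + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Install it with `chmod 700`, point ANSIBLE_VAULT_PASSWORD_FILE at it, and run it once with `--check` from a fresh shell (the flag is this example's, not Ansible's). Avoid a file name ending in `-client.py`, which Ansible reserves for vault-id client scripts that take different arguments. The first lookup makes macOS prompt for access to the keychain item; choosing "Always Allow" records /usr/bin/security in the item's access list, after which any process running as you can read the password the same way, so treat that item as only as private as your login session.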
