Using Mac Keychain with Ansible Vault

Submitted by kentr on 05/30/2018, 08:16

Problem

I wanted to use the macOS keychain with Ansible vault and tried the method in Jeff Ramnani's post.

For me, though, declaring vault_password_file in a user Ansible config file didn't work. I'm using ansible.cfg files in the directories of different projects, and due to Ansible's precedence, my user config file is being ignored.

Solution

The solution was to pass vault_password_file into Ansible using the ANSIBLE_VAULT_PASSWORD_FILEenvironment variable.

Here's the technique

  1. As in Jeff's post:
    • Create a keychain item that contains the password.
    • Create your executable vault password script.
    • However, you do not need to edit .ansible.cfg or other Ansible config files.
  2. In your ~/.bashrcfile, define ANSIBLE_VAULT_PASSWORD_FILE to the path of the password script.  Of course, if you're using another shell, define the environment variable as appropriate for that shell.

    For example:
     

    export ANSIBLE_VAULT_PASSWORD_FILE="${HOME}/bin/vault_password_file.sh"

     

Add new comment