Using Mac Keychain with Ansible Vault

May 30, 2018 - 8:16am


I wanted to use the macOS keychain with Ansible vault and tried the method in Jeff Ramnani's post.

For me, though, declaring vault_password_file in a user Ansible config file didn't work. I'm using ansible.cfg files in the directories of different projects, and due to Ansible's precedence, my user config file is being ignored.


The solution was to pass vault_password_file into Ansible using the ANSIBLE_VAULT_PASSWORD_FILE environment variable.

Here's the technique

  1. As in Jeff's post:
    • Create a keychain item that contains the password.
    • Create your executable vault password script.
    • However, you do not need to edit .ansible.cfg or other Ansible config files.
  2. In your ~/.bashrcfile, define ANSIBLE_VAULT_PASSWORD_FILE to the path of the password script. Of course, if you're using another shell, define the environment variable as appropriate for that shell.

    For example:


Add new comment