Tags: ansible, ansible-vault

How can I avoid ask-vault-pass parameter on Ansible?


I would like to do something like

ansible-playbook myPlaybook.yml -i myHostFile 

instead of

ansible-playbook myPlaybook.yml -i myHostFile --ask-vault-pass

Solution

  • Your requirement is not clear. Following my comments, this answer is a specific example of how to secure your vault passwords inside your GNOME Linux session keyring using the vault-keyring-client.py script provided by the ansible community contribs (hoping it will give you some ideas of how to fix the problem in your specific case).

    1. Make sure you have the required dependencies to run the script
      pip install keyring
      
    2. Install the contrib script somewhere in your path (the given path is just an example, use one suited to your situation)
      cd $HOME/bin
      curl -o vault-keyring-client https://raw.githubusercontent.com/ansible-community/contrib-scripts/main/vault/vault-keyring-client.py
      chmod 0700 vault-keyring-client
      
    3. Create your vault id passwords in your session keystore using the script. The password is asked interactively and stored. You can see the password entries browsing the login keyring after launching seahorse (i.e. "Passwords and keys").
      vault-keyring-client --set --vault-id yourid1
      vault-keyring-client --set --vault-id yourid2
      
    4. Configure ansible to use that script for those ids. If encrypted content is found without an id, the ids will be tried in order. You probably want to define a default id to encrypt the content. Add the following lines to your .bashrc (or whatever shell you use...)
      export ANSIBLE_VAULT_IDENTITY_LIST=yourid1@$HOME/bin/vault-keyring-client,yourid2@$HOME/bin/vault-keyring-client
      export ANSIBLE_VAULT_ENCRYPT_IDENTITY=yourid1
      
    5. Encrypt some content
      # using the default encrypt vault-id
      ansible-vault encrypt somefile
      ansible-vault encrypt_string "somestring"
      # using another vault-id than the default
      ansible-vault encrypt --encrypt-vault-id yourid2 somefile
      ansible-vault encrypt_string --encrypt-vault-id yourid2 "somestring"
      
    6. You can now use any playbook or ad hoc command in need of a configured vault password from your opened session without having to provide it interactively
      ansible-playbook -i your_inventory your_playbook
      ansible -i your_inventory somehost -m debug -a "msg={{ some_encrypted_var }}"
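The contrib script above works because Ansible treats any password script whose file name ends in "-client" as a vault client: it runs it as `<script> --vault-id <id>` and reads the password from stdout. The following is an added example (not the contrib script or any Ansible code) of that client contract, backed by a directory of per-id 0600 files instead of the GNOME keyring so it runs anywhere; the store directory and the VAULT_STORE_DIR variable are assumptions of this example.

```python
#!/usr/bin/env python3
"""Minimal Ansible vault password client (added example, not the contrib script).

Ansible invokes a "*-client" password script as:  <script> --vault-id <id>
and expects the matching password on stdout, non-zero exit if none.
Assumption: secrets live in <store_dir>/<vault_id>, one file per id, mode 0600.
"""
import argparse
import os
import stat
import sys
from pathlib import Path


def parse_vault_id(argv):
    """Return the --vault-id value Ansible passes, or None if it is absent."""
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("--vault-id", default=None)
    args, _ = parser.parse_known_args(argv)
    return args.vault_id


def lookup_password(vault_id, store_dir):
    """Read the secret for vault_id from <store_dir>/<vault_id>.

    Rejects ids containing path separators and files readable by group/others,
    so a traversal-style id or a sloppy file mode cannot leak a vault password.
    """
    if not vault_id or "/" in vault_id or vault_id in (".", ".."):
        raise ValueError("invalid vault id")
    path = Path(store_dir) / vault_id
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} must be 0600, found {mode:04o}")
    return path.read_text().rstrip("\n")


def main(argv=None):
    """Entry point matching the client contract; returns the process exit code."""
    argv = sys.argv[1:] if argv is None else argv
    store = os.environ.get("VAULT_STORE_DIR", os.path.expanduser("~/.vault-ids"))
    try:
        sys.stdout.write(lookup_password(parse_vault_id(argv), store))
        return 0
    except (ValueError, OSError) as exc:
        sys.stderr.write(f"vault-client: {exc}\n")
        return 1


if __name__ == "__main__":
    sys.exit(main())
```

Saved as e.g. `$HOME/bin/vault-file-client` it can be referenced from ANSIBLE_VAULT_IDENTITY_LIST exactly like the keyring script in step 4.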