This project provides an installable version of the original community script vault-keyring-client.py for Ansible, allowing you to manage vault passwords using your OS's native keyring application.
The vault-keyring-client is a CLI tool to store and retrieve Ansible vault passwords in the keyring. This version is implemented using typer for a modern CLI interface, making it easy to use and extend.
To install the vault-keyring-client, you can use Poetry:
poetry add git+https://git@github.com/jakob1379/vault-keyring-client.git#main$ vault-keyring-client [OPTIONS]Options:
--vault-id TEXT: Name of the vault secret to get from keyring.--username TEXT: The username whose keyring is queried.--set: Set the password instead of getting it.--install-completion: Install completion for the current shell.--show-completion: Show completion for the current shell, to copy it or customize the installation.--help: Show this message and exit.
This project is based on the original vault-keyring-client.py script contributed by Matt Martz and Justin Mayer. The original script can be found in the Ansible Community's contrib-scripts repository:
Original vault-keyring-client.py script
The script is designed to work with Ansible, making your playbooks more efficient by eliminating the need to manually enter become_pass for each host. Follow these steps to set it up:
-
Create an Entry: First, create an entry with
vault-keyring-client --set --vault-id my_vault_id. -
Configure Ansible: To make Ansible automatically try the passwords stored in your keyring, add the following to your
.envrcor manually source your.envfile:export ANSIBLE_VAULT_IDENTITY_LIST="my_vault_id@$(poetry run which vault-keyring-client),my_other_vault_id@$(poetry run which vault-keyring-client)"
-
Create a Secure Vault: Create a vault file outside of your repository to avoid accidental commits. Store it in a safe location, for example,
~/.become_passwords. Structure the key-value pairs asbecome_pass_<hostname>: "mytopsecret_host_password". Encrypt the file using:ansible-vault encrypt --encrypt-vault-id my_vault_id <path_to_vault>
-
Update Playbooks: Add the following configuration to your playbooks to use the stored passwords:
- name: Playbook that does not require manual sudo passwords hosts: amazing_host become: true vars: ansible_become_password: "{{ lookup('vars', 'become_pass_' + inventory_hostname) }}" vars_files: - ~/.become_passwords.yml roles: - users
When you run the playbook, Ansible will try all keys in the
VAULT_IDENTITY_LISTin order and use the correct one to unlock~/.become_passwords, matching the password with the hostname.
This project is licensed under the GNU General Public License v3.0 or later. See the LICENSE file for details.