@toke
Last active October 24, 2021 21:38
Small helper script for usage with ansible-vault and ansible-playbook together with pass (https://www.passwordstore.org/). Two implementations: the first in bash and another one in Python, which should be better, as the git config hack to read ini files may fail due to incompatibilities between the git and ansible ini styles. The bash version is kept for reference.
#!/bin/bash
set -e
#
# Written by Thomas Kerpe <[email protected]> - Public Domain
#
# Small helper script for usage with ansible-vault and ansible-playbook
# together with [pass](https://www.passwordstore.org/)
#
# Say you have stored the vault-password for the current ansible playbook in pass
# under the name `ansible/demo/vault` then either add a .pass_path file with the content
# `ansible/demo/vault` or add an entry in the ansible.cfg:
# ```
# [pass]
# vault=ansible/demo/vault
# ```
# Now you can call ansible-vault-pass to get the password for the vault. It is especially useful
# like this:
# `ansible-playbook site.yml --vault-password-file ~/bin/ansible-vault-pass`
# or `ansible-vault edit --vault-password-file ~/bin/ansible-vault-pass example.yml`
# Even more practical: `export ANSIBLE_VAULT_PASSWORD_FILE=~/bin/ansible-vault-pass` then it will
# be used by default without specifying it.
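if [ -e .pass_path ] ; then
    # Entry name stored in a dotfile next to the playbook
    p=$(cat .pass_path)
elif [ -e ansible.cfg ] ; then
    # Read the [pass] vault= key; git config is used here as an ini parser
    p=$(git config -f ansible.cfg --get pass.vault)
else
    echo "ansible-vault-pass: no .pass_path or ansible.cfg found" >&2
    exit 1
fi
if [ -n "$p" ] ; then
    # 'show' is given explicitly so the entry name is never read as a pass subcommand
    exec pass show "$p"
else
    exit 1
fi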
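The description above says `git config` can fail on an Ansible-style ini file; one cause is that git only allows alphanumeric characters and `-` in variable names, while ansible.cfg keys such as `host_key_checking` contain underscores. The following is an added example, not the gist author's Python version: it performs the same lookup with `configparser`. The names `find_pass_entry` and `SAMPLE_CFG` are assumptions made for this example, and the sample file is constructed.

```python
#!/usr/bin/env python3
# Added example, not the gist author's Python version.
import configparser
import os
import sys
from pathlib import Path

# Constructed sample ansible.cfg. Keys with underscores are normal for
# Ansible but are not valid variable names in git's config syntax.
SAMPLE_CFG = """\
[defaults]
host_key_checking = False
retry_files_enabled = False

[pass]
vault=ansible/demo/vault
"""


def find_pass_entry(directory="."):
    """Return the pass entry name (.pass_path wins over ansible.cfg), or None."""
    base = Path(directory)
    dotfile = base / ".pass_path"
    if dotfile.is_file():
        return dotfile.read_text(encoding="utf-8").strip() or None
    cfg = base / "ansible.cfg"
    if not cfg.is_file():
        return None
    # interpolation=None: values are returned literally, '%' is not special.
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read(cfg, encoding="utf-8")
    except configparser.Error:
        return None  # unparsable file: treat as "no entry configured"
    return parser.get("pass", "vault", fallback="").strip() or None


def main():
    entry = find_pass_entry()
    # Refuse a missing entry or one that pass could read as an option.
    if entry is None or entry.startswith("-"):
        print("ansible-vault-pass: no usable pass entry configured", file=sys.stderr)
        return 1
    os.execvp("pass", ["pass", "show", entry])  # replaces this process


if __name__ == "__main__":
    sys.exit(main())
```

Both `.pass_path` and `ansible.cfg` are read from the current working directory, so the directory the command is run from decides which pass entry is printed.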