I’ve been messing around with macOS keychains for part of the morning, and it occurred to me that I hadn’t jotted down how to use Ansible vault with generic passwords in a macOS keychain, so here goes.
I create a generic password from the CLI (Keychain Access, the GUI, works just as well). The trailing -w with no argument makes security(1) prompt for the password instead of taking it on the command line, so it does not end up in the shell history:
$ security add-generic-password -a jpmens -j "vault pw for example.com" -s vpw-example-com -w
password data for new item:
retype password for new item:
$
A one-line shell script, which I place in ~/bin/vaultpw.sh and make executable (chmod 700 ~/bin/vaultpw.sh), obtains that generic password and prints it on stdout:
#!/bin/sh
# print the vault password stored as a generic password in the login keychain
/usr/bin/security find-generic-password -a jpmens -s vpw-example-com -w
The executable bit matters: Ansible only runs a vault password file that is executable; a non-executable file is treated as a plain-text password file, and the script's own source text would then be used as the vault password.
and I configure ansible.cfg to use that executable script, from which Ansible reads the vault password on stdout (or I name it at runtime as the argument to --vault-password-file):
[defaults]
nocows = 1
vault_password_file = ~/bin/vaultpw.sh
Whenever I use Ansible vault, its password is obtained automatically.
$ EDITOR=ed ansible-vault create secrets.yml
0
a
---
dbpass: superverysecret
.
w
28
q
$ head -2 secrets.yml
$ANSIBLE_VAULT;1.1;AES256
33653339353466353561386535326537636435643338623134633036306533636338643661343866
$ ansible-vault view secrets.yml
---
dbpass: superverysecret
Note that this keeps the vault password out of plain-text files, but it cannot be kept secret from anyone who must be able to launch playbooks which use vaulted files from the CLI: whoever can execute the script (or unlock the keychain it reads from) can simply run it and read the password.
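The one-liner above serves a single vault. As an added example (my code, not from the original post and not part of Ansible), here is a --vault-id-aware version that maps each vault ID label to its own keychain item and fails loudly, with a non-zero exit and a message on stderr, when the item is missing or empty, instead of handing Ansible an empty password. It relies on one real Ansible convention: a password script whose file name ends in -client (before any extension) is invoked with "--vault-id LABEL". The account name jpmens and the vpw- service prefix are assumptions taken from the add-generic-password example above; the VAULTPW_* environment overrides and the label-to-service mapping are my own.

```shell
#!/bin/sh
# vaultpw-client.sh: added example, not from the original post. A vault
# password *client* script that serves several vault IDs from one keychain.
# Ansible passes "--vault-id LABEL" to a password script whose file name
# ends in "-client" (before any extension), so
#   ansible-playbook --vault-id example-com@~/bin/vaultpw-client.sh site.yml
# makes ansible run: ~/bin/vaultpw-client.sh --vault-id example-com
# The account "jpmens" and the "vpw-" service prefix are assumptions copied
# from the post's own add-generic-password example.

ACCOUNT="${VAULTPW_ACCOUNT:-jpmens}"
PREFIX="${VAULTPW_PREFIX:-vpw-}"
SECURITY="${VAULTPW_SECURITY:-/usr/bin/security}"   # overridable so the lookup can be tested off a Mac

# Print the label from "--vault-id LABEL" or "--vault-id=LABEL"; return 1 if absent.
vault_id_from_args() {
    while [ $# -gt 0 ]; do
        case "$1" in
            --vault-id)   [ $# -ge 2 ] || return 1; printf '%s\n' "$2"; return 0 ;;
            --vault-id=*) printf '%s\n' "${1#--vault-id=}"; return 0 ;;
        esac
        shift
    done
    return 1
}

# Map a label to the keychain service name: "example.com" and "example-com"
# both become "vpw-example-com", matching the item created in the post.
# Anything outside [A-Za-z0-9._-] (and the empty label) is rejected so the
# service name stays a plain, predictable identifier.
service_for_vault_id() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s%s\n' "$PREFIX" "$(printf '%s' "$1" | sed 's/\./-/g')"
}

# Read the password for one service. Fail with a non-zero exit and a message
# on stderr instead of printing an empty line, so ansible reports the problem
# rather than silently trying an empty vault password.
lookup_password() {
    service="$1"
    pw=$("$SECURITY" find-generic-password -a "$ACCOUNT" -s "$service" -w 2>/dev/null) || {
        echo "vaultpw-client: no keychain item for service '$service' (account '$ACCOUNT')" >&2
        return 1
    }
    [ -n "$pw" ] || { echo "vaultpw-client: empty password stored for '$service'" >&2; return 1; }
    printf '%s\n' "$pw"
}

main() {
    label=$(vault_id_from_args "$@") || label="example-com"   # default when run by hand
    service=$(service_for_vault_id "$label") || {
        echo "vaultpw-client: unacceptable vault-id label '$label'" >&2
        return 2
    }
    lookup_password "$service"
}

# Run only when installed under a "-client" name (which ansible requires anyway);
# under any other name the functions are merely defined.
case "${0##*/}" in
    *-client|*-client.*) main "$@" ;;
esac
```

Install it as ~/bin/vaultpw-client.sh, chmod 700 it, create one keychain item per vault (vpw-example-com, vpw-staging, and so on, all under the same account), and then either pass --vault-id example-com@~/bin/vaultpw-client.sh to ansible-vault and ansible-playbook or set vault_identity_list = example-com@~/bin/vaultpw-client.sh in the [defaults] section of ansible.cfg. The same caveat applies as for the one-liner: anyone who can run the script can read every password it can reach.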