I’ve been messing around with macOS keychains part of the morning, and it occurred to me that I hadn’t jotted down how to use Ansible vault with generic passwords in a macOS keychain, so here goes.

I create a generic password from the CLI or via the GUI

$ security add-generic-password -a jpmens -j "vault pw for example.com" -s vpw-example-com -w
password data for new item:
retype password for new item:
$

A one-line shell script I place in ~/bin/vaultpw.sh obtains that generic password

#!/bin/sh

/usr/bin/security find-generic-password -a jpmens -s vpw-example-com  -w

and I configure ansible.cfg to use that executable script from which to obtain the vault password on stdout (or I specify it at runtime as argument to --vault-password-file)

[defaults]
nocows = 1
vault_password_file = ~/bin/vaultpw.sh

Whenever I use Ansible vault, its password is obtained automatically.

$ EDITOR=ed ansible-vault create secrets.yml
0
a
---
dbpass: superverysecret
.
w
28
q

$ head -2 secrets.yml
$ANSIBLE_VAULT;1.1;AES256
33653339353466353561386535326537636435643338623134633036306533636338643661343866

$ ansible-vault view secrets.yml
---
dbpass: superverysecret

Note that it’s not possible to keep the vault password secret from anyone who must be able to launch playbooks which use vaulted files from the CLI.