
Ansible Vault password integration with Bitwarden

Mar 13, 2022 · 1 min read

Ansible Vault encrypts Ansible data files, mostly variable files, so you can protect things such as passwords and keys. It uses a single password for encryption and decryption, which you could store in a plain file if you don't want to be prompted every time a playbook runs, but that is a bad approach. A better approach is to use a third-party password manager together with a small bash script.

Today's topic is securing the ansible-vault password in Bitwarden, a FOSS password manager.

Prerequisites

  • Ansible
  • Bitwarden account
  • Bitwarden CLI

Solution

Step 1. First, log in to Bitwarden from the CLI using your email and password or, even better, the API key environment variables. See the official Log In CLI docs.

Step 2. Take a look at the bash script below, which returns the ansible-vault password stored as a Bitwarden item named ansible-vault.

#!/bin/bash

set -e

# Name of the Bitwarden item that holds the Ansible Vault password
BW_VAULT_NAME_ID="ansible-vault"
# bw unlock prompts for the master password and, with --raw, prints only the session key
BW_SESSION="$(bw unlock --raw)"
# Print only the password; Ansible reads it from the script's stdout
bw get password "$BW_VAULT_NAME_ID" --session "$BW_SESSION" --raw

Step 3. Save the script as ansible-vault-pass-bw.sh, for instance, and make it executable (Ansible runs an executable vault password file as a script instead of reading it as a plain password file).

chmod +x ansible-vault-pass-bw.sh

Step 4. Add the path to the bash script to the Ansible config file, either ~/.ansible.cfg or the main one, /etc/ansible/ansible.cfg, under the [defaults] section.

[defaults]
vault_password_file=some_dir/ansible-vault-pass-bw.sh

Now you won't need to pass --vault-password-file on the command line anymore.
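A slightly more defensive variant of the script above, added here as an example and not the post's own script: it reuses an already exported BW_SESSION so you are not prompted for the master password on every playbook run, and it exits non-zero instead of handing Ansible an empty password. The item name ansible-vault is the one from the post; the BW_VAULT_NAME_ID environment override and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the original post's script): Ansible vault password
# script backed by the Bitwarden CLI. Assumes an item named "ansible-vault"
# as in the post; BW_VAULT_NAME_ID may override that name (assumption).
set -eu

BW_VAULT_NAME_ID="${BW_VAULT_NAME_ID:-ansible-vault}"

# Print the password of Bitwarden item $1 on stdout.
# Reuses an exported BW_SESSION when present, otherwise unlocks the vault
# interactively (bw prompts on the terminal, so stdout stays clean).
get_vault_password() {
    item="$1"
    if [ -z "${BW_SESSION:-}" ]; then
        BW_SESSION="$(bw unlock --raw)"
        export BW_SESSION
    fi
    pass="$(bw get password "$item" --session "$BW_SESSION" --raw)" || return 1
    # Fail closed: Ansible would otherwise try to decrypt with an empty password.
    if [ -z "$pass" ]; then
        echo "no password found for Bitwarden item '$item'" >&2
        return 1
    fi
    printf '%s\n' "$pass"
}

main() {
    get_vault_password "$BW_VAULT_NAME_ID"
}

# Only run when invoked as the saved script (Step 3), so the functions can
# also be sourced without calling bw.
case "${0##*/}" in
    ansible-vault-pass-bw.sh) main "$@" ;;
esac
```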

Conclusion

Make sure to use Bitwarden's API key environment variables whenever possible, since that is the strongly recommended option for automation workflows. On a side note, follow our official channel on Telegram.