@me-vlad
Last active July 28, 2021 19:01

Ansible Vault passwords and ansible_become_pass variable stored in pass https://www.passwordstore.org or gopass https://www.gopass.pw

ansible_become_pass variable in pass/gopass

Create an encrypted password file with pass or gopass:

pass insert ansible/test or gopass insert ansible/test

Now you can access the become password stored in ansible/test using the passwordstore lookup plugin.

Set the ansible_become_pass variable in the playbook:

- name: TEST PLAYBOOK
  hosts: prod
  become: yes 
  vars:
    ansible_become_pass: "{{ lookup('passwordstore', 'ansible/test', errors='strict') | default(omit) }}" 

You can also create a file that defines the ansible_become_pass variable with the same lookup plugin as in the sample above, and pass it to the ansible-playbook command as an extra variable with the -e or --extra-vars option:

ansible-playbook -b -e @become.yml site.yml

If you need to store a few passwords in the same pass file, use the subkey parameter of the passwordstore plugin:

ansible_become_pass: "{{ lookup('passwordstore', 'ansible/test subkey=dev_become_pass returnall=no', errors='strict') | default(omit) }}" 

An additional subkey in the pass file looks like this:

dev_become_pass: _SO_SECRET_PASSWORD_

Ansible Vault passwords in pass/gopass

You can put the Vault password in pass or gopass and use it to decrypt sensitive files or variables stored in Vault.

A script can be used as vault_password_file to provide the Vault password stored in pass or gopass; see the ansible-vault-pass-client GitHub repo.
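A sketch of such a vault password client script, added here as an example (it is not the code from the ansible-vault-pass-client repo). It follows Ansible's client-script contract: the file name ends in -client, the script accepts --vault-id and prints the password to stdout. The store layout ansible/vault/<vault-id> and the ANSIBLE_VAULT_PASS_PREFIX variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: Ansible vault password client script backed by pass.
# Assumed (hypothetical) layout: one pass entry per vault id under this prefix.
PASS_PREFIX="${ANSIBLE_VAULT_PASS_PREFIX:-ansible/vault}"

# Accept only plain labels, so a vault id can never contain "/" or ".."
# and read an entry outside PASS_PREFIX.
valid_vault_id() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the Vault password for the requested vault id (default: "default").
vault_password() {
    vault_id=default
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --vault-id)
                [ "$#" -ge 2 ] || { echo "missing value for --vault-id" >&2; return 2; }
                vault_id=$2; shift 2 ;;
            --vault-id=*) vault_id=${1#--vault-id=}; shift ;;
            *) echo "unexpected argument: $1" >&2; return 2 ;;
        esac
    done
    valid_vault_id "$vault_id" || { echo "invalid vault id" >&2; return 2; }
    # Fail closed if the entry is missing or cannot be decrypted.
    entry=$(pass show "$PASS_PREFIX/$vault_id") || return 1
    # pass keeps the password on the first line; subkeys and notes follow it.
    secret=$(printf '%s\n' "$entry" | head -n 1)
    [ -n "$secret" ] || { echo "empty password in $PASS_PREFIX/$vault_id" >&2; return 1; }
    printf '%s\n' "$secret"
}

# Run only when saved under a name Ansible treats as a client script
# (ending in -client or -client.EXT).
case "$0" in
    *-client|*-client.*) vault_password "$@" ;;
esac
```

Saved as an executable file named, for example, vault-pass-client (a hypothetical name), it is selected with `ansible-playbook --vault-id dev@vault-pass-client site.yml`. Errors go to stderr only, so a failed lookup never ends up being used as a password.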

More info

Ansible Vault
Encrypting content with Ansible Vault
Configuring defaults for using encrypted content
Storing passwords in third-party tools with vault password client scripts
pass manual
gopass docs
