@sleshJdev
Created October 17, 2022 11:21
Ansible vault script to retrieve vault-id from the environment variables | Ansible vault env vars password provider
#!/usr/bin/env python
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
#
# =============================================================================
#
# This script is meant to be used with ansible-vault's --vault-id argument.
# It prints the vault password read from the environment variable
# <VAULT_ID>_VAULT_ID, where <VAULT_ID> is the upper-cased vault id.
#
# This file *MUST* be saved with executable permissions. Otherwise, Ansible
# will try to parse as a password file and display: "ERROR! Decryption failed"
#
import argparse
import sys
import os
# Exit status main() passes to sys.exit() when it finds no secret for the
# requested vault id.
KEYNAME_UNKNOWN_RC = 2
def build_arg_parser():
    """Create the command-line parser for this password client.

    Returns:
        argparse.ArgumentParser: a parser accepting an optional
        ``--vault-id`` string, stored as ``vault_id`` (``None`` when the
        option is omitted).
    """
    vault_id_option = dict(
        dest='vault_id',
        action='store',
        type=str,
        default=None,
        help='name of the vault secret to get from env var',
    )
    cli = argparse.ArgumentParser(
        description='Get a vault password from env var',
    )
    cli.add_argument('--vault-id', **vault_id_option)
    return cli
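def main():
    """Print the vault password for ``--vault-id`` taken from the environment.

    The password is read from the environment variable named
    ``<VAULT_ID>_VAULT_ID`` (the vault id upper-cased) and written to stdout
    followed by a newline. Diagnostics go to stderr and name only the
    requested key, never the secret.

    The secret lives in the process environment, which child processes
    inherit; scope the variable to the ansible invocation rather than
    exporting it for a whole login session.

    Exits with status 0 on success, or KEYNAME_UNKNOWN_RC when no vault id
    was supplied or the matching variable is not set.
    """
    parser = build_arg_parser()
    args = parser.parse_args()

    # --vault-id defaults to None; upper-casing None would raise TypeError
    # and surface as a traceback instead of a clean non-zero exit.
    if not args.vault_id:
        sys.stderr.write('vault-env-client requires --vault-id\n')
        sys.exit(KEYNAME_UNKNOWN_RC)

    # os.environ[...] raises KeyError for an unset variable, which made the
    # "not found" branch unreachable; .get() returns None so it can run.
    secret = os.environ.get('%s_VAULT_ID' % args.vault_id.upper())
    if secret is None:
        sys.stderr.write('vault-env-client could not find key="%s"\n' % args.vault_id)
        sys.exit(KEYNAME_UNKNOWN_RC)

    # stdout carries the password to the caller; nothing else is printed there.
    sys.stdout.write('%s\n' % secret)
    sys.exit(0)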
# Run the client only when executed as a script, not when imported.
if __name__ == "__main__":
    main()