Last active
October 24, 2021 21:38
-
-
Save toke/ebc49b7dd08d7b87e23921029176d3f5 to your computer and use it in GitHub Desktop.
Small helper script for usage with ansible-vault and ansible-playbook together with pass https://www.passwordstore.org/ Two implementations: first in bash and anotger one in python, which should be better as the git config hack to get ini files may fail due to incompatibilities in git vs. ansible ini style. The bash version is kept for reference.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| set -e | |
| # | |
| # Written by Thomas Kerpe <toke@toke.de> - Public Domain | |
| # | |
| # Small helper script for usage with ansible-vault and ansible-playbook | |
| # together with [pass](https://www.passwordstore.org/) | |
| # | |
| # Say you have stored the vault-password for the current ansible playbook in pass | |
| # under the name `ansible/demo/vault` then either add a .pass_path file with the content | |
| # `ansible/demo/vault` or add a entry in the ansible.cfg: | |
| # ``` | |
| # [pass] | |
| # vault=ansible/demo/vault | |
| # ``` | |
| # Now you can call ansible-vault-pass to get the password for the vault. It is especially useful | |
| # like this: | |
| # `ansible-playbook site.yml --vault-password-file ~/bin/ansible-vault-pass` | |
| # or `ansible-vault edit --vault-password-file ~/bin/ansible-vault-pass example.yml` | |
| # Even more practical: `export ANSIBLE_VAULT_PASSWORD_FILE=~/bin/ansible-vault-pass` then it will | |
| # be used by default without specifying it. | |
| if [ -e .pass_path ] ; then | |
| p=$(cat .pass_path) | |
| elif [ -e ansible.cfg ] ; then | |
| p=$(git config -f ansible.cfg --get pass.vault) | |
| else | |
| exit 0 | |
| fi | |
| if [ ! -z "$p" ] ; then | |
| exec pass "$p" | |
| else | |
| exit 1 | |
| fi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| """ | |
| ansible_vault_pass | |
| A small helper script for usage with ansible-vault and ansible-playbook | |
| together with pass. | |
| Written by Thomas Kerpe <toke@toke.de> - Public Domain | |
| Say you have stored the vault-password for the current ansible playbook in pass | |
| under the name ansible/demo/vault then either add a .pass_path file with the content | |
| ansible/demo/vault or add a entry in the ansible.cfg: | |
| [pass] | |
| vault=ansible/demo/vault | |
| Now you can call ansible-vault-pass to get the password for the vault. | |
| It is especially useful like this: | |
| ansible-playbook site.yml --vault-password-file ~/bin/ansible-vault-pass | |
| or | |
| ansible-vault edit --vault-password-file ~/bin/ansible-vault-pass example.yml | |
| Even more practical: | |
| export ANSIBLE_VAULT_PASSWORD_FILE=~/bin/ansible-vault-pass | |
| then it will be used by default without specifying it. It is also useful in CI environments. | |
| Source: https://gist.github.com/toke/ebc49b7dd08d7b87e23921029176d3f5 | |
| """ | |
| import os.path | |
| import subprocess | |
| import ansible.constants | |
| from ConfigParser import NoOptionError, NoSectionError | |
| def get_vault_password(): | |
| """ | |
| The magic happenz | |
| """ | |
| pass_name = "" | |
| if os.path.isfile(".pass_path"): | |
| with open(".pass_path") as f: | |
| pass_name = f.read() | |
| elif ansible.constants.CONFIG_FILE: | |
| try: | |
| pass_name = ansible.constants.p.get("pass", "vault") | |
| except NoOptionError: | |
| pass | |
| except NoSectionError: | |
| pass | |
| else: | |
| pass | |
| if pass_name: | |
| c = subprocess.call(["pass", pass_name]) | |
| exit(c) | |
| if __name__ == '__main__': | |
| get_vault_password() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment