Skip to content

Instantly share code, notes, and snippets.

@toke
Last active October 24, 2021 21:38
Show Gist options
  • Save toke/ebc49b7dd08d7b87e23921029176d3f5 to your computer and use it in GitHub Desktop.
Save toke/ebc49b7dd08d7b87e23921029176d3f5 to your computer and use it in GitHub Desktop.
Small helper script for usage with ansible-vault and ansible-playbook together with pass https://www.passwordstore.org/ Two implementations: first in bash and anotger one in python, which should be better as the git config hack to get ini files may fail due to incompatibilities in git vs. ansible ini style. The bash version is kept for reference.
#!/usr/bin/env bash
set -e
#
# Written by Thomas Kerpe <toke@toke.de> - Public Domain
#
# Small helper script for usage with ansible-vault and ansible-playbook
# together with [pass](https://www.passwordstore.org/)
#
# Say you have stored the vault-password for the current ansible playbook in pass
# under the name `ansible/demo/vault` then either add a .pass_path file with the content
# `ansible/demo/vault` or add a entry in the ansible.cfg:
# ```
# [pass]
# vault=ansible/demo/vault
# ```
# Now you can call ansible-vault-pass to get the password for the vault. It is especially useful
# like this:
# `ansible-playbook site.yml --vault-password-file ~/bin/ansible-vault-pass`
# or `ansible-vault edit --vault-password-file ~/bin/ansible-vault-pass example.yml`
# Even more practical: `export ANSIBLE_VAULT_PASSWORD_FILE=~/bin/ansible-vault-pass` then it will
# be used by default without specifying it.
if [ -e .pass_path ] ; then
p=$(cat .pass_path)
elif [ -e ansible.cfg ] ; then
p=$(git config -f ansible.cfg --get pass.vault)
else
exit 0
fi
if [ ! -z "$p" ] ; then
exec pass "$p"
else
exit 1
fi
#!/usr/bin/env python2
"""
ansible_vault_pass
A small helper script for usage with ansible-vault and ansible-playbook
together with pass.
Written by Thomas Kerpe <toke@toke.de> - Public Domain
Say you have stored the vault-password for the current ansible playbook in pass
under the name ansible/demo/vault then either add a .pass_path file with the content
ansible/demo/vault or add a entry in the ansible.cfg:
[pass]
vault=ansible/demo/vault
Now you can call ansible-vault-pass to get the password for the vault.
It is especially useful like this:
ansible-playbook site.yml --vault-password-file ~/bin/ansible-vault-pass
or
ansible-vault edit --vault-password-file ~/bin/ansible-vault-pass example.yml
Even more practical:
export ANSIBLE_VAULT_PASSWORD_FILE=~/bin/ansible-vault-pass
then it will be used by default without specifying it. It is also useful in CI environments.
Source: https://gist.github.com/toke/ebc49b7dd08d7b87e23921029176d3f5
"""
import os.path
import subprocess
import ansible.constants
from ConfigParser import NoOptionError, NoSectionError
def get_vault_password():
"""
The magic happenz
"""
pass_name = ""
if os.path.isfile(".pass_path"):
with open(".pass_path") as f:
pass_name = f.read()
elif ansible.constants.CONFIG_FILE:
try:
pass_name = ansible.constants.p.get("pass", "vault")
except NoOptionError:
pass
except NoSectionError:
pass
else:
pass
if pass_name:
c = subprocess.call(["pass", pass_name])
exit(c)
if __name__ == '__main__':
get_vault_password()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment