Allows ansible-vault to use the system keyring for storing vault passwords
Project description
ansible-vault-keyring
A simple tool to get and set passwords for ansible vaults using the system keyring.
Installation
Install ansible-vault-keyring using your favorite package manager / method.
For me, using uv, I use:
uv tool install ansible-vault-keyring
Usage
Setting a password.
$ ansible-vault-keyring --vault-id my_vault_id --set
Enter password : foo
Confirm password : foo
Getting a password.
$ ansible-vault-keyring --vault-id my_vault_id
foo
Recommended usage.
If, for example, you want to use the ansible-vault-keyring tool to get two passwords from your keyring, one for a global vault-id and one for a personal vault-id, you can add this to your ansible.cfg file.
[defaults]
vault_identity_list = global@/path/to/ansible_vault_keyring, personal@/path/to/ansible_vault_keyring
If, like me, you install with uv, you will find the binary in whatever bin directory it uses, and you should refer to the uv documentation to find the path to the standalone executable. For me this is ~/.local/bin/ansible-vault-keyring, and I have ~/.local/bin in my PATH environment variable.
Now when a password is needed by Ansible, it will invoke the ansible-vault-keyring tool to get the password from the keyring.
How Ansible finds config files
Ansible will load settings from the first ansible.cfg file it finds from:
- The file in the ANSIBLE_CONFIG environment variable.
- The ansible.cfg file in the current working directory.
- The ~/.ansible.cfg file (in the user's home directory).
- The /etc/ansible/ansible.cfg file (in the system ansible config directory).
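One way to check which config file is in effect and whether the vault password sources named in its vault_identity_list are safe to execute, following the search order listed above. This is an added example, not part of ansible-vault-keyring or Ansible; the function names and the "default" label for entries without an id are assumptions of this sketch.

```python
import configparser
import os
import stat
from pathlib import Path


def find_ansible_cfg(env=None, cwd=None, home=None):
    """Return the first config file in the search order listed above, or None."""
    env = os.environ if env is None else env
    candidates = [
        env.get("ANSIBLE_CONFIG"),
        Path(cwd or os.getcwd()) / "ansible.cfg",
        Path(home or Path.home()) / ".ansible.cfg",
        "/etc/ansible/ansible.cfg",
    ]
    for candidate in candidates:
        if candidate and Path(candidate).is_file():
            return Path(candidate)
    return None


def parse_vault_identity_list(cfg_path):
    """Return [(vault_id, source), ...] from [defaults] vault_identity_list."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read(cfg_path)
    raw = parser.get("defaults", "vault_identity_list", fallback="")
    entries = []
    for item in filter(None, (part.strip() for part in raw.split(","))):
        vault_id, sep, source = item.partition("@")
        if not sep:  # no "id@" prefix; "default" is this sketch's label
            vault_id, source = "default", item
        entries.append((vault_id, os.path.expanduser(source)))
    return entries


def audit_source(path):
    """Return a list of problems with one vault password source."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return ["missing"]
    problems = []
    if not mode & stat.S_IXUSR:
        problems.append("not executable by owner")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        # anyone who can rewrite the helper can capture the vault password
        problems.append("writable by group or others")
    return problems
```

Call find_ansible_cfg() from the directory you run Ansible in, then pass each source from parse_vault_identity_list() to audit_source(); an empty list means these checks found no problem.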
Security Considerations.
The password is stored in the system keyring, for example gnome-keyring or OSX-Keychain. It does this using the keyring Python package.
This means that the password is stored in plain text in the system keyring, and can be read by anyone with access to the system keyring, but this is true for all passwords stored in a system keyring.
Additionally, the password is passed through the Python process running the ansible-vault-keyring tool.
However, in reality this is likely to be at least as secure as copying and pasting the passwords from a password manager, and will certainly be better than reusing a password, or writing it on a Post-it note stuck to your monitor.
Credits
This tool was heavily inspired by vault-keyring-client.py from ansible-community's contrib scripts.
It is either a rewrite or a fork depending on your take, and thus I consider it a derivative work. See the LICENSE file for details of the original authors of vault-keyring-client.py.
Download files
File details
Details for the file ansible_vault_keyring-0.2.0.tar.gz.
File metadata
- Download URL: ansible_vault_keyring-0.2.0.tar.gz
- Upload date:
- Size: 34.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.5.0
File hashes
Algorithm | Hash digest
---|---
SHA256 | 4f97bbd2e06bb331d8f12ef665040a7db102fd153cf13c0b94c67e8d3d411fc2
MD5 | be612f08faa6d67094c5d1528c901d75
BLAKE2b-256 | 8e0d61e4cf4bbd4641029946212f3676135feb05c3162e62b1656814a3b1e83f
File details
Details for the file ansible_vault_keyring-0.2.0-py3-none-any.whl.
File metadata
- Download URL: ansible_vault_keyring-0.2.0-py3-none-any.whl
- Upload date:
- Size: 17.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.5.0
File hashes
Algorithm | Hash digest
---|---
SHA256 | 51d4c0c6be761924d68c8dfb316af48896641d4ebfbe6e543b65335a1739914a
MD5 | a700a67ceee4c8e4955a0be01d447382
BLAKE2b-256 | 3680224379fd7de7ac259eadf93edede2c4b1456d81cf7843b96e06d0199deec