Ansible Vault Bitwarden Client
Use Bitwarden to unlock Ansible vaults.
Description
As described in Storing and accessing vault passwords, Ansible has the ability to retrieve vault passwords from third-party tools using a client script. This script implements the client interface for retrieving passwords from Bitwarden.
Requirements
- Ansible
- bw (Bitwarden CLI tool)
Installation
pip install --user vault-bitwarden-client
From source:
pip install --user /path/to/repos/vault-bitwarden-client
You can also run the script directly, without installing it:
python3 /path/to/repos/vault-bitwarden-client/vault_bitwarden_client.py --help
Setup
Bitwarden entries for your vaults must have names containing "Ansible Vault: $vault_id" and the vault-id should be saved as the username. Use default as the username when no vault-id is being used. For example:
- Name: Ansible Vault: dev
- Username: dev
- Password: S3kr1t
Entries should have unique names, as only the first matching entry will be used. The value for the default vault-id and the Bitwarden search string are both configurable in your ansible.cfg file, as documented below.
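A pre-flight check for the naming rule above, as an added example that is not part of this project's code. It assumes an entry matches when its name contains the search string, and it flags vault-ids where more than one entry matches, the username differs from the vault-id, or the password is empty. SAMPLE_ITEMS is constructed data in the shape of bw list items output; load_items and audit are this example's own names.

```python
import json
import subprocess

SEARCH_TEMPLATE = "Ansible Vault: %(vault_id)s"  # search string from the ansible.cfg example

# Constructed sample in the shape of `bw list items` JSON output (not real data).
SAMPLE_ITEMS = json.loads("""[
  {"name": "Ansible Vault: dev", "login": {"username": "dev", "password": "S3kr1t"}},
  {"name": "Ansible Vault: development", "login": {"username": "development", "password": "x"}},
  {"name": "Ansible Vault: prod", "login": {"username": "production", "password": "y"}},
  {"name": "Ansible Vault: default", "login": {"username": "default", "password": ""}}
]""")


def load_items():
    """Read entries from an unlocked vault (needs bw and BW_SESSION); unused by the demo."""
    out = subprocess.run(["bw", "list", "items", "--search", "Ansible Vault:"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def audit(items, vault_ids, template=SEARCH_TEMPLATE):
    """Return {vault_id: [problems]} without ever echoing a password."""
    report = {}
    for vault_id in vault_ids:
        needle = template % {"vault_id": vault_id}
        # Assumption: matching is "name contains the search string", as the Setup text says.
        matches = [i for i in items if needle in i.get("name", "")]
        problems = []
        if not matches:
            problems.append("no entry")
        else:
            if len(matches) > 1:
                names = ", ".join(repr(m["name"]) for m in matches)
                problems.append(f"ambiguous: {len(matches)} entries match ({names})")
            login = matches[0].get("login") or {}
            if login.get("username") != vault_id:
                problems.append("username does not equal vault-id")
            if not login.get("password"):
                problems.append("empty password")
        report[vault_id] = problems
    return report


if __name__ == "__main__":
    ids = ["dev", "development", "prod", "default", "staging"]
    for vid, problems in audit(SAMPLE_ITEMS, ids).items():
        print(f"{vid}: {'; '.join(problems) or 'ok'}")
```

In the sample, the vault-id dev is reported as ambiguous because "Ansible Vault: dev" is also contained in "Ansible Vault: development", which is the kind of collision the unique-names rule is meant to prevent.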
In order to not be prompted for your Bitwarden password every time, you can update your environment with your session key. For example:
Bash
export BW_SESSION=$(bw unlock --raw)
Fish
set -Ux BW_SESSION (bw unlock --raw)
Otherwise, you will be prompted for your password the same as if you were executing bw on the command line.
Usage
You can call the script directly:
ansible-vault --vault-id dev@$(command -v vault-bitwarden-client) view some_encrypted_file
ansible-playbook --vault-password-file $(command -v vault-bitwarden-client) playbook.yml
Set it in your environment:
export ANSIBLE_VAULT_PASSWORD_FILE=$(command -v vault-bitwarden-client)
ansible-vault --vault-id dev view some_encrypted_file
ansible-playbook playbook.yml
Or configure it in your ansible.cfg file:
[defaults]
vault_password_file = ~/.local/bin/vault-bitwarden-client
# Optional:
[vault]
bitwarden_search = Ansible Vault: %(vault_id)s
bitwarden_default_id = default
In addition to creating Bitwarden entries manually, you can set passwords using this script:
vault-bitwarden-client --set # Sets 'default' password
vault-bitwarden-client --vault-id dev --set # Sets 'dev' password
You can set the bitwarden_password_options in your ansible.cfg file to override the default password generator options, which are -ulns --length 20.
Changing an existing entry's password will output the old password and the new password to facilitate rekeying existing vault files.