
Use Bitwarden to unlock Ansible vaults


Ansible Vault Bitwarden Client


Description

As described in "Storing and accessing vault passwords", Ansible has the ability to retrieve vault passwords from third-party tools using a client script. This script implements the client interface for retrieving passwords from Bitwarden.

Requirements

Installation

pip install --user vault-bitwarden-client

From source:

pip install --user /path/to/repos/vault-bitwarden-client

You can also run the script directly, without installing it:

python3 /path/to/repos/vault-bitwarden-client/vault_bitwarden_client.py --help

Setup

Bitwarden entries for your vaults must have names containing "Ansible Vault: $vault_id" and the vault-id should be saved as the username. Use default as the username when no vault-id is being used. For example:

  • Name: Ansible Vault: dev
  • Username: dev
  • Password: S3kr1t

Entries should have unique names, as only the first matching entry will be used. The value for the default vault-id and the Bitwarden search string are both configurable in your ansible.cfg file, as documented below.
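The lookup rule above as an added sketch, not the project's own code: it assumes the client matches on both the entry name and the username, runs over a constructed sample shaped like `bw list items` JSON output, and the helper name select_entry is hypothetical. It reports duplicate matches instead of silently taking the first one.

```python
import json

# Defaults shown in the page's ansible.cfg example.
SEARCH_TEMPLATE = "Ansible Vault: %(vault_id)s"
DEFAULT_ID = "default"

# Constructed sample in the shape of `bw list items --search ...` JSON output.
SAMPLE_ITEMS = json.loads("""[
  {"name": "Ansible Vault: dev-staging",
   "login": {"username": "dev-staging", "password": "constructed-staging"}},
  {"name": "Ansible Vault: dev",
   "login": {"username": "dev", "password": "constructed-dev-1"}},
  {"name": "Ansible Vault: dev (old)",
   "login": {"username": "dev", "password": "constructed-dev-2"}},
  {"name": "Ansible Vault: default",
   "login": {"username": "default", "password": "constructed-default"}}
]""")


def select_entry(items, vault_id=None, search=SEARCH_TEMPLATE, default_id=DEFAULT_ID):
    """Hypothetical helper: return (password, warnings) for one vault-id."""
    vault_id = vault_id or default_id
    needle = search % {"vault_id": vault_id}
    # Assumption: match on name substring AND exact username, so that
    # "Ansible Vault: dev" does not pick up "Ansible Vault: dev-staging".
    matches = [
        item for item in items
        if needle in item.get("name", "")
        and (item.get("login") or {}).get("username") == vault_id
    ]
    if not matches:
        raise LookupError(f"no Bitwarden entry for vault-id {vault_id!r}")
    warnings = []
    if len(matches) > 1:
        names = ", ".join(item.get("name", "") for item in matches)
        warnings.append(f"{len(matches)} entries match {vault_id!r}: {names}")
    password = matches[0]["login"].get("password")
    if not password:
        raise LookupError(f"entry for vault-id {vault_id!r} has no password")
    return password, warnings


if __name__ == "__main__":
    for vid in ("dev", "dev-staging", None):
        pw, warns = select_entry(SAMPLE_ITEMS, vid)
        print(vid or DEFAULT_ID, "->", "*" * len(pw), warns)
```

Running the same check against your own vault listing before a rekey shows whether any vault-id resolves to more than one entry.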

In order to not be prompted for your Bitwarden password every time, you can update your environment with your session key. For example:

Bash

export BW_SESSION=$(bw unlock --raw)

Fish

set -Ux BW_SESSION (bw unlock --raw)

Otherwise, you will be prompted for your password the same as if you were executing bw on the command line.

Usage

You can call the script directly:

ansible-vault --vault-id dev@$(command -v vault-bitwarden-client) view some_encrypted_file

ansible-playbook --vault-password-file $(command -v vault-bitwarden-client) playbook.yml

Set it in your environment:

export ANSIBLE_VAULT_PASSWORD_FILE=$(command -v vault-bitwarden-client)

ansible-vault --vault-id dev view some_encrypted_file

ansible-playbook playbook.yml

Or configure it in your ansible.cfg file:

[defaults]
vault_password_file = ~/.local/bin/vault-bitwarden-client

# Optional:
[vault]
bitwarden_search = Ansible Vault: %(vault_id)s
bitwarden_default_id = default

In addition to creating Bitwarden entries manually, you can set passwords using this script:

vault-bitwarden-client --set                 # Sets 'default' password
vault-bitwarden-client --vault-id dev --set  # Sets 'dev' password

You can set the bitwarden_password_options in your ansible.cfg file to override the default password generator options, which are -ulns --length 20.

Changing an existing entry's password will output the old password and the new password to facilitate rekeying existing vault files.

Download files

Source Distribution

vault-bitwarden-client-1.0.0.tar.gz (4.3 kB)

Built Distribution

vault_bitwarden_client-1.0.0-py3-none-any.whl (4.5 kB)
