DEV Community

Marvin Rabe

Storing Ansible Vault Password in macOS Keychain

Ansible is a powerful automation tool that allows you to manage your infrastructure as code. One of its features is Ansible Vault, a utility that lets you keep sensitive data, such as passwords or keys, encrypted. To decrypt this data, you need a password, which you typically have to enter manually every time you run an Ansible command that uses encrypted data. This blog post will guide you through the process of storing your Ansible Vault password in the macOS Keychain, so you don't have to enter it manually every time.

Step 1: Create a Password File

First, we need to create a file that will contain a script to fetch the Ansible Vault password from the macOS Keychain. Let’s create a file named ~/.ansible-vault-password with the following content:

#!/bin/sh
# Account name of the Keychain item (the -a value used when the item is added in Step 3)
NAME="default"
# -w prints only the password to standard output. If the item is missing or the
# keychain is locked, security exits non-zero and Ansible aborts the run instead
# of silently decrypting with an empty password.
/usr/bin/security find-generic-password -w -l ansible-vault-password -a "$NAME"

This script uses the security command to fetch a password from the macOS Keychain. The -w option tells the command to print only the password to standard output. The -l option specifies the label of the keychain item, and the -a option specifies the account name for this item. The variable is quoted so that the script keeps working if you ever pick an account name containing spaces.

Step 2: Make the Password File Executable

To make the script we created in Step 1 executable, run the following command:

chmod +x ~/.ansible-vault-password

This command changes the permissions of the file to make it executable. This step matters more than it looks: Ansible only runs vault_password_file as a script when the file is executable; a non-executable file is read as-is and its literal contents are used as the Vault password, so without the chmod Ansible would try to decrypt with the text of the script itself. The file contains no secret, but there is no reason for other users to read it either, so chmod 700 is a reasonable choice.

Step 3: Add the Password to the macOS Keychain

Now, we need to add the Ansible Vault password to the macOS Keychain. Run the following command, replacing secret with your actual Ansible Vault password:

security add-generic-password \
 -s ansible-vault-password \
 -a default \
 -w secret

This command uses the security command to add a generic password (i.e., our Ansible Vault password) to the macOS Keychain. Because no -l label is given, the Keychain uses the service name (-s) as the item's label, which is exactly what the script from Step 1 looks up with -l. Passing the password with -w puts it into your shell history and makes it briefly visible in the process list; if you omit -w, security prompts for the password interactively instead, which avoids both.

Step 4: Update the Ansible Configuration File

Finally, we need to tell Ansible to use our script to fetch the Vault password. To do this, add the following lines to your Ansible configuration file (e.g., ~/.ansible.cfg):

[defaults]
vault_password_file = ~/.ansible-vault-password

This configuration tells Ansible to use the script we created as the source for the Vault password. The same setting can be given per shell session with the ANSIBLE_VAULT_PASSWORD_FILE environment variable or per command with --vault-password-file, which is handy when you keep one Keychain item per project.
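The four steps above can be folded into one installer script. The following is an added example (not code from the original post) that writes the Step 1 lookup script with owner-only permissions, uses the service name (-s) that Step 3 sets rather than the label, and makes the generated script exit non-zero with a message on stderr when the Keychain item is missing, so Ansible fails loudly rather than decrypting with an empty password. The function names, the "install" argument and the "svc"/"acct" sample names used in the checks are this example's own; the Keychain command-line flags are the ones documented for /usr/bin/security.

```shell
#!/bin/sh
# Added example: generate the Keychain-backed Ansible Vault password script.
# Function names and the "install" argument are this example's own conventions.

# write_vault_password_script TARGET SERVICE ACCOUNT
# Writes a script at TARGET that prints the Keychain password for SERVICE/ACCOUNT.
write_vault_password_script() {
    target=$1
    service=$2
    account=$3
    # umask 077 inside a subshell so a newly created file is owner-only from the start
    (
        umask 077
        cat > "$target" <<EOF
#!/bin/sh
# Generated: fetch the Ansible Vault password from the macOS Keychain.
# -w prints only the password; -s matches the service name used by add-generic-password.
SERVICE="$service"
ACCOUNT="$account"
if ! /usr/bin/security find-generic-password -w -s "\$SERVICE" -a "\$ACCOUNT"; then
    echo "vault password script: no Keychain item for service '\$SERVICE', account '\$ACCOUNT'" >&2
    exit 1
fi
EOF
    )
    # Executable is required: Ansible only runs the file as a script when it is executable.
    chmod 700 "$target"
}

# check_owner_only PATH
# Returns 0 when group and other have no permission bits at all (portable via ls -ld).
check_owner_only() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????------) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh setup-vault-password.sh install
# Writes ~/.ansible-vault-password for the service/account names used in Steps 1 and 3.
if [ "${1:-}" = "install" ]; then
    write_vault_password_script "$HOME/.ansible-vault-password" ansible-vault-password default
    check_owner_only "$HOME/.ansible-vault-password" || { echo "unexpected file mode" >&2; exit 1; }
    echo "wrote $HOME/.ansible-vault-password"
fi
```

After running it with the install argument, add the Keychain item as in Step 3 and test the lookup once by hand with ~/.ansible-vault-password before pointing ansible.cfg at it; if the item is missing you get the stderr message and exit status 1 rather than an empty line.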

Conclusion

With these steps, you have now automated the process of entering the Ansible Vault password. Instead of typing the password every time you run an Ansible command that uses encrypted data, the system will fetch the password from the macOS Keychain automatically.

This not only saves time but also increases security as you don't need to store your sensitive passwords in plain text files. Plus, macOS Keychain is a secure and convenient place to store passwords, as it is encrypted and can be unlocked with your macOS user password.

Please note that this method is specific to macOS, as it uses the macOS Keychain utility. For Linux or other operating systems, you would need to use a different method to securely store and retrieve your Ansible Vault password.
