I have successfully set up a vault_password_file that contains a script to read the password from Bitwarden. I want to do the same for the "become password" but don't see where and how that would be possible.
The ansible.cfg is:
[defaults]
inventory=./inventory.yml
vault_password_file=./ansible-vault-pass.sh
[privilege_escalation]
become=True
Ansible-vault-pass is the following (though the details don't matter, this works):
#!/bin/bash
# Bitwarden item that holds the vault password
_BW_ENTRY_ID="my-ansible-vault-pass"
# unlock and keep the session key in a shell variable rather than exporting it
_bw_session="$(bw unlock --raw)"
# print the password on stdout for Ansible to read (no echo, so a password
# that starts with -n or -e is not mangled)
bw get password "${_BW_ENTRY_ID}" --session "${_bw_session}" --raw
I have a similar script to look up and return the become password, but cannot find how to hook that into the config to be used instead of prompting the user.
I am aware of setting this in group_vars/all/clear.yml, e.g. as follows:
ansible_become_password: "{{ vault_enabled_ansible_become_password }}"
And then storing the password in the vault. The problem with that approach is that the vault is shared amongst sysadmins that can run ansible on the server fleet. But I don't want any such sysadmin to be able to read the sudo password of their colleagues. Hence the approach with Bitwarden/script.
The problem with these kinds of questions is that there are several answers, and the "right" one depends on your workflow and tolerance for customization. That said, here are a few I know of:
- ansible_become_pass var based on whatever logic you wish
- lookup_plugins, and then set ansible_become_pass: '{{ lookup("bitwarden", "whatever", field="password") }}'
- become_plugins, and modify it to return the pass from get_option("become_pass") using a mechanism of your choice
- ansible-playbook-with-bitwarden shell script that will populate $ANSIBLE_BECOME_PASS before launching ansible-playbook
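As an added example (not code from the question or the answer above), this is what the last option, a wrapper script that exports ANSIBLE_BECOME_PASS from Bitwarden and then runs ansible-playbook, can look like. It assumes the Bitwarden CLI is already logged in and a Bitwarden item named my-ansible-become-pass (an assumed name), and it refuses an empty or multi-line lookup result so a broken lookup cannot quietly turn into the become password.

```shell
#!/bin/bash
# ansible-playbook-with-bitwarden: export ANSIBLE_BECOME_PASS from Bitwarden,
# then exec ansible-playbook with the original arguments.
# Assumes `bw` is logged in; the item name below is an assumption.

BW_BECOME_ENTRY="${BW_BECOME_ENTRY:-my-ansible-become-pass}"

# Print the password of a Bitwarden item on stdout, nothing else.
# Fails (non-zero) on an empty or multi-line result so a broken lookup
# never becomes an empty become password that Ansible would happily use.
fetch_become_pass() {
    local entry="$1" session pass
    session="$(bw unlock --raw)" || return 1
    pass="$(bw get password "$entry" --session "$session" --raw)" || return 1
    if [ -z "$pass" ]; then
        echo "no password found for Bitwarden item '$entry'" >&2
        return 1
    fi
    if [ "$(printf '%s\n' "$pass" | wc -l)" -ne 1 ]; then
        echo "password for '$entry' is not a single line" >&2
        return 1
    fi
    printf '%s' "$pass"
}

main() {
    local pass
    pass="$(fetch_become_pass "$BW_BECOME_ENTRY")" || exit 1
    # The secret travels through the environment only, never through argv,
    # so it is not visible in `ps` output or in shell history.
    export ANSIBLE_BECOME_PASS="$pass"
    exec ansible-playbook "$@"
}

# Run main only when executed under the installed script name, so the file
# can also be sourced (for example by tests) without touching Bitwarden.
case "${0##*/}" in
    ansible-playbook-with-bitwarden) main "$@" ;;
esac
```

Install it as ansible-playbook-with-bitwarden on your PATH and call it exactly like ansible-playbook; the become password never lands in a shared vault or on the command line.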