Tags: ansible, ansible-vault

How to pass a password to the vault-id in a bash script?


I have a bash script that runs multiple ansible-playbooks.

e.g. before encryption:

ansible-playbook check_patch_applied.yml --extra-vars="target=123 patch_number=232323" -v
ansible-playbook apply_patch.yml --extra-vars="target=np026 patch_number=232323" -v

I have recently encrypted the vault. Instead of keeping the vault password on a file on the server (which I think is insecure), I would prefer to type it in and then use that throughout the bash script to run the playbooks.

I don't want to have to type in the password for each playbook. I just want to type it in once at the beginning of the script and then pass it to the ansible-playbook lines.

I tried this:

read -p "Please enter the Ansible Vault password ? : " vault_password
vault_password=${vault_password,,}

ansible-playbook check_patch_applied.yml --extra-vars="target=123 patch_number=232323" --vault-id < (echo ${vault_password})'

but I get syntax errors. Any ideas please? Thanks in advance.

I also tried this:
ansible-playbook check_patch_applied.yml --extra-vars="target=$target patch_number=$i" --vault-id @prompt < (echo "${vault_password}")

./patch.sh: line 117: syntax error near unexpected token `('
./patch.sh: line 117: `    ansible-playbook check_patch_applied.yml --extra-vars="target=$target patch_number=$i" -v --vault-id @prompt < (echo "${vault_password}")'

I don't want to use --vault-password-file and I do not want to keep the vault password on the server.


Solution

  • Here is a possible solution adapted from another answer. The trick is to use /bin/cat as the vault password file while providing the password from stdin:

    read -p "Please enter the Ansible Vault password ? : " vault_password
    
    echo ${vault_password} | ansible-playbook check_patch_applied.yml --extra-vars="target=123 patch_number=232323" --vault-password-file=/bin/cat
    

    This will ask for your password interactively while being able to reuse it in different ansible commands in the same script without storing it on disk.
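The answer's /bin/cat trick carried through into a complete patch script, as an added example that is not code from the question or the answer. It prompts once with `read -s` (so the passphrase is not echoed), keeps the value only in shell memory, and pipes it into each ansible-playbook run; because `printf` is a builtin, the secret never appears in the process list or on disk. The function names `prompt_vault_password`, `run_playbook`, `stand_in_playbook` and the `PLAYBOOK_CMD` override are all hypothetical helpers introduced here; the playbook names and extra-vars are the ones from the question. (The `syntax error near unexpected token '('` in the question is bash rejecting the space between `<` and `(`; this example does not use process substitution at all.)

```shell
#!/usr/bin/env bash
# Added example (not the question's or answer's own code): prompt for the
# vault password once, keep it only in shell memory, and hand it to each
# ansible-playbook run through stdin using the /bin/cat trick from the answer.
# prompt_vault_password, run_playbook, stand_in_playbook and PLAYBOOK_CMD are
# hypothetical helpers defined in this script.
set -euo pipefail

# Read the passphrase without echoing it (-s) and without backslash
# processing (-r), from the controlling terminal so a redirected stdin does
# not interfere. The value is printed to stdout for capture; nothing is
# written to disk, and the case of the passphrase is preserved as typed.
prompt_vault_password() {
    local pw
    read -rsp "Ansible Vault password: " pw < /dev/tty
    printf '\n' > /dev/tty
    printf '%s' "$pw"
}

# Run one playbook. Ansible executes an *executable* --vault-password-file and
# uses its stdout as the password; /bin/cat just copies the stdin we pipe in.
# printf is a shell builtin, so the secret shows up neither in `ps` output nor
# in any file. PLAYBOOK_CMD (hypothetical) lets a stand-in replace the real
# ansible-playbook for offline dry runs.
run_playbook() {
    local playbook=$1
    shift
    printf '%s\n' "$VAULT_PASSWORD" |
        "${PLAYBOOK_CMD:-ansible-playbook}" "$playbook" "$@" --vault-password-file=/bin/cat
}

# Constructed stand-in for ansible-playbook, used only for dry runs. It mimics
# the single Ansible behaviour the trick depends on: an executable password
# source is run and its stdout taken as the password, a plain file is read.
# Real Ansible would go on to decrypt; the stand-in only reports what it got.
stand_in_playbook() {
    local arg pwfile=""
    for arg in "$@"; do
        case $arg in
            --vault-password-file=*) pwfile=${arg#--vault-password-file=} ;;
        esac
    done
    [ -n "$pwfile" ] || { echo "stand-in: no vault password source given" >&2; return 1; }
    if [ -x "$pwfile" ]; then
        printf 'vault password received: %s\n' "$("$pwfile")"
    else
        printf 'vault password received: %s\n' "$(cat "$pwfile")"
    fi
}

# The patch workflow from the question: one prompt, several playbook runs.
main() {
    VAULT_PASSWORD=$(prompt_vault_password)
    run_playbook check_patch_applied.yml --extra-vars="target=123 patch_number=232323" -v
    run_playbook apply_patch.yml --extra-vars="target=np026 patch_number=232323" -v
}

# Start the interactive flow only when asked (./patch.sh --run), so the
# functions can also be sourced or exercised with the stand-in.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `./patch.sh --run` against a real Ansible install. To see the mechanism without Ansible, set `PLAYBOOK_CMD=stand_in_playbook` and `VAULT_PASSWORD` in the same shell and call `run_playbook` directly: the stand-in executes `/bin/cat`, which reads the piped passphrase, exactly as Ansible does with an executable password file.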