I’ve recently started using Invoke as my orchestrator after crgm suggested it, which has got me thinking more about streamlining my processes. Today I hooked bitwarden into the mix. This is a first pass, but I’m happy with it.
First up, I installed the bitwarden cli. See their docs for install and login steps.
Once that is working and I found that I could retrieve a password, I configured my orchestration.
You can’t just pass the key in the command-line arguments to ansible-playbook. The available options are to provide a password file (--vault-password-file) or to have ansible ask for the key to be typed. One could probably pipe the key in, but that feels pretty yucky to me, though not as yucky as writing cleartext creds to a file on disk. Fortunately --vault-password-file will also accept an executable that prints the key to stdout.
```python
#!/usr/bin/env python3
import subprocess


def get_vault_key(search='ansible vault key'):
    """Return the password of the bitwarden item matching `search`."""
    # Pass the search term as one argument: splitting the whole command
    # string on whitespace would turn a multi-word item name into several.
    command = ['bw', 'get', 'password', search]
    # check=True: a failed lookup (e.g. locked vault) exits non-zero, so
    # ansible-playbook errors out rather than using an empty key.
    key = subprocess.run(command, check=True, stdout=subprocess.PIPE)
    return key.stdout.decode('utf-8')


# Only the key goes to stdout; ansible-playbook reads it from there.
print(get_vault_key())
```
It needs to be executable, so:

```shell
chmod u+x vault-pass.py
```
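As an added example (not from the original post), here is a dry-run check for vault-pass.py that mimics how ansible-playbook consumes an executable --vault-password-file: run it, take stdout, drop the trailing newline, and treat a non-zero exit as failure. The constructed demo scripts stand in for bw; the single-line and non-empty checks are this script's own policy, not Ansible's.

```python
#!/usr/bin/env python3
"""Dry-run a --vault-password-file script the way ansible-playbook consumes it
(simplified re-implementation, not Ansible's code: run if executable, else read)."""
import os
import stat
import subprocess
import tempfile

class VaultPassError(Exception):
    """The file cannot yield a usable vault secret."""

def read_vault_secret(path):
    """Return the secret Ansible would derive from `path`, or raise.
    A non-zero exit (e.g. bw locked) or extra lines on stdout (bw prompts,
    warnings) would otherwise corrupt the key silently, so both fail here."""
    if os.access(path, os.X_OK):
        proc = subprocess.run([os.path.abspath(path)],
                              stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        if proc.returncode != 0:
            raise VaultPassError('script exited %d: %s' % (
                proc.returncode, proc.stderr.decode('utf-8', 'replace').strip()))
        raw = proc.stdout.decode('utf-8')
    else:
        with open(path, encoding='utf-8') as fh:
            raw = fh.read()
    secret = raw.rstrip('\r\n')
    if not secret:
        raise VaultPassError('no vault secret produced by %s' % path)
    if '\n' in secret:
        raise VaultPassError('script wrote more than one line to stdout')
    return secret

def write_demo_script(body):
    """Write a constructed stand-in for vault-pass.py and mark it executable."""
    fd, path = tempfile.mkstemp(suffix='.py')
    with os.fdopen(fd, 'w') as fh:
        fh.write('#!/usr/bin/env python3\n' + body)
    os.chmod(path, stat.S_IRWXU)
    return path

def demo():
    """Run the good, locked-vault and chatty cases against constructed scripts."""
    results = {'ok': read_vault_secret(write_demo_script("print('s3cret-key')\n"))}
    for name, body in [('locked', "import sys; sys.exit('Vault is locked.')\n"),
                       ('chatty', "print('? Master password: ok')\nprint('s3cret-key')\n")]:
        try:
            results[name] = read_vault_secret(write_demo_script(body))
        except VaultPassError as err:
            results[name] = str(err)
    return results
```

Point read_vault_secret at the real vault-pass.py to confirm it yields exactly one line before wiring it into the playbook run.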
The deployment task in Invoke's tasks file:

```python
from invoke import task


@task
def deploy(c, verbose=False):
    """Run the playbook; the vault key comes from vault-pass.py, not the terminal."""
    options = ''
    if verbose:
        options += ' -vvv'
    c.run('ansible-playbook play.yml -i inventory --ask-become-pass '
          '--vault-password-file vault-pass.py' + options)
```
Now I can run invoke deploy and not have to type the vault key. I want to get rid of the become password next, but will be focusing on moving this approach toward a python module and ansible-runner before then.