I use Bitwarden as my password manager, and I highly recommend it. I also use Ansible a whole lot, and make heavy use of Ansible Vault.

I’ve recently started using Invoke as my orchestrator after crgm suggested it, which has got me thinking more about streamlining my processes. Today I hooked Bitwarden into the mix. This is a first pass, but I’m happy with it.

First up, I installed the Bitwarden CLI (bw). See their docs for install and login steps.

Once that was working and I had confirmed I could retrieve a password, I configured my orchestration.

You can’t pass the vault key as a command-line argument to ansible-playbook. The available options are a password file (--vault-password-file) or an interactive prompt (--ask-vault-pass). One could probably pipe the key in, but that feels pretty yucky to me, though not as yucky as writing cleartext creds to a file on disk. Fortunately --vault-password-file also accepts an executable: ansible runs it and reads the key from its stdout.

Steps

vault-pass.py:

#!/usr/bin/env python3

import subprocess


def get_vault_key(search='ansible vault key'):
    # Pass the search term as a single argument. Splitting the whole
    # command string on whitespace would turn a multi-word item name
    # into stray extra arguments for bw.
    command = ['bw', 'get', 'password', search]
    key = subprocess.run(command, check=True, stdout=subprocess.PIPE)
    return key.stdout.decode('utf-8')


print(get_vault_key())
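A slightly more defensive version of the same script, added here as an example and not part of the original post. It keeps the key off disk and out of argv, picks up an unlocked Bitwarden session from the BW_SESSION environment variable (the variable and the --session flag are read by the bw CLI), reports a locked vault or missing item on stderr with a non-zero exit so ansible fails loudly instead of decrypting with an empty key, and writes the key without a trailing newline. The item name 'ansible vault key' is the one from the post; the runner parameter exists only so the logic can be exercised without a live bw.

```python
#!/usr/bin/env python3
"""Vault password script for --vault-password-file (hypothetical example).

Ansible executes this file and takes its stdout as the vault key.
"""
import os
import subprocess
import sys

DEFAULT_SEARCH = "ansible vault key"  # Bitwarden item name used in the post


def build_command(search=DEFAULT_SEARCH, session=None):
    # The search term is one argv element, so multi-word item names survive.
    # The session token, when present, is passed explicitly to bw.
    cmd = ["bw", "get", "password", search]
    if session:
        cmd += ["--session", session]
    return cmd


def fetch_vault_key(search=DEFAULT_SEARCH, runner=subprocess.run):
    """Return the vault key from Bitwarden, or raise RuntimeError.

    `runner` defaults to subprocess.run; a stand-in can be injected for tests.
    """
    session = os.environ.get("BW_SESSION")  # set by `bw unlock`
    result = runner(
        build_command(search, session),
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        check=False,
    )
    if result.returncode != 0:
        # bw prints the reason (locked vault, no match, several matches) on stderr.
        reason = result.stderr.decode("utf-8", "replace").strip() or "bw failed"
        raise RuntimeError(f"could not read '{search}' from Bitwarden: {reason}")
    key = result.stdout.decode("utf-8").strip()
    if not key:
        raise RuntimeError(f"Bitwarden returned an empty password for '{search}'")
    return key


def main():
    try:
        key = fetch_vault_key()
    except RuntimeError as exc:
        # A non-zero exit makes ansible-playbook abort rather than proceed with
        # a bad key; the message on stderr shows up in its error output.
        print(f"vault-pass: {exc}", file=sys.stderr)
        return 1
    sys.stdout.write(key)  # no trailing newline; nothing else goes to stdout
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run `bw unlock` first and export the BW_SESSION value it prints; then `ansible-playbook ... --vault-password-file ./vault-pass.py` works as in the post, and a locked or logged-out vault produces a clear error instead of a silent decryption failure.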

It needs to be executable, since ansible only runs the file (rather than reading it as plain text) when the executable bit is set, so chmod u+x vault-pass.py

Deployment step in Invoke's tasks.py:

from invoke import task


@task
def deploy(c, verbose=False):
    options = ''
    if verbose:
        options += ' -vvv'
    # ansible runs vault-pass.py and reads the vault key from its stdout;
    # the become password is still prompted for interactively.
    c.run('ansible-playbook play.yml -i inventory --ask-become-pass --vault-password-file vault-pass.py' + options)

Now I can run invoke deploy and not have to type the vault key. I want to get rid of the become password next, but will focus on moving this approach into a python module and ansible-runner before then.