monotux.tech

I used to manage my Ansible vault passphrase as a plain text file – like a caveman! In this post I will give some alternatives that are less terrible than my starting point.

Basic setup

I keep a file called ansible.cfg.default in my git repository, in which I track my default Ansible configuration. I’ve also added ansible.cfg to my .gitignore so that I can have slightly different configuration files on different systems, for example when using different secret storage backends on different operating systems.

The file looks something like this:

[defaults]
# remote_user is the ansible.cfg key; ansible_user is the inventory variable of the same meaning
remote_user = root
log_path = ansible.log
roles_path = ~/.ansible/roles:roles
vault_password_file = ./.vault_pass

That last line, vault_password_file, is how I’ve chosen to support different backends: it points at a script, and whatever that script prints to standard output is used as the vault password. I’m tracking all files below in my homelab git repository.

kwallet

As I’m experimenting with Asahi Fedora Remix on my MacBook Air, I’m using Plasma again, so kwallet is my first example.

Using kwalletmanager5 I created a new folder called ansible in my default wallet (default name is kdewallet). Inside that folder I created a password entry called vault which just contained my vault password.

Then I created vault-kwallet.sh and made it executable.

#!/bin/bash

kwallet-query -r vault kdewallet -f ansible

Finally, change ansible.cfg to use this:

[defaults]
# ...
vault_password_file = ./vault-kwallet.sh

macOS wallet

Same principle here: create a generic password in the macOS Keychain using the security command line tool (the -w flag with no value prompts for the password instead of putting it in your shell history):

$ security add-generic-password -a oscar -s ansible-vault-lab -w
password data for new item:
retype password for new item:

Save below as vault-macos.sh:

#!/bin/sh

/usr/bin/security find-generic-password -a oscar -s ansible-vault-lab -w

Change ansible.cfg to something like this:

[defaults]
# ...
vault_password_file = ./vault-macos.sh

GNOME keyring

To store your secret in the GNOME keyring, use secret-tool (and yes, setting a label is required; the trailing ansible vault pair is the attribute/value used to look the entry up later):

$ secret-tool store --label=ansible ansible vault
Password:

Save below as vault-secret-tool.sh:

#!/bin/sh

secret-tool lookup ansible vault

And finally, make Ansible use it:

[defaults]
# ...
vault_password_file = ./vault-secret-tool.sh

Windows

Update 2026: I eventually needed this, and it wasn’t hard. I am assuming that you are using WSL in the example below, but the same principle can be used with PowerShell as well.

First, define a generic credential in the Windows Credential Manager that stores your vault password (like in this article); call it foobar and put anything in the user name field.

Then save the following as vault-windows.sh, changing foobar to whatever you called your credential:

#!/bin/sh
# Get-StoredCredential comes from the CredentialManager PowerShell module,
# which has to be installed on the Windows side. The secret is converted
# from a SecureString, printed, and the unmanaged copy zeroed again.
powershell.exe -NoProfile -Command '
$ss=(Get-StoredCredential -Target "foobar").Password
$ptr=[Runtime.InteropServices.Marshal]::SecureStringToBSTR($ss)
try{
  [Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr)
}
finally{
  [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr)
}' | tr -d '\r'

If you are running Ansible from PowerShell on Windows directly, just use the inlined PowerShell script as your vault password script instead.
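As an added example that is not part of the original post, here is one vault_password_file script that folds the four backends above into a single dispatcher and adds the check the individual scripts lack: it refuses to return an empty or CR-terminated passphrase, so a locked or missing keyring fails loudly instead of letting Ansible try to decrypt with "". The function names are mine; entry, service and credential names follow the post, and the macOS account name is assumed to be the login user.

```shell
#!/bin/sh
# vault-pass.sh: one vault_password_file script for every machine. It picks
# whichever secret store exists here (macOS Keychain, kwallet, GNOME keyring
# or Windows Credential Manager via WSL). Names are assumptions matching the
# per-backend scripts above: folder "ansible"/entry "vault", service
# "ansible-vault-lab" (account = login user), Windows credential "foobar".

have() { command -v "$1" >/dev/null 2>&1; }

# Print the name of the first usable backend, or "none".
select_backend() {
    if have security && [ "$(uname -s)" = Darwin ]; then echo macos
    elif have kwallet-query; then echo kwallet
    elif have secret-tool; then echo secret-tool
    elif have powershell.exe; then echo windows
    else echo none
    fi
}

# Raw lookup for one backend; the output may carry a trailing CR on WSL.
# Get-StoredCredential comes from the CredentialManager PowerShell module.
lookup() {
    case "$1" in
        kwallet)     kwallet-query -f ansible -r vault kdewallet ;;
        secret-tool) secret-tool lookup ansible vault ;;
        macos)       security find-generic-password -a "$USER" -s ansible-vault-lab -w ;;
        windows)     powershell.exe -NoProfile -Command '
$p=[Runtime.InteropServices.Marshal]::SecureStringToBSTR((Get-StoredCredential -Target "foobar").Password)
try{[Runtime.InteropServices.Marshal]::PtrToStringBSTR($p)}finally{[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($p)}' ;;
        *)           return 1 ;;
    esac
}

# Strip CRs and reject an empty result, so a locked or missing keyring fails
# loudly instead of letting Ansible try to decrypt with "".
sanitize() {
    s=$(printf '%s' "$1" | tr -d '\r')
    [ -n "$s" ] || return 1
    printf '%s\n' "$s"
}

main() {
    backend=$(select_backend)
    [ "$backend" != none ] || { echo "vault-pass.sh: no supported secret store found" >&2; return 1; }
    raw=$(lookup "$backend") || { echo "vault-pass.sh: $backend lookup failed" >&2; return 1; }
    sanitize "$raw" || { echo "vault-pass.sh: $backend returned an empty secret" >&2; return 1; }
}

main "$@"
```

Save it as vault-pass.sh, make it executable, and point vault_password_file at it; a non-zero exit makes Ansible abort with the error on stderr rather than silently failing decryption.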