Ansible is a framework that helps with automating deployments, among other things. It has a feature called Ansible Vault that enables you to encrypt secrets in your ansible files. These vault encrypted secrets can only be decrypted if you provide the correct password. This means you can store things like database passwords and other sensitive settings in your repository, in a secure manner. For password access to your secrets, you are given 3 options:
- Ansible asks you to enter a password every time the secrets are needed
- You provide a file that has the password in it
- You leave everything decrypted until you’re ready to commit your changes, then you encrypt them using option 1 or 2 (and later decrypt when you want to make changes).
Entering a password all the time gets annoying real quick, but having a password file laying around does not seem all that secure. Plus it’s hard to share securely if you’re collaborating with others. Option 3 requires you to not make a mistake and accidentally commit decrypted secrets. What if there was a better way?
Lastpass is a great place to store your passwords, and generate secure ones, but it is annoying to look up, copy, then paste the password back into ansible, and you need to add `--ask-vault-pass` to every ansible command. However, Lastpass has a neat command line utility that you can use to get a password saved in Lastpass. With some minor scripting, you can integrate this with the ansible password file, so that you don't have a plaintext password file laying around. I learned a lot about how to do this from How to use Ansible Vault with LastPass but decided that simple scripting worked better for me than installing a ruby gem.
- Install lastpass-cli
- Create a bash script we'll call `lpass_vault.sh`. This must be located wherever you run `ansible` from, and be executable:

```bash
#!/bin/bash
# Ansible runs this file and reads the vault password from its stdout.
# Stop on a failed lookup so an empty password is never handed to ansible.
set -e
PASSWORD=$(lpass show --password "ansible vault")
# Quoted so a password containing spaces or glob characters is printed as-is.
echo "$PASSWORD"
```

- Create an entry in your Lastpass account with the Name "ansible vault". This is what is referenced in the script above.
- Add the following to your environment. You could add it to the bottom of `bin/activate` if you're using python virtualenv:

```bash
export ANSIBLE_VAULT_PASSWORD_FILE=$(command -v ./lpass_vault.sh)
```

- Then run `lpass login` to ensure lastpass is set up
- Now you can run `ansible` with vault encrypted secrets, and at worst you'll be prompted for your lastpass master password.
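The script above does the job, but it is silent about the ways the lookup can fail: lastpass-cli not installed, no active `lpass` session, or an entry whose password field is empty. In each of those cases you want ansible to stop with a clear error rather than quietly try an empty vault password. The following is an added example, not the script from the post, showing a more defensive version of `lpass_vault.sh`. The entry name "ansible vault" and the `lpass show --password` / `lpass status -q` commands are real lastpass-cli usage; the `LPASS_ENTRY` and `LPASS_CMD` variables and the `vault_password` function name are my own choices, and the final `case` only performs the lookup when the file is actually named `lpass_vault.sh`, so the same file can be sourced and checked with a stubbed `lpass`.

```shell
#!/bin/sh
# Added example (not from the original post): a defensive lpass_vault.sh.
# Ansible executes the file named by ANSIBLE_VAULT_PASSWORD_FILE and reads
# the password from its stdout, so this script must print ONLY the password,
# and must exit non-zero (with a message on stderr) when the lookup fails.
set -u

# Lastpass entry holding the vault password. The entry name comes from the
# post; making it overridable through LPASS_ENTRY is an assumption.
LPASS_ENTRY="${LPASS_ENTRY:-ansible vault}"

# Command used to reach Lastpass. Overridable (assumption) so the lookup can
# be exercised against a stub instead of a real lpass session.
LPASS_CMD="${LPASS_CMD:-lpass}"

# vault_password ENTRY: print the password stored in ENTRY on stdout.
# Returns 0 on success and 1 on any failure, so ansible sees an error
# instead of an empty password line.
vault_password() {
    entry="$1"

    if ! command -v "$LPASS_CMD" >/dev/null 2>&1; then
        echo "lpass_vault: '$LPASS_CMD' not found; install lastpass-cli" >&2
        return 1
    fi

    # `lpass status -q` exits non-zero when there is no active session.
    if ! "$LPASS_CMD" status -q; then
        echo "lpass_vault: not logged in; run 'lpass login <email>' first" >&2
        return 1
    fi

    # $(...) strips the trailing newline; a failing lookup is an error.
    if ! password="$("$LPASS_CMD" show --password "$entry")"; then
        echo "lpass_vault: lookup of '$entry' failed" >&2
        return 1
    fi

    if [ -z "$password" ]; then
        echo "lpass_vault: entry '$entry' has an empty password field" >&2
        return 1
    fi

    # Quoted so a password containing spaces or glob characters is emitted
    # unchanged, and nothing else is written to stdout.
    printf '%s\n' "$password"
}

# Only perform the lookup when executed as the vault password script itself.
# Under any other name (or when sourced) just the function is defined.
case "${0##*/}" in
    lpass_vault.sh) vault_password "$LPASS_ENTRY" ;;
esac
```

Save it as `lpass_vault.sh`, make it executable, and point `ANSIBLE_VAULT_PASSWORD_FILE` at it exactly as in the steps above. A non-zero exit from the script makes ansible report that the vault password script failed, which is far easier to debug than a decryption error caused by an empty password.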
This isn't only more convenient for an individual, it can also be great for teams: you can check vault encrypted secrets into a shared repository, then share the password in Lastpass. Now nothing is exposed in the repository, and the only people that can access the secrets are those with the Lastpass password.