Ansible Vault passwords and ansible_become_pass variable stored in pass (https://www.passwordstore.org) or gopass (https://www.gopass.pw)
Create an encrypted password file with pass or gopass:

    pass insert ansible/test

or

    gopass insert ansible/test

Now you can access the become password stored in ansible/test using the passwordstore lookup plugin.
Set the ansible_become_pass variable in the playbook:

    - name: TEST PLAYBOOK
      hosts: prod
      become: yes
      vars:
        ansible_become_pass: "{{ lookup('passwordstore', 'ansible/test', errors='strict') | default(omit) }}"

You can also create a file that defines the ansible_become_pass variable with the same lookup plugin as in the sample above, and pass it to the ansible-playbook command as extra variables with the -e or --extra-vars option:

    ansible-playbook -b -e @become.yml site.yml

If you need to store a few passwords in the same pass file, use the subkey parameter of the passwordstore plugin:

    ansible_become_pass: "{{ lookup('passwordstore', 'ansible/test subkey=dev_become_pass returnall=no', errors='strict') | default(omit) }}"

An additional subkey in the pass file looks like this:

    dev_become_pass: _SO_SECRET_PASSWORD_

You can also put the Vault password in pass or gopass and use it to decrypt sensitive files or variables stored in the vault.
A script can be used as vault_password_file to provide the vault password stored in pass or gopass: see the ansible-vault-pass-client GitHub repo.
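
A sketch of such a vault password client, added here as an example and not taken from the ansible-vault-pass-client repo. Assumptions: one store entry per vault id under ansible/vault/ (a hypothetical layout), a hypothetical VAULT_PASS_BIN environment variable to switch from pass to gopass, and a file name ending in -client.py so that Ansible calls it with --vault-id.

```python
#!/usr/bin/env python3
"""Vault password client backed by pass or gopass (added example)."""
import argparse
import os
import re
import subprocess
import sys

PREFIX = "ansible/vault"              # assumed store layout: ansible/vault/<vault id>
SAFE_ID = re.compile(r"[A-Za-z0-9_-]+")

def entry_for(vault_id):
    """Map a vault id to a store path; reject ids that could leave PREFIX."""
    if not SAFE_ID.fullmatch(vault_id or ""):
        raise ValueError(f"unsafe vault id: {vault_id!r}")
    return f"{PREFIX}/{vault_id}"

def first_line(output):
    """The password is line 1 of a pass entry; later lines hold subkeys."""
    lines = output.splitlines()
    if not lines or not lines[0].strip():
        raise ValueError("store entry is empty")
    return lines[0]

def fetch(vault_id, binary="pass", run=subprocess.run):
    """Run `<binary> show <entry>` as an argv list, so no shell parsing."""
    proc = run([binary, "show", entry_for(vault_id)],
               check=True, capture_output=True, text=True)
    return first_line(proc.stdout)

def main(argv=None):
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument("--vault-id", default="default")
    args = parser.parse_args(argv)
    try:
        # VAULT_PASS_BIN is a hypothetical override, e.g. VAULT_PASS_BIN=gopass
        secret = fetch(args.vault_id, os.environ.get("VAULT_PASS_BIN", "pass"))
    except (ValueError, OSError, subprocess.CalledProcessError) as exc:
        print(f"vault client: {exc}", file=sys.stderr)  # errors only, never the secret
        return 1
    print(secret)  # Ansible reads the vault password from stdout
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

Saved as an executable vault-pass-client.py, it is selected with ansible-playbook --vault-id prod@vault-pass-client.py site.yml, which makes Ansible run the script with --vault-id prod.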