[ansible] vault_password_file = askpass.py

askpass.py

#!/usr/bin/env python
import sys
import getpass
import argparse

try:
    # Suppress PyGI warning (LP: #1510392)
    import gi
    gi.require_version('GnomeKeyring', '1.0')
except (ImportError, ValueError):
    pass

import keyring


# If you use more than one ansible vault password, you'll want to vary either USERNAME or SERVICE_NAME
SERVICE_NAME = 'ansible'
USERNAME = 'vault'


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('--forget', action='store_true')
    args = parser.parse_args()
    if args.forget:
        keyring.delete_password(SERVICE_NAME, USERNAME)
        print("Removed the password from the keyring")
        sys.exit()
    try:
        if sys.stdout.isatty():
            sys.exit("Refusing to print the password to a terminal.")
        pwd = keyring.get_password(SERVICE_NAME, USERNAME)
        if not pwd:
            pwd = getpass.getpass('Vault password: ')
            keyring.set_password(SERVICE_NAME, USERNAME, pwd)
        print(pwd)
    except KeyboardInterrupt:
        pass

if __name__ == '__main__':
    main()