slacksec · April 3, 2018 05:23
diff --git a/ansible-vault-pass.bash b/ansible-vault-pass.bash
 #!/usr/bin/env bash
 set -e

 #
 # Written by Thomas Kerpe <[email protected]> - Public Domain
 #
 # Small helper script for usage with ansible-vault and ansible-playbook
 # together with [pass](https://www.passwordstore.org/)
 #
 # Say you have stored the vault-password for the current ansible playbook in pass
 # under the name `ansible/demo/vault` then either add a .pass_path file with the content
 # `ansible/demo/vault` or add a entry in the ansible.cfg:
 # ```
 # [pass]
 # vault=ansible/demo/vault
 # ```
 # Now you can call ansible-vault-pass to get the password for the vault. It is especially useful
 # like this:
 # `ansible-playbook site.yml --vault-password-file ~/bin/ansible-vault-pass`
 # or `ansible-vault edit --vault-password-file ~/bin/ansible-vault-pass example.yml`
 # Even more practical: `export ANSIBLE_VAULT_PASSWORD_FILE=~/bin/ansible-vault-pass` then it will
 # be used by default without specifying it.


 if [ -e .pass_path ] ; then
    p=$(cat .pass_path)
 elif [ -e ansible.cfg ] ; then
    p=$(git config -f ansible.cfg --get pass.vault)
 else
    exit 0
 fi

 if [ ! -z "$p" ] ; then
    exec pass "$p"
 else
    exit 1
 fi
diff --git a/ansible-vault-pass.py b/ansible-vault-pass.py
 #!/usr/bin/env python2
 """
 ansible_vault_pass

 A small helper script for usage with ansible-vault and ansible-playbook
 together with pass.

 Written by Thomas Kerpe <[email protected]> - Public Domain

 Say you have stored the vault-password for the current ansible playbook in pass
 under the name ansible/demo/vault then either add a .pass_path file with the content
 ansible/demo/vault or add a entry in the ansible.cfg:

    [pass]
    vault=ansible/demo/vault

 Now you can call ansible-vault-pass to get the password for the vault.
 It is especially useful like this:

    ansible-playbook site.yml --vault-password-file ~/bin/ansible-vault-pass

 or

    ansible-vault edit --vault-password-file ~/bin/ansible-vault-pass example.yml

 Even more practical: 

    export ANSIBLE_VAULT_PASSWORD_FILE=~/bin/ansible-vault-pass

 then it will be used by default without specifying it. It is also useful in CI environments.

 Source: https://gist.github.com/toke/ebc49b7dd08d7b87e23921029176d3f5
 """

 import os.path
 import subprocess
 import ansible.constants
 from ConfigParser import NoOptionError, NoSectionError


 def get_vault_password():
    """
    The magic happenz
    """

    pass_name = ""

    if os.path.isfile(".pass_path"):
        with open(".pass_path") as f:
            pass_name = f.read()
    elif ansible.constants.CONFIG_FILE:
        try:
            pass_name = ansible.constants.p.get("pass", "vault")
        except NoOptionError:
            pass
        except NoSectionError:
            pass
    else:
        pass

    if pass_name:
        c = subprocess.call(["pass", pass_name])
        exit(c)

 if __name__ == '__main__':
    get_vault_password()
	#!/usr/bin/env bash
	set -e

	#
	# Written by Thomas Kerpe <[email protected]> - Public Domain
	#
	# Small helper script for usage with ansible-vault and ansible-playbook
	# together with [pass](https://www.passwordstore.org/)
	#
	# Say you have stored the vault-password for the current ansible playbook in pass
	# under the name `ansible/demo/vault` then either add a .pass_path file with the content
	# `ansible/demo/vault` or add a entry in the ansible.cfg:
	# ```
	# [pass]
	# vault=ansible/demo/vault
	# ```
	# Now you can call ansible-vault-pass to get the password for the vault. It is especially useful
	# like this:
	# `ansible-playbook site.yml --vault-password-file ~/bin/ansible-vault-pass`
	# or `ansible-vault edit --vault-password-file ~/bin/ansible-vault-pass example.yml`
	# Even more practical: `export ANSIBLE_VAULT_PASSWORD_FILE=~/bin/ansible-vault-pass` then it will
	# be used by default without specifying it.


	if [ -e .pass_path ] ; then
	p=$(cat .pass_path)
	elif [ -e ansible.cfg ] ; then
	p=$(git config -f ansible.cfg --get pass.vault)
	else
	exit 0
	fi

	if [ ! -z "$p" ] ; then
	exec pass "$p"
	else
	exit 1
	fi
	#!/usr/bin/env python2
	"""
	ansible_vault_pass

	A small helper script for usage with ansible-vault and ansible-playbook
	together with pass.

	Written by Thomas Kerpe <[email protected]> - Public Domain

	Say you have stored the vault-password for the current ansible playbook in pass
	under the name ansible/demo/vault then either add a .pass_path file with the content
	ansible/demo/vault or add a entry in the ansible.cfg:

	[pass]
	vault=ansible/demo/vault

	Now you can call ansible-vault-pass to get the password for the vault.
	It is especially useful like this:

	ansible-playbook site.yml --vault-password-file ~/bin/ansible-vault-pass

	or

	ansible-vault edit --vault-password-file ~/bin/ansible-vault-pass example.yml

	Even more practical:

	export ANSIBLE_VAULT_PASSWORD_FILE=~/bin/ansible-vault-pass

	then it will be used by default without specifying it. It is also useful in CI environments.

	Source: https://gist.github.com/toke/ebc49b7dd08d7b87e23921029176d3f5
	"""

	import os.path
	import subprocess
	import ansible.constants
	from ConfigParser import NoOptionError, NoSectionError


	def get_vault_password():
	"""
	The magic happenz
	"""

	pass_name = ""

	if os.path.isfile(".pass_path"):
	with open(".pass_path") as f:
	pass_name = f.read()
	elif ansible.constants.CONFIG_FILE:
	try:
	pass_name = ansible.constants.p.get("pass", "vault")
	except NoOptionError:
	pass
	except NoSectionError:
	pass
	else:
	pass

	if pass_name:
	c = subprocess.call(["pass", pass_name])
	exit(c)

	if __name__ == '__main__':
	get_vault_password()