
Ansible Vault Encryption Password from Environment Variable

Problem

How can an environment variable (EnvVar), e.g. ANSIBLE_VAULT_PASSWORD, be used to provide the encryption password for Ansible Vault?

Solution

Create a shell script, e.g. vault.sh:

vault.sh
#!/bin/sh
# Print the password verbatim; quoting keeps spaces and special characters intact.
printf '%s\n' "$ANSIBLE_VAULT_PASSWORD"

and make it executable:

chmod +x vault.sh

then configure Ansible to look for the encryption password in this file, either with another EnvVar:

export ANSIBLE_VAULT_PASSWORD_FILE=vault.sh

or in ansible.cfg:

ansible.cfg
[defaults]
vault_password_file=vault.sh

Next, set the encryption password with the EnvVar $ANSIBLE_VAULT_PASSWORD:

export ANSIBLE_VAULT_PASSWORD=Just_An_Example!

Explanation

Ansible executes the file named by $ANSIBLE_VAULT_PASSWORD_FILE if it is executable and uses the script's standard output as the vault password. This leaves room for all kinds of creative ways of obtaining the encryption password for Ansible Vault.
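
A fail-closed variant of vault.sh, as an added example that is not part of the original page: it exits non-zero with a message on stderr when $ANSIBLE_VAULT_PASSWORD is unset, empty, or contains a line break, and Ansible aborts when the password script returns a non-zero status. The function name vault_password_from_env and the exit codes 1 and 2 are choices of this example.

```shell
#!/bin/sh
# Added example: hardened variant of vault.sh (not from the original page).
# Fails closed so a missing variable stops the run with a clear message.

# vault_password_from_env: hypothetical helper name chosen for this example.
# Writes the password to stdout and returns 0, or explains the problem on
# stderr and returns non-zero without writing anything to stdout.
vault_password_from_env() {
    # ${VAR-} avoids an "unbound variable" abort if the caller uses `set -u`.
    pw=${ANSIBLE_VAULT_PASSWORD-}

    if [ -z "$pw" ]; then
        echo "vault.sh: ANSIBLE_VAULT_PASSWORD is unset or empty" >&2
        return 1
    fi

    # Reject embedded line breaks: a value pasted with a stray newline would
    # otherwise yield a password different from the intended one.
    case $pw in
        *"
"*)
            echo "vault.sh: ANSIBLE_VAULT_PASSWORD contains a line break" >&2
            return 2
            ;;
    esac

    # printf '%s' prints the value verbatim; echo may interpret backslashes
    # or treat a leading -n as an option.
    printf '%s\n' "$pw"
}

# Act as the password script only when this file is installed as vault.sh.
case ${0##*/} in
    vault.sh) vault_password_from_env ;;
esac
```

The messages go to stderr only, so the password itself never appears in an error message.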