ansible-vault-keyring


Name: ansible-vault-keyring
Version: 0.2.0
Home page: None
Summary: Allows ansible-vault to use the system keyring for storing vault passwords
Upload time: 2024-11-26 01:53:54
Maintainer: None
Docs URL: None
Author: Justin Mayer
Requires Python: >=3.12
License: None
Requirements: No requirements were recorded.
Travis-CI: No Travis.
Coveralls test coverage: No coveralls.

# ansible-vault-keyring

A simple tool to get and set passwords for ansible vaults using the system keyring.

## Installation

Install ansible-vault-keyring using your favorite package manager / method.

For me, using [uv](https://github.com/astral-sh/uv/), I use:

```bash
uv tool install ansible-vault-keyring
```

## Usage

### Setting a password

```bash
$ ansible-vault-keyring --vault-id my_vault_id --set
Enter password   : foo 
Confirm password : foo
```

### Getting a password

```bash
$ ansible-vault-keyring --vault-id my_vault_id
foo
```

## Recommended usage

If, for example, you want to use the `ansible-vault-keyring` tool to get two passwords from your keyring,
one for a `global` vault-id and one for a `personal` vault-id, you can add this to your `ansible.cfg` file.

```ini
[defaults]
vault_identity_list = global@/path/to/ansible-vault-keyring, personal@/path/to/ansible-vault-keyring
```

If, like me, you install with [uv](https://github.com/astral-sh/uv/), you will find the binary in whatever [bin directory](https://docs.astral.sh/uv/concepts/tools/#the-bin-directory) it uses, and you should refer to that uv documentation to find the path to the standalone executable. For me this is `~/.local/bin/ansible-vault-keyring`, and I have `~/.local/bin` in my `PATH` environment variable.

Now when a password is needed by ansible, it will invoke the `ansible-vault-keyring` tool to get the password from the keyring.

### How Ansible finds config files

Ansible will load settings from the first [ansible.cfg](https://docs.ansible.com/ansible/latest/reference_appendices/config.html) file it finds from:

1. The file in the `ANSIBLE_CONFIG` environment variable.
2. The `ansible.cfg` file in the current working directory.
3. The `~/.ansible.cfg` file (in the user's home directory).
4. The `/etc/ansible/ansible.cfg` file (in the system ansible config directory).
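
An added example (not part of ansible-vault-keyring or Ansible): a Python check that follows the search order listed above to find the active `ansible.cfg`, then inspects every `vault_identity_list` entry so you can see which helper will be handed your vault password request. The function names and the permission rules it applies are assumptions of this example.

```python
import configparser
import os
import stat
from pathlib import Path


def active_ansible_cfg(env=None, cwd=None, home=None, system="/etc/ansible/ansible.cfg"):
    """Return the first existing file in the search order listed above."""
    env = os.environ if env is None else env
    candidates = []
    if env.get("ANSIBLE_CONFIG"):
        candidates.append(Path(env["ANSIBLE_CONFIG"]))
    candidates += [
        Path(cwd or os.getcwd()) / "ansible.cfg",
        Path(home or Path.home()) / ".ansible.cfg",
        Path(system),
    ]
    return next((p for p in candidates if p.is_file()), None)


def audit_vault_identities(cfg_path):
    """Return (vault_id, path, problems) per vault_identity_list entry."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(cfg_path)
    raw = parser.get("defaults", "vault_identity_list", fallback="")
    results = []
    for entry in filter(None, (e.strip() for e in raw.split(","))):
        vault_id, sep, source = entry.partition("@")
        if not sep:  # no "id@" prefix: the whole entry is the source
            vault_id, source = None, entry
        path = Path(source).expanduser()
        problems = []
        if not path.is_file():
            problems.append("missing")
        else:
            mode = path.stat().st_mode
            # Example's own rules: the helper must be executable by its
            # owner and must not be replaceable by other local users.
            if not mode & stat.S_IXUSR:
                problems.append("not executable")
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                problems.append("writable by group/other")
        results.append((vault_id, str(path), problems))
    return results


if __name__ == "__main__":
    cfg = active_ansible_cfg()
    print(cfg, audit_vault_identities(cfg) if cfg else [])
```

Run it from the directory you normally launch Ansible from, since an `ansible.cfg` in the current working directory outranks the one in your home directory.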

## Security Considerations

The password is stored in the system keyring, for example [gnome-keyring](https://wiki.gnome.org/Projects/GnomeKeyring) or [OSX-Keychain](https://support.apple.com/en-gb/guide/keychain-access/welcome/mac). The tool does this using the [keyring](https://pypi.org/project/keyring/) Python package.

This means that the password is stored in plain text in the system keyring, and can be read by anyone with access to the system keyring, but this is true for all passwords stored in a system keyring.

Additionally, the password is passed through the python process running the `ansible-vault-keyring` tool.

However, in reality this is likely to be at least as secure as copying and pasting the passwords from a password manager,
and will certainly be better than reusing a password, or writing it on a Post-it note stuck to your monitor.

## Credits

This tool was heavily inspired by [vault-keyring-client.py](https://github.com/ansible-community/contrib-scripts/blob/main/vault/vault-keyring-client.py) from ansible-community's contrib scripts.

It is either a rewrite or a fork depending on your take, and thus I consider it a derivative work. See the [LICENSE](LICENSE) file for details of the original authors of [vault-keyring-client.py](https://github.com/ansible-community/contrib-scripts/blob/main/vault/vault-keyring-client.py).

            
