@ -1,8 +1,9 @@
#!/usr/bin/env python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# -*- coding: utf-8 -*-
# (c) 2014, Matt Martz <matt@sivel.net>
# (c) 2014, Matt Martz <matt@sivel.net>
# (c) 2016, Justin Mayer <https://justinmayer.com/>
#
#
# This file is part of Ansible
# This file is part of Ansible .
#
#
# Ansible is free software: you can redistribute it and/or modify
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# it under the terms of the GNU General Public License as published by
@ -17,30 +18,42 @@
# You should have received a copy of the GNU General Public License
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
#
#
# =============================================================================
#
#
# Script to be used with vault_password_file or --vault-password-file
# This script is to be used with vault_password_file or --vault-password-file
# to retrieve the vault password via your OS es native keyring application
# to retrieve the vault password via your OS 's native keyring application.
#
#
# This script requires the ``keyring`` python module
# This file *MUST* be saved with executable permissions. Otherwise, Ansible
# will try to parse as a password file and display: "ERROR! Decryption failed"
#
#
# Add a [vault] section to your ansible.cfg file,
# The `keyring` Python module is required: https://pypi.python.org/pypi/keyring
# the only option is 'username'. Example:
#
# By default, this script will store the specified password in the keyring of
# the user that invokes the script. To specify a user keyring, add a [vault]
# section to your ansible.cfg file with a 'username' option. Example:
#
# [vault]
# username = 'ansible-vault'
#
# Another optional setting is for the key name, which allows you to use this
# script to handle multiple project vaults with different passwords:
#
#
# [vault]
# [vault]
# username = 'ansible_vault'
# keyname = 'ansible-vault-yourprojec t'
#
#
# Additionally, it would be a good idea to configure vault_password_file in
# You can configure the `vault_password_file` option in ansible.cfg:
# ansible.cfg
#
#
# [defaults]
# [defaults]
# ...
# ...
# vault_password_file = /path/to/vault-keyring.py
# vault_password_file = /path/to/vault-keyring.py
# ...
# ...
#
#
# To set your password: python /path/to/vault-keyring.py set
# To set your password, `cd` to your project directory and run:
#
# python /path/to/vault-keyring.py set
#
#
# If you choose to not configure the path to vault_password_file in ansible.cfg
# If you choose not to configure the path to ` vault_password_file` in
# your ansible-playbook command may look like:
# ansible.cfg, your `ansible-playbook` command might look like:
#
#
# ansible-playbook --vault-password-file=/path/to/vault-keyring.py site.yml
# ansible-playbook --vault-password-file=/path/to/vault-keyring.py site.yml
@ -51,29 +64,35 @@ ANSIBLE_METADATA = {'status': ['preview'],
import sys
import sys
import getpass
import getpass
import keyring
import keyring
import ConfigParser
import ansible . constants as C
import ansible . constants as C
def main ( ) :
def main ( ) :
( parser , config_path ) = C . load_config_file ( )
( parser , config_path ) = C . load_config_file ( )
try :
if parser . has_option ( ' vault ' , ' username ' ) :
username = parser . get ( ' vault ' , ' username ' )
username = parser . get ( ' vault ' , ' username ' )
except ConfigParser . NoSectionError :
else :
sys . stderr . write ( ' No [vault] section configured in config file: %s \n ' % config_path )
username = getpass . getuser ( )
sys . exit ( 1 )
if parser . has_option ( ' vault ' , ' keyname ' ) :
keyname = parser . get ( ' vault ' , ' keyname ' )
else :
keyname = ' ansible '
if len ( sys . argv ) == 2 and sys . argv [ 1 ] == ' set ' :
if len ( sys . argv ) == 2 and sys . argv [ 1 ] == ' set ' :
intro = ' Storing password in " {} " user keyring using key name: {} \n '
sys . stdout . write ( intro . format ( username , keyname ) )
password = getpass . getpass ( )
password = getpass . getpass ( )
confirm = getpass . getpass ( ' Confirm password: ' )
confirm = getpass . getpass ( ' Confirm password: ' )
if password == confirm :
if password == confirm :
keyring . set_password ( ' ansible ' , username , password )
keyring . set_password ( keyname , username , password )
else :
else :
sys . stderr . write ( ' Passwords do not match \n ' )
sys . stderr . write ( ' Passwords do not match \n ' )
sys . exit ( 1 )
sys . exit ( 1 )
else :
else :
sys . stdout . write ( ' %s \n ' % keyring . get_password ( ' ansible ' , username ) )
sys . stdout . write ( ' {} \n ' . format ( keyring . get_password ( keyname ,
username ) ) )
sys . exit ( 0 )
sys . exit ( 0 )