I previously wrote about properly securing your local Ansible vault with strong encryption, but what if you have to work with several teams, each with a different vault, and not only that… you also have your own vault?

I needed a way to conveniently switch the vault I'm using at any moment. Ansible simply executes the file named in ANSIBLE_VAULT_PASSWORD_FILE (when it is executable) and reads the password from its standard output, and there is no way to pass it flags, so this script manages the selection for you.

Check the code here: ansible-vault-selector

This is what it does in a nutshell:

  1. keep several OpenPGP encrypted vault passwords in a vaults directory
  2. set any one of them to be the one you need to work with (the default)
  3. call vault.sh (place it in ~/bin, for instance, and make it executable) without any arguments and get the selected vault password on stdout

So how do you use it?

In ~/.ansible/vaults/ place one file per vault:

  • PGP encrypted files
  • or clear text files (this is very INSECURE, please do not use for important stuff; if you really must, at least chmod 600 the file so it is not group- or world-readable)

A useful trick is that these files can be symbolic links to other files, so you can think of the entries as “labels”:

rui@ansible-control-node:~$ ls -laF ~/.ansible/vaults/
total 8
drwxrwxr-x. 2 rui rui  166 Sep 24 15:47 ./
drwx------. 8 rui rui  156 Sep 24 13:21 ../
lrwxrwxrwx. 1 rui rui   74 Sep 24 14:16 aap-devel -> /home/rui/git/aap/aap-controller-configuration/vault/vault-aap-devel.asc
lrwxrwxrwx. 1 rui rui   74 Sep 24 14:20 aap-prod -> /home/rui/git/aap/aap-controller-configuration/vault/vault-aap-prod.asc
lrwxrwxrwx. 1 rui rui   67 Sep 24 15:43 aap-prod-team1 -> /home/rui/git/aap/orgs/team1/vault/vault-aap-prod.asc
lrwxrwxrwx. 1 rui rui   67 Sep 24 15:43 aap-devel-team1 -> /home/rui/git/aap/orgs/team1/vault/vault-aap-devel.asc
lrwxrwxrwx. 1 rui rui   44 Sep 24 12:08 automation -> /etc/ansible/vaults/team-automation.asc
lrwxrwxrwx. 1 rui rui   43 Sep 24 15:47 default -> /home/rui/.ansible/vaults/personal
-rw-rw-r--. 1 rui rui 1016 Sep 24 11:59 personal    <- DEFAULT IS POINTING TO THIS FILE
lrwxrwxrwx. 1 rui rui   47 Sep 24 12:17 sysadm -> /etc/ansible/vaults/team-sysadm.asc
-rw-rw-r--. 1 rui rui    4 Sep 24 12:47 insecure
rui@ansible-control-node:~$

As you can see from the ls above, the default vault is currently my personal vault; vault.sh -l gives you a somewhat prettier listing of the same thing.

When I need to work with files protected with Team1’s vault, I can just change the default.

As I have set ANSIBLE_VAULT_PASSWORD_FILE=~/bin/vault.sh, I can just do…

rui@ansible-control-node:~$ $ANSIBLE_VAULT_PASSWORD_FILE -s aap-prod-team1
Changing default vault from 'personal' to 'aap-prod-team1'
rui@ansible-control-node:~$ ls -laF ~/.ansible/vaults/
total 8
drwxrwxr-x. 2 rui rui  166 Sep 24 15:47 ./
drwx------. 8 rui rui  156 Sep 24 13:21 ../
lrwxrwxrwx. 1 rui rui   74 Sep 24 14:16 aap-devel -> /home/rui/git/aap/aap-controller-configuration/vault/vault-aap-devel.asc
lrwxrwxrwx. 1 rui rui   74 Sep 24 14:20 aap-prod -> /home/rui/git/aap/aap-controller-configuration/vault/vault-aap-prod.asc
lrwxrwxrwx. 1 rui rui   67 Sep 24 15:43 aap-prod-team1 -> /home/rui/git/aap/orgs/team1/vault/vault-aap-prod.asc <- AND NOW POINTS TO THIS SYMLINK
lrwxrwxrwx. 1 rui rui   67 Sep 24 15:43 aap-devel-team1 -> /home/rui/git/aap/orgs/team1/vault/vault-aap-devel.asc
lrwxrwxrwx. 1 rui rui   44 Sep 24 12:08 automation -> /etc/ansible/vaults/team-automation.asc
lrwxrwxrwx. 1 rui rui   43 Sep 24 15:47 default -> /home/rui/.ansible/vaults/aap-prod-team1
-rw-rw-r--. 1 rui rui 1016 Sep 24 11:59 personal
lrwxrwxrwx. 1 rui rui   47 Sep 24 12:17 sysadm -> /etc/ansible/vaults/team-sysadm.asc
-rw-rw-r--. 1 rui rui    4 Sep 24 12:47 insecure
rui@ansible-control-node:~$

At any time you can switch back to another vault, or print the password of a named vault with -v (of the passwords printed below, only the one for insecure is real):

rui@ansible-control-node:~$ $ANSIBLE_VAULT_PASSWORD_FILE -s personal
Changing default vault from 'aap-prod-team1' to 'personal'
rui@ansible-control-node:~$ $ANSIBLE_VAULT_PASSWORD_FILE
yecOapOshitukshiacedagetyaitonJuggormUlregMocBupzyFlogDiUbBewabNiJim!twamitMowWajKupCowjovGettocmyHewyoccyldEwmetsodyangOak1queg
rui@ansible-control-node:~$ $ANSIBLE_VAULT_PASSWORD_FILE -v insecure
ola
rui@ansible-control-node:~$
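To make the mechanism concrete, here is a minimal POSIX sh sketch of the same pattern, written for this page as an added example; it is not the author's vault.sh and its function names, the VAULT_DIR override and the -l/-s/-v handling are assumptions. A vault is a file or symlink in the vaults directory, "default" is a symlink naming the active one, PGP-armored files are decrypted with gpg, and anything else is treated as clear text. Messages go to stderr so that stdout only ever carries a password, which matters because that is all Ansible reads.

```shell
#!/bin/sh
# Hypothetical minimal vault selector (added example, not the page's vault.sh).
# Assumed layout: $VAULT_DIR holds one file or symlink per vault plus a symlink
# named "default" pointing at the active one.
VAULT_DIR="${VAULT_DIR:-$HOME/.ansible/vaults}"

# Name of the vault the "default" symlink points at; fails if absent or not a symlink.
vault_current() {
    [ -L "$VAULT_DIR/default" ] || return 1
    target=$(readlink "$VAULT_DIR/default") || return 1
    basename "$target"
}

# Labels are plain names, never paths: reject anything that could escape the
# directory or clobber the "default" pointer itself.
vault_check_name() {
    case "$1" in
        ""|default|.|..|*/*) echo "invalid vault name: '$1'" >&2; return 1 ;;
    esac
    [ -f "$VAULT_DIR/$1" ] || { echo "no such vault: $1" >&2; return 1; }
}

# List vaults, marking the active one with '*' (the prettier "-l" view).
vault_list() {
    active=$(vault_current) || active=""
    for f in "$VAULT_DIR"/*; do
        name=$(basename "$f")
        [ "$name" = default ] && continue
        if [ "$name" = "$active" ]; then printf '* %s\n' "$name"; else printf '  %s\n' "$name"; fi
    done
}

# Re-point "default" at another vault ("-s NAME").
vault_set() {
    vault_check_name "$1" || return 1
    old=$(vault_current) || old="(none)"
    ln -sfn "$VAULT_DIR/$1" "$VAULT_DIR/default"
    echo "Changing default vault from '$old' to '$1'" >&2
}

# Emit the password of NAME, or of the default when no name is given.
# Only the password reaches stdout; a dangling "default" symlink is an error.
vault_get() {
    name="${1:-default}"
    file="$VAULT_DIR/$name"
    [ -r "$file" ] || { echo "vault '$name' not found or not readable" >&2; return 1; }
    if head -n 1 "$file" | grep -q '^-----BEGIN PGP MESSAGE-----'; then
        gpg --quiet --batch --decrypt "$file"   # armored OpenPGP file
    else
        cat "$file"                             # clear text (insecure)
    fi
}

# Argument handling: no args -> default password (what Ansible calls).
vault_main() {
    case "${1:-}" in
        "") vault_get ;;
        -l) vault_list ;;
        -s) vault_set "$2" ;;
        -v) vault_get "$2" ;;
        *)  echo "usage: $0 [-l | -s NAME | -v NAME]" >&2; return 2 ;;
    esac
}

# Dispatch only when run as vault.sh, so the functions can also be sourced.
case "${0##*/}" in vault.sh) vault_main "$@" ;; esac
```

Install it as ~/bin/vault.sh, chmod 700 it, point ANSIBLE_VAULT_PASSWORD_FILE at it, and keep ~/.ansible/vaults itself at mode 700: the symlink targets are the only things that should ever know the passwords, and a stray echo to stdout in the script would be handed to Ansible as the vault password.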

I hope it’s as useful, or more, to you as it is to me.

Enjoy!