How to define a script that provides the become password in ansible

Question

I have successfully set up a vault_password_file that contains a script to read the password from Bitwarden.

I want to do the same for the "become password" but don't see where and how that would be possible.

The ansible.cfg is:

[defaults]
inventory=./inventory.yml
vault_password_file=./ansible-vault-pass.sh

[privilege_escalation]
become=True

Ansible-vault-pass is the following, though the details don't matter, this works:

#!/bin/bash

_BW_ENTRY_ID="my-ansible-vault-pass"
_bw_session="$(bw unlock --raw)"
echo "$(bw get password ${_BW_ENTRY_ID} --session ${_bw_session} --raw)"

I have a similar script to look up and return the become password, but cannot find how to hook that into the config to be used instead of prompting the user.

I am aware of setting this in group_vars/all/clear.yml, e.g. as follows:

ansible_become_password: "{{ vault_enabled_ansible_become_password }}"

And then storing the password in the vault. Problem with that approach is that the vault is shared amongst sysadmins that can run ansible on the server fleet. But I don't want any such syadmin to be able to read the sudo password of their colleagues. Hence the approach with Bitwarden/script.

Answer 1

The problem with these kinds of questions is that there are several answers, and the "right" one depends on your workflow and tolerance for customization. That said, here are a few I know of:

• Using a dynamic inventory script to populate the ansible_become_pass var based on whatever logic you wish
• Copy a bitwarden lookup plugin into lookup_plugins and then set ansible_become_pass: '{{ lookup("bitwarden", "whatever", field="password") }}'
• Copy the become plugin into become_plugins and modify it to return the pass from get_option("become_pass") using a mechanism of your choice
• Using a custom ansible-playbook-with-bitwarden shell script that will populate $ANSIBLE_BECOME_PASS before launching ansible-playbook