vaultenv

Ansible vault environment variable exporting.

CLI interface to export Ansible vault values as environment variables.

Setup

Use vaultenv with a virtualenv (e.g. using virtualenv-wrapper):

mkvirtualenv vaultenv

For normal usage, install from PyPi:

pip install vaultenv

For development, install test requirements and local source:

pip install nose PyHamcrest
pip install -e .

Then, run the vaultenv CLI:

vaultenv --help

Usage

At its simplest, vaultenv takes the path to an Ansible vault file and prompts for the vault password:

# Run vaultenv using the test vault (which uses the password "secret")
vaultenv ./vaultenv/tests/vault.yml

As with other Ansible vault operations, vaultenv also accepts a password file:

echo "secret" > /tmp/vault-pass.txt
vaultenv --vault-password-file /tmp/vault-pass.txt ./vaultenv/tests/vault.yml

In the likely event that the vault contains more variables than necessary, use a regex matcher:

vaultenv --matcher "^b" --vault-password-file /tmp/vault-pass.txt ./vaultenv/tests/vault.yml

To control the output format, use a Jinaj2 template string:

vaultenv --template-string "{{ key | lower }}" --matcher "^b" --vault-password-file /tmp/vault-pass.txt ./vaultenv/tests/vault.yml

Some format styles are built-in:

vaultenv --terraform --matcher "^b" --vault-password-file /tmp/vault-pass.txt ./vaultenv/tests/vault.yml

Settings

Default values for commonly used options can be written to ~/.vaultenv using config format:

[production]
vault_file = /path/to/vault
vault_password_file = /path/to/vault_password_file
template_string = TF_VAR_{{ key }}
matcher = ^log

Then, simply use the section name as the vault file path:

vaultenv production

In this form, it will likely be useful to eval the outcome:

eval "$(vaultenv production)"