Securely retrieve secrets from Bitwarden Secrets Manager and use them in your Ansible playbooks.
The Bitwarden Secrets Manager Collection requires the bitwarden-sdk
package. You can install it by
running the following command:
pip install bitwarden-sdk
You can install the Bitwarden Secrets Manager Collection by running:
ansible-galaxy collection install bitwarden.secrets
Before running your playbook, you need to set the BWS_ACCESS_TOKEN
environment variable:
# the line below will prevent lines with leading spaces from being saved to bash history
export HISTCONTROL=ignorespace
# the space in the line below keeps your access token out of bash history
export BWS_ACCESS_TOKEN=<your_access_token>
Alternatively, you may supply the access token as a parameter to the bitwarden.secrets.lookup
plugin:
- name: A simple example
hosts: localhost
vars_prompt:
- name: "your_access_token"
prompt: "Enter your Bitwarden access token"
private: yes
vars:
some_secret: "{{ lookup('bitwarden.secrets.lookup', '<your_secret_id>', access_token=your_access_token) }}"
[!Note]\ We are using a
vars_prompt
to avoid storing the access token in the playbook. While there are many ways to pass the access token to the lookup plugin, we recommend against storing it in the playbook itself.
For more information on how to use the Bitwarden Secrets Manager Collection, see the documentation.
Once you've updated your playbook to use the Bitwarden Secrets Manager lookup plugin, you can run it
with the ansible-playbook
command:
ansible-playbook <path_to_your_playbook.yml>
If your Ansible controller is running macOS, you may need to set the following environment variable to avoid an error related to fork safety:
export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
See running on macos as a control node and this GitHub issue for more details.