python-ansible-vault-rotate
Advanced Python CLI to rotate the secret used for ansible vault inline secrets and files in a project
Features
- Reencrypt vault files
- Reencrypt inline vaulted secrets
Installation
It is strongly recommended to use pipx instead of pip if possible:
pipx install ansible-vault-rotate
Otherwise you can also use plain pip, but be warned that this might collide with your ansible installation globally!
pip install ansible-vault-rotate
Usage
Rekey given vault secret with new secret specified on CLI
ansible-vault-rotate --old-vault-secret-source file://my-vault-password \
--new-vault-secret-source my-new-secret \
--update-source-secret
--new-vault-secret-source my-new-secret \
--update-source-secret
Rekey only specific files (e.g. when using multiple keys per stage)
ansible-vault-rotate --old-vault-secret-source file://my-vault-password-<stage> \
--new-vault-secret-source my-new-secret \
--file-glob-pattern group_vars/<stage>/*.yml \
--update-source-secret
--new-vault-secret-source my-new-secret \
--file-glob-pattern group_vars/<stage>/*.yml \
--update-source-secret
Getting help about all args
ansible-vault-rotate --help
Development
For development, you will need:
- Python 3.9 or greater
- Poetry
Install
poetry install
Run tests
poetry run pytest