Integrating Ansible Vault With Bitwarden

Ansible loves Bitwarden

The Journey to Better Secret Management

This is a long overdue article. Like many in the infrastructure world, I’m a huge fan of Ansible. Once properly configured, it transforms infrastructure management from a daunting task into a “sit back and watch” process (slight exaggeration there).

I regularly push my roles and playbooks to source control. This is where ansible-vault comes in - it’s an essential tool for keeping sensitive data secure within your Ansible roles and plays.

However, ansible-vault used to annoy me: it either constantly prompts for passwords, or requires storing vault passwords in plaintext files on the filesystem. The latter option never sat well with me - keeping passwords in plaintext, even if access-restricted, feels like playing with fire.

Last year, I came across an interesting discovery: Ansible’s --vault-password-file parameter isn’t limited to static files - it can execute scripts!

Enter Bitwarden

Bitwarden has become my go-to password manager these days. It’s open-source, has a strong reputation, and comes with excellent CLI tooling. Surprisingly, despite both tools being popular in the DevOps community, there wasn’t any officially endorsed or community-driven integration between Bitwarden and Ansible Vault.

So, I decided to write one!

The Solution: ansible-vault-bw

I created a simple bash script that serves as a bridge. It leverages Bitwarden CLI to securely retrieve vault passwords and feed them to ansible-vault, eliminating both the constant password prompts and the need for plaintext password files.

Here’s a quick demo [embedded recording: ansible-vault-bw in action].

Here’s how it works:

  1. You unlock your Bitwarden vault and export the resulting session token in the environment variable $BW_SESSION
  2. The script uses the bw command, authenticated with that session token, to fetch your Ansible Vault password from a Bitwarden login entry
  3. ansible-vault reads the password from the script’s standard output, exactly as it would read a static password file
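As an added illustration of that flow (this is example code written for this article, not the script from the repository linked below), here is a minimal vault-id client in POSIX sh: Ansible runs any executable whose name ends in `-client` with `--vault-id <id>`, so one script can serve several vault passwords from different Bitwarden entries. The file name `ansible-vault-bw-client.sh`, the `BW_BIN` override and the `ansible-vault/<id>` item-naming convention are assumptions of this example.

```shell
#!/usr/bin/env sh
# Hypothetical ansible-vault client backed by the Bitwarden CLI (example code).
# Ansible invokes it as:  ansible-vault-bw-client.sh --vault-id <id>
# Assumed convention: one Bitwarden login item per vault id, named
# "${BW_ITEM_PREFIX}<id>", for example "ansible-vault/prod".
set -eu

BW_BIN="${BW_BIN:-bw}"                              # overridable for offline tests
BW_ITEM_PREFIX="${BW_ITEM_PREFIX:-ansible-vault/}"

# Map the --vault-id argument Ansible passes to a Bitwarden item name.
# Plain --vault-password-file use passes no id, so fall back to "default".
vault_item_name() {
    id="default"
    while [ $# -gt 0 ]; do
        case "$1" in
            --vault-id)
                [ $# -ge 2 ] || { echo "--vault-id needs a value" >&2; return 2; }
                id="$2"; shift 2 ;;
            --vault-id=*) id="${1#--vault-id=}"; shift ;;
            *) echo "unknown argument: $1" >&2; return 2 ;;
        esac
    done
    # Only accept a conservative character set; the id becomes a bw argument.
    case "$id" in
        *[!A-Za-z0-9_.-]*) echo "refusing vault id: $id" >&2; return 2 ;;
    esac
    printf '%s%s\n' "$BW_ITEM_PREFIX" "$id"
}

# Require an already-unlocked session: ansible-vault owns stdout at this point,
# so letting bw prompt for the master password would hang the run.
require_unlocked() {
    [ -n "${BW_SESSION:-}" ] || { echo "BW_SESSION not set; run: export BW_SESSION=\$(bw unlock --raw)" >&2; return 1; }
    status="$("$BW_BIN" status | sed -n 's/.*"status": *"\([a-z]*\)".*/\1/p')"
    [ "$status" = "unlocked" ] || { echo "Bitwarden vault is ${status:-unknown}, not unlocked" >&2; return 1; }
}

# Print the item's password field. bw exits non-zero when the item is missing
# or ambiguous, and set -e hands that failure back to ansible-vault.
fetch_password() {
    item="$(vault_item_name "$@")"
    require_unlocked
    "$BW_BIN" get password "$item"
}

# Act as the client only when executed under the expected file name, so the
# functions can be sourced by tests without touching a real vault.
case "${0##*/}" in
    ansible-vault-bw-client.sh) fetch_password "$@" ;;
esac
```

With the script marked executable, a play can then be run as `ansible-playbook --vault-id prod@/path/to/ansible-vault-bw-client.sh site.yml`, and a second `--vault-id staging@...` resolves to a different Bitwarden entry.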

Key Benefits

  • No More Password Prompts: Once your Bitwarden vault is unlocked, operations flow smoothly
  • Enhanced Security: Passwords stay secure within Bitwarden’s encrypted storage
  • Improved Developer Experience: Edit encrypted files directly in VS Code without manual decryption
  • Flexibility: Support for multiple vault passwords through different Bitwarden entries

Getting Started

The setup is straightforward. I won’t get into more details here, as the steps and code are documented at length in the script’s repo: https://github.com/guiand888/ansible-vault-bitwarden

Contributions welcome

The code is available on GitHub. Feel free to try it out, contribute, or adapt it to your needs!

I’ve been using this solution to replace vault password files for over a year now. I am sure it could be improved, and there’s still one item I’d like to add: shell completion. If you’ve got ideas on how to do that, feel free to send a message or a PR!