python-ansible-vault-rotate

Advanced Python CLI to rotate the secret used for ansible vault inline secrets and files in a project

Features

• Reencrypt vault files
• Reencrypt inline vaulted secrets

Installation

It is strongly recommended to use pipx instead of pip if possible:

pipx install ansible-vault-rotate

Otherwise you can also use plain pip, but be warned that this might collide with your ansible installation globally!

pip install ansible-vault-rotate

Usage

Rekey given vault secret with new secret specified on CLI

ansible-vault-rotate --old-vault-secret-source file://my-vault-password \
                     --new-vault-secret-source my-new-secret \
                     --update-source-secret

Rekey only specific files (e.g. when using multiple keys per stage)

ansible-vault-rotate --old-vault-secret-source file://my-vault-password-<stage> \
                     --new-vault-secret-source my-new-secret \
                     --file-glob-pattern group_vars/<stage>/*.yml \
                     --update-source-secret

Getting help about all args

ansible-vault-rotate --help

Development

For development, you will need:

• Python 3.9 or greater
• Poetry

Install

poetry install

Run tests

poetry run pytest