How do I run Ansible Azure playbooks while avoiding storing credentials in files?

HOW TO - October 18, 2021

Background

  1. We use Ansible to provision and manage Azure infrastructure. At the moment we run Ansible "manually" i.e. we manually execute playbooks for various automated tasks. No CI infrastructure.
  2. Probably not relevant, but we manage our inventory using the dynamic script azure_rm.py.
  3. We are encouraged to be as secure as possible i.e.

    1. Don't store Vault passwords in ~/.vault_pass or in any local file
    2. Don't store Azure secrets in ~/.azure/credentials
    3. Don't store anything secure in .bashrc.

In such a scenario, I am having trouble coming up with a coherent strategy to ensure that my playbooks can access Azure secrets, while following the guidelines above.

Question

How can I avoid storing Ansible Vault and Azure credentials on files, while still ensuring my playbooks can access them?

What I've tried

So far I have come up with a wrapper script that

  1. asks the user for the Vault password;
  2. uses that to decrypt a Vaulted shell script;
  3. evaluates the script, which loads Azure environment variables into the environment;
  4. runs the playbook in the environment that has thus been set.

Any better (more elegant, less complicated, more "Ansible") solutions out there?
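The four-step wrapper described above, written out as an added example (not the asker's own script): one password prompt, the password handed to Ansible through a throwaway executable that reads it from the process environment rather than from a stored file, the decrypted env file checked to contain only single-quoted `export` lines for the expected Azure variables before it is `eval`'d, and the playbook run with the same vault password client. The variable names `AZURE_SUBSCRIPTION_ID`, `AZURE_CLIENT_ID`, `AZURE_SECRET` and `AZURE_TENANT` are the ones the Ansible Azure modules read; `WRAPPER_VAULT_PASS`, the `azure_env.sh` file name and all function names are assumptions made for this example.

```shell
#!/bin/sh
# Hypothetical wrapper (added example, not from the post). Secrets exist only
# in the vault-encrypted env file and in the process environment of this run.
set -eu

# Environment variables the Ansible Azure modules and azure_rm inventory read.
AZURE_REQUIRED_VARS="AZURE_SUBSCRIPTION_ID AZURE_CLIENT_ID AZURE_SECRET AZURE_TENANT"

# Read the decrypted env file on stdin and accept only lines of the form
#   export AZURE_<NAME>='value'
# (single-quoted, no quote inside, name on the allowlist). Anything else is
# reported and the function returns 1, so a mistyped or tampered vault file is
# never eval'd. Blank lines and comments are ignored.
validate_env_file() {
  rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    accepted=0
    for name in $AZURE_REQUIRED_VARS; do
      case "$line" in
        "export $name="*)
          value=${line#"export $name="}
          inner=${value#"'"}; inner=${inner%"'"}
          case "$value" in
            "'"*"'") case "$inner" in *"'"*) ;; *) accepted=1 ;; esac ;;
          esac ;;
      esac
    done
    if [ "$accepted" -eq 0 ]; then
      printf 'refusing line: %s\n' "$line" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Fail before ansible-playbook starts if any required credential is missing.
check_azure_env() {
  missing=""
  for name in $AZURE_REQUIRED_VARS; do
    eval "val=\${$name:-}"
    [ -n "$val" ] || missing="$missing $name"
  done
  [ -z "$missing" ] || {
    printf 'missing Azure credentials in environment:%s\n' "$missing" >&2
    return 1
  }
}

# Write a tiny executable that prints WRAPPER_VAULT_PASS from its environment.
# Ansible runs an executable --vault-password-file and uses its stdout as the
# password, so the password itself never lands on disk. Prints the path.
make_vault_client() {
  dir=$(mktemp -d)
  printf '#!/bin/sh\nprintf "%%s" "$WRAPPER_VAULT_PASS"\n' > "$dir/vault-pass"
  chmod 700 "$dir/vault-pass"
  printf '%s\n' "$dir/vault-pass"
}

# usage: ./run-azure-playbook.sh azure_env.sh site.yml [extra ansible-playbook args]
main() {
  vault_file=$1; playbook=$2; shift 2
  printf 'Vault password: ' >&2
  stty -echo; read -r WRAPPER_VAULT_PASS; stty echo; printf '\n' >&2
  export WRAPPER_VAULT_PASS
  client=$(make_vault_client)
  trap 'rm -rf "$(dirname "$client")"' EXIT

  # Step 2: decrypt the vaulted env file (view writes plainly when stdout is not a tty).
  env_text=$(ansible-vault view --vault-password-file "$client" "$vault_file")
  # Step 3: refuse anything but plain exports, then load the credentials.
  printf '%s\n' "$env_text" | validate_env_file
  eval "$env_text"
  check_azure_env
  # Step 4: same password client serves any vaulted vars inside the playbook.
  ansible-playbook --vault-password-file "$client" "$playbook" "$@"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

To create the encrypted env file once, write the four `export AZURE_...='...'` lines to `azure_env.sh`, run `ansible-vault encrypt azure_env.sh`, and shred the plaintext. Two caveats worth knowing with this pattern: the credentials and the vault password are visible to every child process of the run and, on Linux, in `/proc/<pid>/environ` to the same user, and the wrapper must not `exec` the final command if the temporary client directory is to be cleaned up by the trap.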

Answer

Comment (Konstantin Suvorov): What bothers you most in this workflow?

Reply (asker): @KonstantinSuvorov mainly it's the number of hoops I need to jump through to achieve what seems (to me at least) a fairly common requirement in compliance-heavy enterprises.
