Bitwarden offers an integration with Ansible to retrieve secrets from Secrets Manager and inject them into your Ansible playbook. The lookup plugin injects retrieved secrets as masked environment variables inside an Ansible playbook. To set up the collection:
We recommend installing Python packages in a Python virtual environment.
A current version of Ansible installed on your system.
Bitwarden Secrets Manager with an active service account.
Prior to setting up the Ansible collection, we recommend that you also open Secrets Manager to access your access token and any secrets you wish to include in the setup.
The following guide is a setup example for the Bitwarden collection using a Linux machine.
Install the Bitwarden SDK:
Install the bitwarden.secrets collection:
Now that the Ansible collection has been installed, we can begin calling Bitwarden secrets from an Ansible playbook with bitwarden.secrets.lookup. The following sections include examples that demonstrate this process.
macOS users may need to set the following environment variable in their shell in order to avoid an upstream Ansible issue.
To fetch secrets from Secrets Manager in your playbook, there are two methods:
Using the Secrets Manager, we can securely set our access token as an environment variable in the shell and use the playbook to retrieve the secret. To authenticate the access token:
In the shell, run the following command to set your access token environment variable:
Now that the environment variable has been set, we can use the lookup plugin to populate variables in our playbook. For example:
With BWS_ACCESS_TOKEN set as an environment variable, the access token can be referenced without including the raw access token value in the playbook.
The Secrets Manager access token can also be referenced within the playbook itself. This method does not require the BWS_ACCESS_TOKEN environment variable in your shell; however, the access token value will be stored in the playbook itself.
Access tokens may be included in the playbook as in the following example:
Using this method, multiple access tokens may be referenced in a single playbook.
Bitwarden self-hosted users can retrieve secrets from their Bitwarden server by including the
The following is an example of a playbook file with several configuration options.
In the example above, CUSTOM_ACCESS_TOKEN_VAR demonstrates that you may include multiple, different access tokens. These do not have to be hard-coded and can be supplied securely to your playbook.
In addition to the secret_id, several fields can be included in the bitwarden.secrets.lookup. The following JSON object includes all of the fields that can be referenced in the playbook lookup:
To retrieve additional fields such as "note", the following command can be added to the playbook:
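As an added example that is not code from the Bitwarden documentation, the following playbook brings together the two access-token methods, the self-hosted option and field selection described above in one file; the secret IDs, the hostname and the plugin option names access_token, base_url and field are assumptions about the plugin's interface, so check them against your installed collection's documentation.

```yaml
# Added example playbook, not taken from the Bitwarden documentation page.
# Assumptions: plugin option names access_token, base_url and field; placeholder
# secret UUIDs and hostname. Run with the tokens exported in the shell:
#   export BWS_ACCESS_TOKEN="<your-access-token>"
#   export CUSTOM_ACCESS_TOKEN_VAR="<second-access-token>"
#   ansible-playbook secrets_demo.yml
- name: Retrieve Secrets Manager secrets with bitwarden.secrets.lookup
  hosts: localhost
  gather_facts: false
  vars:
    # Placeholder secret IDs; replace with IDs from your Secrets Manager project.
    db_password_secret_id: "00000000-0000-0000-0000-000000000001"
    api_key_secret_id: "00000000-0000-0000-0000-000000000002"

    # Method 1: no token in the playbook; the plugin reads BWS_ACCESS_TOKEN.
    db_password: "{{ lookup('bitwarden.secrets.lookup', db_password_secret_id) }}"

    # Method 2: token passed explicitly, but sourced from a second environment
    # variable instead of being hard-coded, so several tokens can coexist.
    custom_access_token: "{{ lookup('ansible.builtin.env', 'CUSTOM_ACCESS_TOKEN_VAR') }}"
    api_key: "{{ lookup('bitwarden.secrets.lookup', api_key_secret_id, access_token=custom_access_token) }}"

    # Fields other than the value, here the secret's note.
    db_password_note: "{{ lookup('bitwarden.secrets.lookup', db_password_secret_id, field='note') }}"

    # Self-hosted servers: point the plugin at your own instance (placeholder URL,
    # left commented out so the playbook runs against the default cloud server).
    # self_hosted_password: "{{ lookup('bitwarden.secrets.lookup', db_password_secret_id, base_url='https://bitwarden.example.com') }}"

  tasks:
    - name: Hand the secret to a command via the environment, never on the command line
      ansible.builtin.shell: printf '%s' "$DB_PASSWORD" | wc -c
      environment:
        DB_PASSWORD: "{{ db_password }}"
      no_log: true          # keeps the secret out of task output and logs
      changed_when: false

    - name: Confirm the lookups resolved without printing the secret values
      ansible.builtin.debug:
        msg:
          - "db_password length: {{ db_password | length }}"
          - "api_key length: {{ api_key | length }}"
          - "note length: {{ db_password_note | length }}"
```

Because Ansible templates play variables lazily, the commented self-hosted lookup only runs if some task references it, and no_log on the shell task is what stops the templated environment value from appearing in verbose output.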