I am looking for a way to securely handle passwords in ansible. Basically I'd like to avoid typing my password every time root or administrator access is required on a remote machine, but maintain some semblance of security (I know any solution will reduce security slightly, but that's an okay tradeoff when doing lots of development work).
Something akin to ssh-agent would be perfect, where I can type my password once (when beginning dev work or at login) and then it will not prompt again while I remain logged in. Ideally the solution would support both Linux & Windows.
I know I can set ansible_password in a configuration file, or set NOPASSWD on Linux machines, but neither of those options are very secure, and the latter doesn't work for Windows.
Maybe some kind of encrypted vault that can be decrypted once and stored in a secure(ish) place in memory that ansible can access?
Most of your secret data should be encrypted using ansible vault. Then you just provide the vault password when running.
Since you don't want to be typing the password every single run if you look, you can find that there are several examples that you can find out on the internet about how to do this, but you can basically set a
vault_password_file =in your ansible.cfg to point at a script. In that script, you can use the GPG agent to temporarily store your vault credentials for a time.