hansmi/vault-keepassxc-client

Ansible Vault client for KeePassXC

vault-keepassxc-client is a client script for Ansible Vault to work with KeePassXC (keepassxreboot/keepassxc). Passwords for vaults are retrieved from the password manager.

To keep this tool tiny, it relies on F. Zhang's git-credential-keepassxc program, which uses KeePassXC's socket protocol, originally written for web browser extensions.

Usage

The client can be registered for individual vault IDs in ansible.cfg:

[defaults]
vault_identity_list = test1@/usr/local/bin/vault-keepassxc-client

The Git credential client needs to be configured first (see its documentation; caller limitations are left as an exercise to the reader):

git-credential-keepassxc configure

Password entries in KeePassXC are recognized via URLs of the form ansible-vault://<vault_id>/. They need to be in a group named Ansible. Such entries can be configured manually or via the command line. Without --generate-random the user is prompted for the password.

Example:

$ vault-keepassxc-client --vault-id test1 --generate-random --set

Read the password back:

$ vault-keepassxc-client --vault-id test1 --get
AbXy[…]1234

Screenshot of KeePassXC showing a single entry with an Ansible vault password
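
The following audit helper is an added example, not part of this project's code. It reads the `vault_identity_list` setting from ansible.cfg text, classifies each vault source, and derives the `ansible-vault://<vault_id>/` entry URL expected in the Ansible group for identities served by vault-keepassxc-client. The function name, the `kind` labels and the sample configuration are hypothetical; the classification follows Ansible's documented rules (`prompt` sources, and client scripts recognised by a file name ending in `-client`).

```python
import configparser
import os

# Constructed sample: one KeePassXC-backed identity, one file source, one prompt.
SAMPLE_CFG = """\
[defaults]
vault_identity_list = test1@/usr/local/bin/vault-keepassxc-client, dev@~/.vault_pass_dev, prod@prompt
"""

def audit_vault_identities(cfg_text):
    """Classify every vault_identity_list entry found in ansible.cfg text."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    raw = cfg.get("defaults", "vault_identity_list", fallback="")
    findings = []
    for item in (part.strip() for part in raw.split(",")):
        if not item:
            continue
        # Entries have the form label@source; the label is optional.
        label, sep, source = item.partition("@")
        if not sep:
            label, source = None, item
        stem = os.path.splitext(os.path.basename(source))[0]
        url = None
        if source in ("prompt", "prompt_ask_vault_pass"):
            kind = "prompt"
        elif stem == "vault-keepassxc-client":
            kind = "keepassxc"
            if label:
                # URL form documented in this README for KeePassXC entries.
                url = f"ansible-vault://{label}/"
        elif stem.endswith("-client"):
            kind = "other-client"
        else:
            # Password file or non-client script: the secret lives outside
            # the password manager and deserves a closer look.
            kind = "file-or-script"
        findings.append({"vault_id": label, "source": source,
                         "kind": kind, "entry_url": url})
    return findings

if __name__ == "__main__":
    for finding in audit_vault_identities(SAMPLE_CFG):
        print(finding)
```

Entries reported as `file-or-script` are the ones to review when the goal is to keep every vault password inside KeePassXC.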
