Best practice with keybase pgp decrypt and aws secrets

I’m using terraform to generate a user’s access and secret key, and then using that information in ansible to provision an installation of some other software.

using the suggested doc to aquire this with

terraform output encrypted_secret | base64 --decode | keybase pgp decrypt

…usually result in me having to type in the keybase password on the next line.

I’m wondering what is the best approach to automating this operation to aquire that data. I know ansible has the expect: command, but I wanted to see if there are any better recommended ways in decrypting this information.

somethign else I’m wondering is - can we generate pgp keys on a new system without an internet connection and automatically provide a password to decrypt / avoid it?

terraform provides an encrypted secret for aws ami access, but no automation can be achieved with that key unless we have the means to decrypt it in an automated fashion.