diff --git a/playbooks/bridge.yaml b/playbooks/bridge.yaml
index 44b173bf29..d5446b7d29 100644
--- a/playbooks/bridge.yaml
+++ b/playbooks/bridge.yaml
@@ -23,6 +23,7 @@
     - root-keys
     - ansible-cron
     - cloud-launcher-cron
+    - edit-secrets-script
   tasks:
     - name: Allow Zuul to trigger Ansible
       authorized_key:
diff --git a/playbooks/roles/edit-secrets-script/README.rst b/playbooks/roles/edit-secrets-script/README.rst
new file mode 100644
index 0000000000..16196aec44
--- /dev/null
+++ b/playbooks/roles/edit-secrets-script/README.rst
@@ -0,0 +1,3 @@
+This role installs a script called `edit-secrets` to /usr/local/bin
+that allows you to safely edit the secrets file without needing to
+manage gpg-agent yourself.
diff --git a/playbooks/roles/edit-secrets-script/files/edit-secrets b/playbooks/roles/edit-secrets-script/files/edit-secrets
new file mode 100644
index 0000000000..5f1a22d2e0
--- /dev/null
+++ b/playbooks/roles/edit-secrets-script/files/edit-secrets
@@ -0,0 +1,2 @@
+#!/bin/sh
+gpg-agent --daemon emacs /root/passwords/passwords.gpg
diff --git a/playbooks/roles/edit-secrets-script/tasks/main.yaml b/playbooks/roles/edit-secrets-script/tasks/main.yaml
new file mode 100644
index 0000000000..21800d5f33
--- /dev/null
+++ b/playbooks/roles/edit-secrets-script/tasks/main.yaml
@@ -0,0 +1,5 @@
+- name: Copy edit-secrets script
+  copy:
+    mode: 0750
+    src: edit-secrets
+    dest: /usr/local/bin/edit-secrets