Read vault password using gpg-agent


Dale

Aug 1, 2014, 1:49:05 AM
to ansible...@googlegroups.com
Hi Ansible users,

I've been trying to use vault lately but I got tired of having to enter my passphrase every time I ran ansible-playbook.  I didn't want to put my passphrase into a file on disk, either.  Luckily, the next major release of Ansible will include the ability for vault_password_file to point at a script that will be run to get your passphrase.[1]  Using this new functionality I wrote a tiny vault_password_file script that reads your passphrase via gpg-agent.  gpg-agent will then cache that passphrase for you (by default) so you won't have to enter it every time you run an Ansible command.

I thought others might find this useful.  If so, the script can be found at:

To reiterate, as of right now I believe this will only work with Ansible from the Git devel branch.

If an Ansible maintainer thinks this has a place in some more official repository somewhere I'm happy to make a pull request, just give me a hint where it should go.

Regards,
Dale
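
As an added example (not the script Dale posted, which is not reproduced in this thread), here is what such a vault_password_file script can look like in Python: it asks gpg-agent for the passphrase through gpg-connect-agent's GET_PASSPHRASE command, so pinentry prompts on the first run and the agent's cache answers afterwards. The cache id "ansible-vault", the prompt wording and the sample agent replies used for testing are constructed; the reply parsing follows the Assuan protocol gpg-agent speaks (a "D" data line with percent-escaped bytes on success, an "ERR" line on failure).

```python
#!/usr/bin/env python3
"""Hypothetical vault_password_file script: fetch the Ansible Vault passphrase
from gpg-agent so it is typed once per cache lifetime instead of on every run.

Added example, not the script from the thread. Assumes the gpg-connect-agent
command and gpg-agent's GET_PASSPHRASE Assuan command are available.
"""
import subprocess
import sys
from urllib.parse import unquote

# Name under which gpg-agent caches the passphrase (constructed value; use a
# distinct id per vault so two vaults never share a cache slot).
CACHE_ID = "ansible-vault"


def build_request(cache_id=CACHE_ID, no_ask=False):
    """Build the Assuan request line sent to gpg-agent.

    Syntax: GET_PASSPHRASE [--data] [--no-ask] <cache_id> <error> <prompt> <desc>
    'X' stands for "no error message"; spaces inside an argument are written as '+'.
    --data returns the passphrase on a D line instead of hex inside the OK line;
    --no-ask only returns a cached value and never prompts (useful for CI checks).
    """
    flags = "--data --no-ask" if no_ask else "--data"
    return "GET_PASSPHRASE %s %s X Vault+passphrase: Enter+the+Ansible+Vault+passphrase" % (
        flags, cache_id)


def parse_reply(reply):
    """Extract the passphrase from gpg-connect-agent's output.

    Returns None when the agent answered ERR (pinentry cancelled, or --no-ask
    with an empty cache) or sent no data. Assuan percent-escapes '%', CR and
    LF inside D lines and may split data over several D lines, so the raw
    pieces are joined first and decoded afterwards.
    """
    data_lines = []
    for line in reply.splitlines():
        if line.startswith("ERR "):
            return None
        if line.startswith("D "):
            data_lines.append(line[2:])
    if not data_lines:
        return None
    return unquote("".join(data_lines))


def fetch_passphrase(cache_id=CACHE_ID, no_ask=False):
    """Run gpg-connect-agent and return the passphrase, or None on failure."""
    proc = subprocess.run(
        ["gpg-connect-agent", build_request(cache_id, no_ask), "/bye"],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True)
    if proc.returncode != 0:
        sys.stderr.write(proc.stderr)
        return None
    return parse_reply(proc.stdout)


def main():
    passphrase = fetch_passphrase()
    if passphrase is None:
        # Exit non-zero with nothing on stdout, so a cancelled prompt can never
        # be mistaken by Ansible for an empty vault password.
        sys.stderr.write("gpg-agent did not return a vault passphrase\n")
        return 1
    # Ansible reads the script's stdout as the vault password.
    sys.stdout.write(passphrase + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Save it somewhere like ~/.ansible/vault-pass.py, mark it chmod +x, and point vault_password_file (or --vault-password-file) at it. The passphrase then lives only in gpg-agent's memory for as long as its default-cache-ttl / max-cache-ttl settings allow; to drop it early, send the agent "CLEAR_PASSPHRASE ansible-vault" through gpg-connect-agent.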

Michael DeHaan

Aug 1, 2014, 7:37:25 AM
to ansible...@googlegroups.com
There's a pull request for direct GPG support in vault as well that we need to evaluate.


"Luckily, the next major release of Ansible will include the ability for vault_password_file to point at a script that will be run to get your passphrase."

FYI - I don't remember merging this one.  If we didn't merge that yet, I'm not opposed.   Perhaps James did and I didn't notice, but there should be instructions added in docs to reference how to use it before this is complete.

It may be a case of comparing the two submissions; can you please comment on the above pull request?

Thanks!

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAEj9N4LwfbYg-PVAPTwmn1WP%3DCaYefPU48vY05XS3QxBWyFuUQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Matt Martz

Aug 1, 2014, 9:18:38 AM
to ansible...@googlegroups.com
The PR for using a script for the password file did include some documentation which is available at:


It is not extensive but does give some information as to what ansible expects.

James merged the PR a few weeks ago.



--
Matt Martz
ma...@sivel.net
http://sivel.net/

Michael DeHaan

Aug 1, 2014, 10:25:32 AM
to ansible...@googlegroups.com
Thanks.

Docs need to indicate when a parameter is version specific, I'll take care of it.

Dale

Aug 2, 2014, 1:13:40 PM
to ansible...@googlegroups.com
On Fri, Aug 1, 2014 at 6:37 AM, Michael DeHaan <mic...@ansible.com> wrote:
There's a pull request for direct GPG support in vault as well that we need to evaluate.


"Luckily, the next major release of Ansible will include the ability for vault_password_file to point at a script that will be run to get your passphrase."

FYI - I don't remember merging this one.  If we didn't merge that yet, I'm not opposed.   Perhaps James did and I didn't notice, but there should be instructions added in docs to reference how to use it before this is complete.

It may be a case of comparing the two submissions; can you please comment on the above pull request?

Thanks!

I'm sorry, I don't understand.  What would you like me to comment on regarding the above pull request for GPG vault file support?  I don't have much to say about it, as I think this PR to use GPG for encrypting vault files is orthogonal to my script to use gpg-agent to store your vault passphrase.  What I mean is that the PR you cited introduces a new vault encryption method, whereas my script will work with any vault encryption method that respects vault_password_file, including the default AES method and (apparently) this prospective GPG method.

Of course, if you're actually invoking GPG, as in the above PR, then my script is probably not necessary as I expect GPG to use gpg-agent directly.  (Though I can't tell if that's working quite right yet in the cited PR.)

Dale

Michael DeHaan

Aug 2, 2014, 1:54:19 PM
to ansible...@googlegroups.com
We have in fact merged in the support for the --vault-password-file to take a script (marked chmod +x) that can return the vault password.

I just hadn't noticed that we merged it, which is all good :)

And yes, you're exactly right - the two PRs are different things altogether.  The perils of a busy mailing list and too much going on.

We should still see about the gpg encryption method itself as well.


Bas Meijer

Aug 6, 2014, 1:06:26 AM
to ansible...@googlegroups.com
Would it be possible to extend this to use the ssh-agent?

Dale

Aug 6, 2014, 2:24:46 AM
to ansible...@googlegroups.com
I looked into using ssh-agent first.  It *might* be possible, but ssh-agent is really not designed for this purpose.  Check out the protocol description for ssh-agent[1]: It really expects to be given asymmetric key data, not passphrases, and it expects to perform challenges/signatures, not to hand back the data that you load into it.  You might be able to trick it into storing your passphrase as part of public key parameters and then retrieve it with a "request identities" message, but I generally have a bad feeling about that working now and in the future.

Contrast with gpg-agent which specifically includes the ability to store and retrieve passphrases.

(FWIW I think there is some way to use gpg-agent as a replacement for ssh-agent.[2]  I've never tried it.)

Dale

