Why not environment variable to store vault secrets ?


Gabriel Lewertowski

Nov 5, 2019, 3:14:23 PM
to Ansible Development
Hi !

I wrote the PR 64383 to add an option for using the environment to store vault secrets. The PR was rejected, and I would like to know more about why storing secrets in the environment is discouraged.

If the variable is exported, it's of course not completely safe, as it allows processes to read the password in /proc/$PID/environ... but it can be prevented with AppArmor/SELinux. Anyway, storing secrets in cleartext files, as is currently recommended, is not safe either.
My idea was that with this feature, it would be possible to do:

read -rs VAULT_PASSWORD   # -s: do not echo the typed password; -r: keep backslashes literal
VAULT_PASSWORD=$VAULT_PASSWORD ansible-playbook ... --vault-password-env "VAULT_PASSWORD"   # variable set for this one process only

Nothing stays in the environment, nor in shell history, nor in cleartext file...

Maybe the developers fear that some users could do things like:
export VAULT_PASSWORD="MYPASSWORD"
ansible-playbook ...

which is of course a bad idea because the password is written in shell history...

bcoca, who reviewed the PR, says it's achievable by using a vault script which reads the environment. This is true... but obviously more "hackish": you and everyone using the playbook must store the script, all must always use the same name for the variable, and you have to store the variable in the environment, which is less safe than the behavior with "read VAULT_PASSWORD; VAULT_PASSWORD=$VAULT_PASSWORD ansible-playbook ...".

Thanks !
GL

Sam Doran

Nov 12, 2019, 10:43:38 AM
to Gabriel Lewertowski, Ansible Development
Gabriel,

> Maybe the developpers fear that some users could do things like :
> export VAULT_PASSWORD="MYPASSWORD"
> ansible-playbook ...
>
> which is of course a bad idea because the password is written in shell history...

That's pretty much it: we don't want to encourage folks to store passwords in environment variables.

---

Sam

Fess Mage

Jan 22, 2020, 7:16:58 AM
to Ansible Development
> That's pretty much it: we don't want to encourage folks to store passwords in environment variables.

The question is: why? Obviously an env var is more secure than a plain text file, which is the current default for Ansible. Of course it's not the best available option, but still, better than now.