How ansible vault is safe when using scripts?
59 views
Skip to first unread message
R Batchen
Mar 22, 2022, 7:05:25 AM3/22/22
to Ansible Project
Hey,
I dont understand how ansible vault is safe if i want to use in a script i need to give ansible
the file where the password is saved in plain text.. so i dont get it
i do get it being safe if i do a prompts for the password with --ask-vault-pass
but when i point to ansible using --vault-password-file or export global variable with pass it is saved on the system\file as plain text
what am i missing?
Thanks!
Stefan Hornburg (Racke)
Mar 22, 2022, 7:16:01 AM3/22/22
to ansible...@googlegroups.com
Regards
Racke
>
> Thanks!
>
> --
> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com <mailto:ansible-proje...@googlegroups.com>.
> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/4ae3f1e6-f4c0-4214-b0a4-d2c5208dcfd6n%40googlegroups.com <https://groups.google.com/d/msgid/ansible-project/4ae3f1e6-f4c0-4214-b0a4-d2c5208dcfd6n%40googlegroups.com?utm_medium=email&utm_source=footer>.
--
Automation expert - Ansible and friends
Linux administrator & Debian maintainer
Perl Dancer & conference hopper
Abhijeet Kasurde
Mar 22, 2022, 7:47:11 AM3/22/22
to ansible...@googlegroups.com
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/918761a2-9f59-b7db-860a-f3d4456a58d3%40linuxia.de.
--
Thanks,
Abhijeet Kasurde
R Batchen
Mar 27, 2022, 10:17:13 AM3/27/22
to Ansible Project
I have tried using the gpg script works amazing BUT - the gpg file askes randomly the password again and again so i cannot really relay on that.
i used like this :
gpg-wrapper.sh -
#!/bin/sh
VAULT_PW_FILENAME="/base/vaults/vault.gpg"
gpg --quiet --batch --use-agent --decrypt $VAULT_PW_FILENAME
VAULT_PW_FILENAME="/base/vaults/vault.gpg"
gpg --quiet --batch --use-agent --decrypt $VAULT_PW_FILENAME
ansible.cfg -
vault_password_file = /base/vaults/gpg-wrapper.sh
encrypted like this:
gpg --quiet --batch --use-agent --decrypt vault
ב-יום שלישי, 22 במרץ 2022 בשעה 13:16:01 UTC+2, ra...@linuxia.de כתב/ה:
R Batchen
Mar 27, 2022, 10:19:29 AM3/27/22
to Ansible Project
sorry i encrypted like this:
gpg -c vault
ב-יום ראשון, 27 במרץ 2022 בשעה 17:17:13 UTC+3, R Batchen כתב/ה:
Dick Visser
Mar 27, 2022, 12:56:24 PM3/27/22
to ansible...@googlegroups.com
An option would be to use gpg-agent. Depending on your setup that
might automagically unlock when you sign in to the computer you use to
run ansible playbooks.
For example I know that on macOS you can store the gpg password in the
OS' keychain.
> To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/da0335a2-13be-4d56-b4e6-0eef2f0f9872n%40googlegroups.com.
--
Dick Visser
Senior Trust & Identity Infrastructure Architect
GÉANT
might automagically unlock when you sign in to the computer you use to
run ansible playbooks.
For example I know that on macOS you can store the gpg password in the
OS' keychain.
> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/da0335a2-13be-4d56-b4e6-0eef2f0f9872n%40googlegroups.com.
--
Dick Visser
Senior Trust & Identity Infrastructure Architect
GÉANT
R Batchen
Mar 29, 2022, 4:49:00 AM3/29/22
to Ansible Project
I work on ubuntu host and the ansible playbooks run on docker container with ubuntu
ill try to look into gpg agent for docker container - thanks!
ב-יום ראשון, 27 במרץ 2022 בשעה 19:56:24 UTC+3, dick....@geant.org כתב/ה:
Reply all
Reply to author
Forward
0 new messages