How is ansible vault safe when using scripts?


R Batchen
Mar 22, 2022, 7:05:25 AM
to Ansible Project
Hey,
I don't understand how ansible vault is safe if I want to use it in a script: I need to give ansible
the file where the password is saved in plain text, so I don't get it.

I do get it being safe if I prompt for the password with --ask-vault-pass,
but when I point ansible to a file with --vault-password-file or export a global variable with the pass, it is saved on the system/file as plain text.

What am I missing?

Thanks!

Stefan Hornburg (Racke)
Mar 22, 2022, 7:16:01 AM
to ansible...@googlegroups.com
You can use a GPG-encrypted password file with a wrapper script.

Regards
Racke



--
Automation expert - Ansible and friends
Linux administrator & Debian maintainer
Perl Dancer & conference hopper


Abhijeet Kasurde
Mar 22, 2022, 7:47:11 AM
to ansible...@googlegroups.com

R Batchen
Mar 27, 2022, 10:17:13 AM
to Ansible Project
I have tried using the gpg script; it works amazingly, BUT the gpg file asks for the password again and again at random, so I cannot really rely on it.
I used it like this:

gpg-wrapper.sh -
#!/bin/sh
# gpg-encrypted file that holds the vault password
VAULT_PW_FILENAME="/base/vaults/vault.gpg"
# print the decrypted vault password on stdout for ansible to read
gpg --quiet --batch --use-agent --decrypt "$VAULT_PW_FILENAME"

ansible.cfg -
vault_password_file = /base/vaults/gpg-wrapper.sh


encrypted like this:
gpg --quiet --batch --use-agent --decrypt vault


On Tuesday, March 22, 2022 at 13:16:01 UTC+2, ra...@linuxia.de wrote:

R Batchen
Mar 27, 2022, 10:19:29 AM
to Ansible Project
Sorry, I encrypted it like this:
gpg -c vault

On Sunday, March 27, 2022 at 17:17:13 UTC+3, R Batchen wrote:

Dick Visser
Mar 27, 2022, 12:56:24 PM
to ansible...@googlegroups.com
An option would be to use gpg-agent. Depending on your setup, that
might automagically unlock when you sign in to the computer you use to
run ansible playbooks.
For example, I know that on macOS you can store the gpg password in the
OS keychain.



--
Dick Visser
Senior Trust & Identity Infrastructure Architect
GÉANT
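Putting the two suggestions above together (Racke's gpg-encrypted password file behind a wrapper, and Dick's gpg-agent caching), here is an added example. It is my own code, not from the thread, the posters or the Ansible project: a vault_password_file wrapper that decrypts a symmetrically gpg-encrypted file and refuses to run if that file is group- or world-readable, plus the gpg-agent.conf lifetimes (default-cache-ttl / max-cache-ttl) that stop the passphrase prompt from reappearing once the agent's default 10-minute cache expires. All paths, the example password and passphrase, and the 8-hour / 24-hour lifetimes are assumptions; the encrypt and decrypt helpers use --pinentry-mode loopback (GnuPG 2.1 or later) only so the demo can run unattended, while the wrapper itself leaves the passphrase to gpg-agent/pinentry.

```sh
#!/bin/sh
# Added example (not code from the thread or from the Ansible project):
# Ansible runs vault_password_file if it is executable and takes its stdout
# as the vault password, so the password can live in a gpg-encrypted file
# that only gpg-agent/pinentry can unlock. Paths, the example password and
# passphrase, and the cache lifetimes below are assumptions.
set -eu

# True when group and others have no permission bits (mode ends in 00,
# e.g. 600 or 700). GNU stat first, BSD/macOS stat as fallback.
check_private_file() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Symmetrically encrypt the vault password. The gpg passphrase arrives on
# fd 3 (never argv, so it is not visible in ps). Loopback pinentry needs
# GnuPG >= 2.1; a real setup would rather encrypt to your public key.
encrypt_vault_password() {
    out="$1"; vault_pw="$2"; gpg_pass="$3"
    (
        umask 077
        printf '%s' "$vault_pw" | gpg --quiet --batch --yes --pinentry-mode loopback \
            --passphrase-fd 3 --symmetric --cipher-algo AES256 --output "$out" 3<<EOF
$gpg_pass
EOF
    )
}

# Non-interactive decrypt used only by the demo/test. The real wrapper
# below leaves the passphrase to gpg-agent so it never touches a script.
decrypt_with_passphrase() {
    enc="$1"; gpg_pass="$2"
    gpg --quiet --batch --pinentry-mode loopback --passphrase-fd 3 --decrypt "$enc" 3<<EOF
$gpg_pass
EOF
}

# Write the wrapper Ansible will execute. It must print the password and
# nothing else, and it fails closed if the encrypted file is shared.
write_wrapper() {
    wrapper="$1"; enc="$2"
    cat > "$wrapper" <<EOF
#!/bin/sh
set -eu
VAULT_PW_FILENAME="$enc"
mode=\$(stat -c '%a' "\$VAULT_PW_FILENAME" 2>/dev/null || stat -f '%Lp' "\$VAULT_PW_FILENAME")
case "\$mode" in
    *00) ;;
    *) echo "refusing: \$VAULT_PW_FILENAME is group/world readable" >&2; exit 1 ;;
esac
exec gpg --quiet --batch --decrypt "\$VAULT_PW_FILENAME"
EOF
    chmod 0700 "$wrapper"   # executable, so Ansible runs it instead of reading it
}

# gpg-agent cache lifetimes in seconds. The defaults are 600 and 7200, which
# is why the prompt "randomly" comes back: the cached passphrase expired.
write_agent_conf() {
    conf="$1"; ttl="$2"; max_ttl="$3"
    ( umask 077; printf 'default-cache-ttl %s\nmax-cache-ttl %s\n' "$ttl" "$max_ttl" > "$conf" )
}

# Read one key back from gpg-agent.conf (to check what was written).
agent_conf_value() {
    key="$1"; conf="$2"
    awk -v k="$key" '$1 == k { print $2 }' "$conf"
}

# The ansible.cfg lines that point Ansible at the wrapper.
ansible_cfg_fragment() {
    printf '[defaults]\nvault_password_file = %s\n' "$1"
}

# Demo: VAULT_DEMO=1 sh vault-gpg-demo.sh (writes into a temp directory).
main() {
    dir=$(mktemp -d)
    write_agent_conf "$dir/gpg-agent.conf" 28800 86400   # 8 h idle, 24 h absolute
    write_wrapper "$dir/gpg-wrapper.sh" "$dir/vault.gpg"
    if command -v gpg >/dev/null 2>&1; then
        encrypt_vault_password "$dir/vault.gpg" "example-vault-password" "example-gpg-passphrase"
        check_private_file "$dir/vault.gpg" && echo "vault.gpg is private"
        [ "$(decrypt_with_passphrase "$dir/vault.gpg" "example-gpg-passphrase")" = "example-vault-password" ] \
            && echo "round trip ok"
    fi
    ansible_cfg_fragment "$dir/gpg-wrapper.sh"
    echo "copy $dir/gpg-agent.conf to ~/.gnupg/ and reload: gpg-connect-agent reloadagent /bye"
}
if [ "${VAULT_DEMO:-0}" = 1 ]; then main; fi
```

The wrapper has to be executable (chmod 0700 above); a non-executable vault_password_file is read as the password itself. After changing gpg-agent.conf, reload the agent with gpg-connect-agent reloadagent /bye so the new lifetimes take effect.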

R Batchen
Mar 29, 2022, 4:49:00 AM
to Ansible Project
I work on an Ubuntu host and the ansible playbooks run in a docker container with Ubuntu.
I'll try to look into gpg agent for the docker container - thanks!
On Sunday, March 27, 2022 at 19:56:24 UTC+3, dick....@geant.org wrote: