specify --vault-password-file in ansible.cfg file


Jason Harris

Sep 16, 2014, 5:41:41 AM
to ansible...@googlegroups.com
Hi All,

It would be handy to be able to specify a default vault-password-file in the ansible configuration file. That way when we are operating within the ansible role we can easily encrypt, edit, and decrypt files without having to always add:

   --vault-password-file ~/.vault_pass.txt

We can of course create a bash alias for this but it doesn't vary when we are in different ansible projects...

Also, it would be nice to have an ansible-vault cat | more | less etc. to easily look at the file contents.

And in fact it might be nice to be able to have several passwords in vault_pass, which are tried in succession. I.e. we might have vault_pass.txt be:

general_pass : aYLNOrPGA9qEYDxs
aws_deploy_keys: BbqxyxGBqjSC3kVt
super_secret_key: KeqZqnXvCHQJ7hDx

That way we could hand out, say, the general_pass to some people working on general things, give out the aws deploy keys to a smaller set of people, and finally only a few people would know the super_secret_key.

Thanks,
   Jason

Michael DeHaan

Sep 16, 2014, 8:31:14 AM
to ansible...@googlegroups.com
It seems that, as this file is frequently world readable (and probably should be, for completeness of knowing what the settings are), putting a password in this file is not a good idea.

Also, there's an ansible-vault view to easily see file contents that does open a pager these days. That might only be on the devel branch, as I don't really remember.

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/888da30c-5c70-4eb5-8069-3a307f6dec30%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Matt Martz

Sep 16, 2014, 8:36:29 AM
to ansible...@googlegroups.com
There is indeed a way to specify this in the ansible.cfg file:

[defaults]
vault_password_file = /path/to/password_file

Additionally of note is that the --vault-password-file can also be a script, and if marked as executable the script will be executed and can respond with the password. Then you can store your password in something like Keychain on Mac and have the script retrieve it. (I've submitted a PR to show how to do this at https://github.com/ansible/ansible/pull/8561)

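Added example, not the code from the PR above or from Ansible itself: a vault password script of the kind Matt describes, plus a small check of how Ansible will treat whatever `vault_password_file` points at. With `[defaults] vault_password_file = /path/to/vault-pass.py` in ansible.cfg and the script marked executable, Ansible runs it and reads the password from stdout, so only a path (not the secret) sits in the world-readable config file. The `keyring` library call is real (`keyring.get_password`); the service/account names, the `ANSIBLE_VAULT_KEYRING_ACCOUNT` environment variable and the warning strings are assumptions for this example.

```python
#!/usr/bin/env python3
"""Vault password script for Ansible (added example, not the PR's own code).

An executable --vault-password-file / vault_password_file is run by Ansible,
which takes its stdout as the vault password. The secret therefore lives in
the OS keyring rather than in a file readable by everyone on the host.
"""
import os
import stat
import sys

# Hypothetical keyring service/account names; pick your own.
KEYRING_SERVICE = "ansible-vault"
KEYRING_ACCOUNT = os.environ.get("ANSIBLE_VAULT_KEYRING_ACCOUNT", "default")


def keyring_lookup(service, account):
    """Fetch a secret from the OS keyring via the `keyring` library.

    Imported lazily so the permission check below works without it installed.
    """
    import keyring  # pip install keyring
    return keyring.get_password(service, account)


def get_vault_password(service=KEYRING_SERVICE, account=KEYRING_ACCOUNT,
                       lookup=keyring_lookup):
    """Return the vault password, or raise LookupError if none is stored.

    `lookup` is injectable so the logic can be exercised with a fake backend.
    """
    password = lookup(service, account)
    if not password:
        raise LookupError(
            "no vault password stored for service=%r account=%r" % (service, account))
    return password


def check_password_file(path):
    """Describe how Ansible will treat `path` and flag risky permissions.

    Returns {'kind': 'script' | 'plaintext', 'mode': '0o...', 'warnings': [...]}.
    'script' means the file is executable, so its stdout is the password;
    'plaintext' means the file contents themselves are the password.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    executable = os.access(path, os.X_OK)
    warnings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        warnings.append("readable by group/others")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        # A writable script lets anyone on the host substitute the password source.
        warnings.append("writable by group/others")
    return {"kind": "script" if executable else "plaintext",
            "mode": oct(mode), "warnings": warnings}


if __name__ == "__main__":
    try:
        # No trailing newline needed; Ansible strips the output anyway.
        sys.stdout.write(get_vault_password())
    except Exception as exc:
        sys.stderr.write("vault-pass: %s\n" % exc)
        sys.exit(1)
```

Install it with `chmod 700 vault-pass.py` and point `vault_password_file` at it; `check_password_file("vault-pass.py")` should then report kind `script` with no warnings. Run against a plain `~/.vault_pass.txt` it tells you whether Ansible will read the contents as the password and whether other local users can read them too.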

Michael DeHaan

Sep 16, 2014, 11:12:36 AM
to ansible...@googlegroups.com
Sorry, reading too fast, I thought I read "password", not "file".

I should mention this is an undocumented option, which we always strive to correct.

This should be listed here:


and also in examples/ansible.cfg

Which gets shipped on RPM distros as the stock config file.

Please file a bug or something, or a pull request -- if you would like -- and we'll take care of it.

Michael DeHaan

Sep 16, 2014, 11:22:00 AM
to ansible...@googlegroups.com
Excellent, thank you!

(Bonus points for adding force_color at the same time... though that may be me trying to pull a Tom Sawyer type option about how fun it is to add option documentation!)

On Tue, Sep 16, 2014 at 11:19 AM, Matt Martz <ma...@sivel.net> wrote:
Since it is mostly my fault that it is not documented, I'll submit a PR to rectify the omission.

-- 
Matt Martz
@sivel


Matt Martz

Sep 16, 2014, 11:19:58 AM
to ansible...@googlegroups.com
Since it is mostly my fault that it is not documented, I'll submit a PR to rectify the omission.

-- 
Matt Martz
@sivel

On Tue, Sep 16, 2014 at 10:12 AM, Michael DeHaan <mic...@ansible.com> wrote:

Jason Harris

Sep 16, 2014, 5:19:34 PM
to ansible...@googlegroups.com
That is great! Thanks! The keyring solution is a really nice touch!

Jason Harris

Sep 16, 2014, 5:22:49 PM
to ansible...@googlegroups.com

On Tuesday, September 16, 2014 2:31:14 PM UTC+2, Michael DeHaan wrote:
Also, there's an ansible-vault view to easily see file contents that does open a pager these days. That might only be on the devel branch, as I don't really remember.

Ahh, nice to know this is coming. Thanks!