Get sudo/vault pass from stdin


Nate Coraor

Sep 10, 2014, 10:00:12 AM
to ansibl...@googlegroups.com
Moving the discussion over from Twitter: https://twitter.com/natefoo/status/509540916932014080

I have my vault passwords in pass (http://www.passwordstore.org/), so to run a playbook that requires vault decryption, I'll do something like:

% pass -c ansible/vault/usegalaxy
Copied ansible/vault/usegalaxy to clipboard. Will clear in 45 seconds.
% ansible-playbook -i stage/inventory galaxy.yml --ask-vault-pass
Vault password:

At the prompt, paste, return, and the playbook runs. But if I'm going to run the playbook a lot, this process becomes tedious. What I'd like to be able to do is something like:

% pass ansible/vault/usegalaxy | ansible-playbook -i stage/inventory galaxy.yml --vault-password-file=/dev/stdin

This doesn't work because the --vault-password-file code expects the named file to be a real file, rather than a pipe.

Instead of the --vault-password-stdin option as I proposed on Twitter, would a PR be accepted to make --vault-password-file handle stdin as I was originally trying? I'd propose accepting any of ('/dev/stdin', 'stdin', '-') to mean the same.

Thanks,
--nate

Matt Martz

Sep 11, 2014, 1:19:23 PM
to Nate Coraor, ansibl...@googlegroups.com
Why not just create a script to be used with --vault-password-file that does something like:

#!/usr/bin/env python
import sys
sys.stdout.write(sys.stdin.read().strip())

This should handle what you are attempting.


--
You received this message because you are subscribed to the Google Groups "Ansible Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-deve...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Matt Martz
ma...@sivel.net
http://sivel.net/

Nate Coraor

Sep 11, 2014, 2:14:35 PM
to Matt Martz, ansibl...@googlegroups.com
Hi Matt,

Thanks for the idea, I actually already have a handy utility on my system that does what your script does. ;)

  % pass ansible/vault/usegalaxy | ansible-playbook -i stage/inventory galaxy.yml --vault-password-file=/bin/cat

I didn't realize that --vault-password-file could be a script (although the call to `is_executable` in the traceback should have tipped me off...).

--nate
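
An added example, not part of the thread or of Ansible: a stricter stand-in for the stdin-relay script and the `/bin/cat` trick above. It forwards only the first line of stdin (`pass -c` copies just the first line of an entry, while piping the entry sends every line) and exits with an error on empty input or when stdin is a terminal. The file name `vault-pass-stdin.py` is a placeholder.

```python
#!/usr/bin/env python3
"""Relay a vault password piped on stdin to stdout (added example).

Intended use, with a placeholder script path:
  pass ansible/vault/usegalaxy | ansible-playbook -i stage/inventory \
      galaxy.yml --vault-password-file=./vault-pass-stdin.py
"""
import sys


class NoPasswordError(Exception):
    """Raised when stdin cannot supply a usable password."""


def password_from_stream(stream):
    """Return the first line of `stream` without its line ending."""
    # With a terminal on stdin nothing was piped in; reading would block
    # with no prompt and echo whatever gets typed, so refuse instead.
    if stream.isatty():
        raise NoPasswordError("stdin is a terminal; pipe the password in")
    # pass keeps the password on the first line of an entry; later lines
    # (URL, username, notes) must not become part of the vault password.
    password = stream.readline().rstrip("\r\n")
    if not password:
        # Empty input usually means the upstream command failed.
        raise NoPasswordError("no password received on stdin")
    return password


def main():
    try:
        password = password_from_stream(sys.stdin)
    except NoPasswordError as exc:
        sys.stderr.write("vault-pass-stdin: %s\n" % exc)
        return 1
    # No trailing newline, matching the script posted earlier in the thread.
    sys.stdout.write(password)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The script has to be marked executable for --vault-password-file to run it rather than read it as a password file.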


Steven Wolfe

Dec 3, 2015, 12:48:24 PM
to Ansible Development, ma...@sivel.net
Thanks for the posts.  This discussion was very helpful.  Solved an issue I was having.