using Ansible-Vault vars to run local bash scripts


Nicolas G

Jan 15, 2015, 7:52:36 AM1/15/15
to ansible...@googlegroups.com
Hi,

I have a bash script that I would like to run locally using the Ansible shell module. The problem is that I want to use some encrypted variables from Ansible-Vault in that bash script, but I think for security reasons ansible-vault variables are not rendered from the shell module.

Is there a better approach for what I want?

Please advise.

Regards,
N.

Tom Bamford

Jan 15, 2015, 8:39:40 AM1/15/15
to ansible...@googlegroups.com
Hi Nicolas

Just a couple of suggestions that spring to mind:

You could pass in the vars as environment variables, although these do unfortunately get exposed in syslog and console output.

Alternatively you could maybe write them to files on the target host (be it localhost or another host) with tight permissions and remove afterwards?

Regards
Tom


--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/8b0ad711-484c-4324-b74a-5661ec36acfd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Nicolas G.

Jan 15, 2015, 10:31:23 AM1/15/15
to ansible...@googlegroups.com
Thanks for the reply Tom, but both of your suggestions don't really help with the security concerns. It would be simpler to just hardcode the values in the script this way.

The approach I'm looking for is to use the ansible-vault variables on the fly with the script and, after the execution step, to not leave any traces.

Thanks again,
N.


Brian Coca

Jan 15, 2015, 10:36:12 AM1/15/15
to ansible...@googlegroups.com
You can have a template action that generates the script with the vaulted info; also you can use no_log to prevent info from appearing in the logs.



--
Brian Coca
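Worked example of the approach Brian describes (added here; it is not code from the thread or from the Ansible project). It assumes a modern Ansible (block/always and the tempfile module, i.e. 2.3 or later, not the 1.8.2 discussed in the thread), and a vault-encrypted vars file secrets.yml defining two hypothetical variables, db_user and db_password. The script is rendered with the secrets baked in to a 0700 file owned by the running user, executed, and removed in an always: block so it disappears even if the run fails. Because the values are substituted by Jinja2 into the file body, they never appear on a command line or in the process environment, which are the two places Tom notes get exposed:

```yaml
# Added example, not from the original thread.
# Assumes: secrets.yml is an ansible-vault encrypted vars file that defines
# db_user and db_password (hypothetical names).
- name: Run a local script that needs vaulted secrets without leaving them behind
  hosts: localhost
  connection: local
  gather_facts: false
  vars_files:
    - secrets.yml          # ansible-vault encrypted; decrypted in memory only
  tasks:
    - block:
        - name: Create a private temp file for the rendered script
          ansible.builtin.tempfile:
            state: file
            suffix: .sh      # tempfile uses mkstemp, so the file starts out 0600
          register: script

        - name: Render the script with the vaulted values substituted in
          ansible.builtin.copy:
            dest: "{{ script.path }}"
            mode: "0700"     # owner-only read/execute
            content: |
              #!/bin/bash
              set -euo pipefail
              # Values are rendered by Jinja2 into the file body, so they are not
              # in argv or the environment. The quote filter shell-escapes them,
              # so a password containing quotes or spaces cannot break the script.
              DB_USER={{ db_user | quote }}
              DB_PASSWORD={{ db_password | quote }}
              # ... real work goes here; do not echo the secrets ...
              echo "connecting as ${DB_USER}"
          no_log: true       # otherwise -v/--diff would print the rendered content

        - name: Execute the rendered script
          ansible.builtin.command: "{{ script.path }}"
          register: result
          no_log: true       # stdout/stderr of the script may contain the secrets
      always:
        - name: Remove the rendered script even if a previous task failed
          ansible.builtin.file:
            path: "{{ script.path }}"
            state: absent
          when: script is defined and script.path is defined
```

Run it with `ansible-playbook --ask-vault-pass site.yml` (or `--vault-password-file`). Two caveats a practitioner should keep in mind: deleting the file does not scrub the underlying disk blocks, so for high-value secrets a tmpfs location for the temp file is preferable; and no_log only suppresses Ansible's own output, so the script itself must not write the values to stdout, stderr or a log.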

Tom Bamford

Jan 15, 2015, 3:04:01 PM1/15/15
to ansible...@googlegroups.com

Hi Brian

As per a recent post of mine, no_log does not prevent the command arguments or environment variables from showing up in log output, despite documentation alluding to this.

Regards
Tom





--
Tom Bamford

@Planet
ATPLANET (Pty) Ltd

Tom Bamford

Jan 15, 2015, 3:05:34 PM1/15/15
to ansible...@googlegroups.com
Hi Nicolas

I'm not sure why depositing the secrets into a file alongside the script would be any less secure than hardcoding them in the script?

Tom


Brian Coca

Jan 15, 2015, 3:09:49 PM1/15/15
to ansible...@googlegroups.com
Tom, environment variables should not be covered by no_log, but command arguments should.

--
Brian Coca

Tom Bamford

Jan 15, 2015, 3:13:57 PM1/15/15
to ansible...@googlegroups.com
I am using 1.8.2 which appears to be exposing the entire command, args and all, when no_log is set to true. See https://groups.google.com/d/msg/ansible-project/ypVNNST6Gb8/n7ER3RY200AJ

This is probably a regression?

Regards
Tom



Nicolas G.

Jan 18, 2015, 6:11:42 PM1/18/15
to ansible...@googlegroups.com
That's what I wanted to say Tom, depositing the secrets into a file alongside the script is the same thing as having them hardcoded in the script, which in both cases I want to avoid.

Regards,
N.
