Inject vault password with plugin


FERREIRA CHRISTOPHE

May 24, 2020, 7:53:51 AM5/24/20
to Ansible Project
Hello, is it possible to inject the vault password with a custom vars or action plugin? I would like to put the password in HashiCorp Vault, and I wouldn't want to put a script on the host because it is executable by the user.

I have tried loader.set_vault_secrets(vault_secrets) but it does not work.

Dick Visser

May 24, 2020, 1:02:54 PM5/24/20
to ansible...@googlegroups.com
Hi, I'm not entirely sure what you mean but you may want to look at

On Sun, 24 May 2020 at 13:54, FERREIRA CHRISTOPHE <christophean...@gmail.com> wrote:
> Hello, is it possible to inject the vault password with a custom vars or action plugin? I would like to put the password in HashiCorp Vault, and I wouldn't want to put a script on the host because it is executable by the user.
>
> I have tried loader.set_vault_secrets(vault_secrets) but it does not work.

--
Sent from a mobile device - please excuse the brevity, spelling and punctuation.

FERREIRA CHRISTOPHE

May 24, 2020, 8:27:01 PM5/24/20
to Ansible Project
Hello, no, it's the Ansible Vault password; I think I can't use a lookup for this.

The only options I know of are --ask-vault-pass, environment variables and a vault password file.

Kai Stian Olstad

Jun 14, 2020, 2:01:56 PM6/14/20
to ansible...@googlegroups.com
On Sun, May 24, 2020 at 05:27:00PM -0700, FERREIRA CHRISTOPHE wrote:
> Only option i know is ask-vault-pass environment vars and vault password file

And scripts
https://github.com/ansible/ansible/blob/stable-2.9/contrib/vault/

--
Kai Stian Olstad

david....@estafet.com

Mar 16, 2021, 8:17:44 PM3/16/21
to Ansible Project
Hi,

I have hit the same issue. It would be really nice to be able to inject an 'ansible vault' password during a play. 
Whilst I know this can be provided on the command line, this ultimately means writing a wrapper script to obtain the secret and then provide it on the command line to ansible.
The option of providing a script (or executable) as the vault password does not help either, as parameters cannot be provided to the script to elicit the desired secret, leaving the user having to generate a script file from a template in order to feed in the specifics about the secret required.
The 'include_vars' task and 'lookup' function recognise that a file is an Ansible Vault and try to decrypt it. This means that there is opportunity in a playbook to insert/inject the secret to unlock the file. This secret could be obtained from any secret management system immediately enabling integration within Ansible from that system.

I have looked through the code and may come back to it in the coming weeks to see if I can hit on an answer, but I am hoping that someone who knows what they are doing can respond/take a look.
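The scripts Kai links to and the parameterisation David asks for meet in Ansible's vault password client scripts: when the executable given as a vault password file (via --vault-id or vault_password_file) has a name ending in -client, for example my-vault-client.py, Ansible runs it as `my-vault-client.py --vault-id <label>`, where <label> is the id from `--vault-id prod@./my-vault-client.py`, so one script can serve several vault ids. The following is an added example written for this thread, not one of the contrib scripts; the secret backend is a constructed in-memory mapping (FAKE_BACKEND) standing in for a real store such as HashiCorp Vault, and the helper names are my own.

```python
#!/usr/bin/env python3
"""Added example: an Ansible vault password client script.

Ansible invokes an executable vault password file whose name ends in
"-client" as:

    my-vault-client.py --vault-id <label>

and uses whatever the script prints on stdout as the vault password for
that label. This is not code from the Ansible project. FAKE_BACKEND is a
constructed in-memory stand-in for a real secret store (assumption: e.g.
HashiCorp Vault's KV API) so that the example runs offline.
"""
import argparse
import sys

# Constructed sample data standing in for a real secret backend.
FAKE_BACKEND = {
    "dev": "dev-vault-password",
    "prod": "prod-vault-password",
}


def parse_vault_id(argv):
    """Return the --vault-id label Ansible passes, or 'default' when absent."""
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("--vault-id", default="default")
    args, _unknown = parser.parse_known_args(argv)
    return args.vault_id


def fetch_password(vault_id, backend=FAKE_BACKEND):
    """Look up the password for a vault id; None when the id is unknown.

    A real implementation would replace the dict lookup with a call to the
    secret backend, authenticating with credentials that are not readable
    by the unprivileged users the original poster is worried about.
    """
    return backend.get(vault_id)


def main(argv=None):
    """Entry point; returns the process exit status."""
    vault_id = parse_vault_id(sys.argv[1:] if argv is None else argv)
    password = fetch_password(vault_id)
    if password is None:
        # A non-zero exit makes ansible abort instead of silently trying
        # to decrypt with an empty or wrong password.
        print(f"no vault password for vault-id {vault_id!r}", file=sys.stderr)
        return 2
    # Print only the password; Ansible strips trailing line breaks from the
    # script's output, anything else would become part of the password.
    sys.stdout.write(password + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Save it as, for example, ./my-vault-client.py, make it executable, and run `ansible-playbook --vault-id prod@./my-vault-client.py site.yml`; the file name suffix is what switches Ansible into client mode, so a name without -client would be run with no arguments.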

Vladimir Botka

Mar 17, 2021, 6:27:14 AM3/17/21
to david....@estafet.com, ansible...@googlegroups.com
On Tue, 16 Mar 2021 17:17:44 -0700 (PDT)
"david....@estafet.com" <david....@estafet.com> wrote:

> ... inject an 'ansible vault' password during a play.

FWIW, below is a scenario for putting the vault password into a file
only when you need it. Given that the vault password is stored in
*passwordstore*, create two templates, e.g.

shell> cat dummy_vault_passwd.j2
dummy_vault_passwd

shell> cat my_vault_passwd.j2
{{ lookup('passwordstore', 'vault/admin') }}

and configure *vault_password_file*

shell> grep vault ansible.cfg
vault_password_file = $PWD/my_vault_passwd

Create "dummy" file $PWD/my_vault_passwd

shell> cat my_vault_passwd
dummy_vault_passwd

Then the playbook below puts the vault password into the file only in
the section where it is needed

- hosts: localhost
  tasks:
    - template:
        dest: "{{ playbook_dir }}/my_vault_passwd"
        src: my_vault_passwd.j2
        mode: "0600"
    - include_vars: vault.yml
    - template:
        dest: "{{ playbook_dir }}/my_vault_passwd"
        src: dummy_vault_passwd.j2
        mode: "0600"
--
Vladimir Botka