Providing password for script
161 views
Skip to first unread message
ProfHase
Jul 30, 2014, 8:55:29 AM7/30/14
to ansible...@googlegroups.com
For a deployment, a script needs to be called, which either asks for password or accepts password from command line.
As there are many users using ansible from a central machine to deploy stuff there is a question about how to design it:
AFAIK there is no chance to pass an input to the shell module. Therefore the only possiility I see is to put the password as a variable into the vault.
The problem there is: when the playbook is called one sees the password on the ansible output (one sees the whole command with all parameters, including the password).
How would you design such deployment?
Thanks a lot
As there are many users using ansible from a central machine to deploy stuff there is a question about how to design it:
AFAIK there is no chance to pass an input to the shell module. Therefore the only possiility I see is to put the password as a variable into the vault.
The problem there is: when the playbook is called one sees the password on the ansible output (one sees the whole command with all parameters, including the password).
How would you design such deployment?
Thanks a lot
Michael DeHaan
Jul 30, 2014, 9:02:48 AM7/30/14
to ansible...@googlegroups.com
There's been a proposal and a pull request to make the "no_log" keyword in Ansible, which hides output from remote syslog, also hide output and parameters from local callbacks (which would solve your display issue). We are likely to merge this soon.
- shell: foo
no_log: True
As for being able to pass input into the shell module, this is not actually the case, thankfully!
shell: foo.sh < input.txt
And such is possible, as with other shell operators.
(You could also run an expect script, or wrap things in a script: call_program.sh script, and the text of the call_program.sh script wouldn't be seen, but it's true it can't be vault encrypted).
--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/1f197842-4f0b-417e-8764-e9bc4d5809a6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
profh...@gmail.com
Jul 30, 2014, 9:17:11 AM7/30/14
to ansible...@googlegroups.com
Thanks a lot. I think that the 'no_log' option is a great idea.
So long I will stick with a combination of the expect script and the template module (so that i can paste a variable from the vault into the 'expect' script)
So long I will stick with a combination of the expect script and the template module (so that i can paste a variable from the vault into the 'expect' script)
--
You received this message because you are subscribed to a topic in the Google Groups "Ansible Project" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ansible-project/XEQ62cSAi7I/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ansible-proje...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CA%2BnsWgxQxvU4%3DE3oCsM8TJp6t%3DAAZG0iPi95wRuo87YJHZNc%2BA%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages