Hi!
Just don’t know where to post feature requests/suggestions, so I’ve decided to post it here.
How about an additional key to the ansible-playbook binary which will tell Ansible to delete the vault password file right after starting the playbook.
Here is the case (not sure if I’m the only one with such case):
I’m starting my playbook in Jenkins pipeline groovy code, so I’m using a Jenkins credentials secret file to pass the vault string to the ansible playbook, but that leads to creating this file in the workdir in plaintext for the whole ansible playbook runtime. So anyone who has read access to my job can just go to the Jenkins Workspaces tab right in the UI and get my vault id. I’ve made an ugly solution to run parallel tasks and remove the file after some timeout (dirty and ugly), so the code looks like this:
parallel "Running ansible script": {
    ansiblePlaybook playbook: "${playbook}",
        // takes the Jenkins credentials secret file and puts it into the workspace
        vaultCredentialsId: "${creds}",
        installation: "${tool}",
        inventory: "${inventory}",
        extras: "${extras}"
}, "Cleanup": {
    sh "sleep 5 && rm -f vault*.password"
}
Of course I can also try to delete it with the first task of my playbook, but I came up with the idea that maybe some additional key to the ansible binary itself would be the most elegant solution for this, since in most cases you don’t need the vault password file right after starting the playbook.
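As an added example (not from the post above, and not an Ansible or Jenkins feature), here is a way to keep the password out of the workspace entirely instead of racing to delete it: Ansible treats an executable passed to --vault-password-file as a client script and uses its stdout as the password, so the file on disk only references an environment variable. The variable name ANSIBLE_VAULT_PASSWORD and the playbook path are assumptions; in Jenkins the variable would be injected with a withCredentials string binding around the sh step.

```shell
#!/bin/sh
# Added example: run ansible-playbook with a vault password client script
# that never contains the secret itself. The secret lives only in the
# environment variable ANSIBLE_VAULT_PASSWORD (assumed name), supplied by
# the CI job, so nothing readable in the workspace holds it in plaintext.
set -eu

# Create a private directory outside the workspace and write a tiny
# executable that prints the password from the environment. Prints its path.
make_vault_pass_script() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/vaultpass.XXXXXX")
    chmod 700 "$dir"
    script="$dir/vault-pass.sh"
    cat > "$script" <<'EOF'
#!/bin/sh
# Emit the vault password; fail loudly instead of printing an empty string.
: "${ANSIBLE_VAULT_PASSWORD:?not set}"
printf '%s' "$ANSIBLE_VAULT_PASSWORD"
EOF
    chmod 700 "$script"
    printf '%s\n' "$script"
}

# Leak check: succeeds (exit 0) only if the file contains the secret verbatim.
file_leaks_secret() {
    grep -qF -- "$2" "$1"
}

# Run the playbook with the client script and remove the script directory
# however the run ends. Usage: run_playbook_with_vault site.yml -i inventory
run_playbook_with_vault() {
    playbook=$1; shift
    script=$(make_vault_pass_script)
    trap 'rm -rf "$(dirname "$script")"' EXIT
    ansible-playbook --vault-password-file "$script" "$playbook" "$@"
}
```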