Get sudo/vault pass from stdin

Moving the discussion over from Twitter: https://twitter.com/natefoo/status/509540916932014080

I have my vault passwords in pass (http://www.passwordstore.org/), so to run a playbook that requires vault decryption, I’ll do something like:

```
% pass -c ansible/vault/usegalaxy
Copied ansible/vault/usegalaxy to clipboard. Will clear in 45 seconds.
% ansible-playbook -i stage/inventory galaxy.yml --ask-vault-pass
Vault password:
```

At the prompt, paste, return, and the playbook runs. But if I’m going to run the playbook a lot, this process becomes tedious. What I’d like to be able to do is something like:

```
% pass ansible/vault/usegalaxy | ansible-playbook -i stage/inventory galaxy.yml --vault-password-file=/dev/stdin
```

This doesn’t work because the --vault-password-file code expects the named file to be a real file, rather than a pipe.

Instead of the --vault-password-stdin option as I proposed on Twitter, would a PR be accepted to make --vault-password-file handle stdin as I was originally trying? I’d propose accepting any of (‘/dev/stdin’, ‘stdin’, ‘-’) to mean the same.

Thanks,
–nate

Why not just create a script to be used with --vault-password-file that does something like:

```python
#!/usr/bin/env python
import sys
sys.stdout.write(sys.stdin.read().strip())
```

This should handle what you are attempting.

Hi Matt,

Thanks for the idea, I actually already have a handy utility on my system that does what your script does. :wink:

```
% pass ansible/vault/usegalaxy | ansible-playbook -i stage/inventory galaxy.yml --vault-password-file=/bin/cat
```

I didn’t realize that --vault-password-file could be a script (although the call to is_executable in the traceback should have tipped me off…).

–nate

Thanks for the posts. This discussion was very helpful. Solved an issue I was having.
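
Added example, not part of the original posts: since the thread establishes that --vault-password-file may name an executable whose output is used as the vault password, a small script can call pass itself, so nothing goes through the clipboard or a shell pipe. `fetch_password` and `main` are hypothetical names, and the entry name is the one used in the thread.

```python
#!/usr/bin/env python3
"""Vault password script: prints one pass(1) entry's password on stdout.

Added example. fetch_password and main are hypothetical names.
"""
import subprocess
import sys

PASS_ENTRY = "ansible/vault/usegalaxy"  # entry name used in the thread


def fetch_password(cmd):
    """Run cmd and return the first line of its stdout as the password.

    pass(1) keeps the password on the first line of an entry; any further
    lines are metadata and must not become part of the vault password.
    """
    # stderr is not captured, so gpg/pass errors still reach the terminal.
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, check=False)
    if proc.returncode != 0:
        raise RuntimeError("password command exited %d" % proc.returncode)
    lines = proc.stdout.decode("utf-8").splitlines()
    if not lines or not lines[0]:
        # Refuse to hand an empty string to the caller as a password.
        raise RuntimeError("password command returned an empty first line")
    return lines[0]


def main():
    try:
        password = fetch_password(["pass", "show", PASS_ENTRY])
    except (OSError, RuntimeError) as exc:
        # Report on stderr only; stdout is reserved for the secret.
        sys.stderr.write("vault password lookup failed: %s\n" % exc)
        return 1
    sys.stdout.write(password)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Make the file executable for its owner only and pass its path to --vault-password-file in place of /bin/cat; a non-zero exit leaves stdout empty rather than emitting a partial secret.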