How is Ansible Vault safe when using scripts?

Hey,
I don't understand how Ansible Vault is safe. If I want to use it in a script I need to give Ansible
the file where the password is saved in plain text... so I don't get it.

I do get it being safe if I do a prompt for the password with --ask-vault-pass,
but when I point Ansible to it using --vault-password-file or export a global variable with the password, it is saved on the system/file as plain text.

What am I missing?

Thanks!

You can use a GPG encrypted password file with a wrapper script.

Regards
        Racke

You can use this: https://docs.ansible.com/ansible/latest/user_guide/vault.html?extIdCarryOver=true&sc_cid=701f2000001Css5AAC#storing-passwords-in-third-party-tools-with-vault-password-client-scripts

I have tried using the gpg script and it works amazingly, BUT the gpg file asks for the password again and again at random, so I cannot really rely on that.
I used it like this:

gpg-wrapper.sh -

#!/bin/sh
# Decrypt the gpg-encrypted vault password and print it on stdout for Ansible.
VAULT_PW_FILENAME="/base/vaults/vault.gpg"
gpg --quiet --batch --use-agent --decrypt "$VAULT_PW_FILENAME"

ansible.cfg -
vault_password_file = /base/vaults/gpg-wrapper.sh

Encrypted like this:
gpg --quiet --batch --use-agent --decrypt vault

On Tuesday, March 22, 2022 at 13:16:01 UTC+2, ra...@linuxia.de wrote:

Sorry, I encrypted it like this:
gpg -c vault

On Sunday, March 27, 2022 at 17:17:13 UTC+3, R Batchen wrote:

An option would be to use gpg-agent. Depending on your setup that
might automagically unlock when you sign in to the computer you use to
run ansible playbooks.
For example I know that on macOS you can store the gpg password in the
OS' keychain.

I work on an Ubuntu host and the Ansible playbooks run in a Docker container with Ubuntu.
I'll try to look into gpg-agent for the Docker container - thanks!

On Sunday, March 27, 2022 at 19:56:24 UTC+3, dick....@geant.org wrote:
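As an added example (not code from anyone in this thread), here is the wrapper script above rewritten as a vault password client script in the style of the linked Ansible docs: Ansible runs a script whose name ends in -client with the argument --vault-id <label>, so one script can serve several vault ids, each mapped to its own gpg-encrypted password file that gpg-agent decrypts on demand. The script name, the /base/vaults layout and the label-to-file mapping are assumptions.

```shell
#!/bin/sh
# vault-gpg-client.sh (assumed name): Ansible vault password client script.
# Ansible invokes it as:  vault-gpg-client.sh --vault-id <label>
# and reads the password from stdout. No plaintext password lives on disk;
# gpg-agent keeps the passphrase in memory for its cache TTL only.
set -eu

VAULT_DIR="${VAULT_DIR:-/base/vaults}"   # assumed directory holding *.gpg files

# Map a vault id label to the gpg file holding that vault's password.
# Only plain labels (letters, digits, _ and -) are accepted, so a label such
# as "../x" cannot point outside VAULT_DIR; "default" maps to vault.gpg.
vault_file_for() {
    label="${1:-default}"
    case "$label" in
        default) echo "$VAULT_DIR/vault.gpg" ;;
        *[!A-Za-z0-9_-]*) return 1 ;;
        *) echo "$VAULT_DIR/$label.gpg" ;;
    esac
}

# Extract the label from the arguments Ansible passes; "default" if none.
parse_vault_id() {
    while [ $# -gt 0 ]; do
        case "$1" in
            --vault-id) shift; echo "${1:?missing label}"; return 0 ;;
            --vault-id=*) echo "${1#--vault-id=}"; return 0 ;;
        esac
        shift
    done
    echo default
}

main() {
    label=$(parse_vault_id "$@")
    file=$(vault_file_for "$label") || { echo "invalid vault id: $label" >&2; exit 2; }
    [ -r "$file" ] || { echo "no password file for vault id $label" >&2; exit 2; }
    # --batch/--no-tty make gpg fail instead of prompting when the agent cache
    # is cold, which is preferable to hanging inside cron or CI.
    exec gpg --quiet --batch --no-tty --decrypt "$file"
}

# Run main only when executed under the client-script name, not when sourced.
case "${0##*/}" in *-client.sh) main "$@" ;; esac
```

Point Ansible at it with --vault-id prod@/base/vaults/vault-gpg-client.sh (or vault_identity_list in ansible.cfg); the -client suffix is what makes Ansible pass --vault-id instead of treating the script as a plain password file. Repeated passphrase prompts usually mean the agent cache expired, which is tuned with default-cache-ttl and max-cache-ttl in gpg-agent.conf.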