Hi,
I have a question about lookup and memory:
When I use a lookup with vault, is the pass stored in memory when I use it directly in a task or pass it through a variable in an inventory? Is there a significant difference?
Have a nice day.
For more information :
I’m concerned about a security issue in my company, where the continuous delivery is shared between many teams. I would like to not store secrets in memory, or at least for the shortest possible time. I supposed that if I use my lookup directly in a task and not in a variable I was safer. Am I right?
There is no difference because of "Lazy Evaluation" ("Ansible evaluates any
variables in playbook content at the last possible second."), I think. See
https://docs.ansible.com/ansible/latest/reference_appendices/glossary.html
(Is this hashi_vault plugin?)
Cheers,
-vlado
Yes, it is.
I mean if I don’t use it as a variable but directly in a task as a parameter.
As example:
Is there a difference between
It seems logical to me that the first one is safer and evaluated later
I can only assume that "password1 is defined in an inventory" means a
similar line can be found in an inventory
password1: "{{ lookup('hashi_vault', 'secret=secret1') }}"
(Otherwise the comparison does not make much sense).
I can only repeat that both arguments below will be decrypted at the same
time because of the "Lazy Evaluation" ("Ansible evaluates any variables in
playbook content at the last possible second.")
- shell: "check.sh {{ lookup('hashi_vault', 'secret=secret1') }}"
- shell: "check.sh {{ password1 }}"
Cheers,
-vlado
Thanks vlado for your responses.
Yes, sorry for not being clear, password1 was defined in an inventory.
It's almost clear now.
Does it mean that if I use a variable from inventory twice it will be evaluated twice, or will the variable be stored in memory? Same question for a lookup directly in a task.
By the way, have you any advice in order to not store vault secrets in memory?
And sorry for bad English (plus I write from a phone)
Have a nice day and thanks once again)
> Does it mean that if I use a variable from inventory twice it will be
> evaluated twice, or will the variable be stored in memory? Same question for
> a lookup directly in a task.
It will be evaluated twice. In general the expansions "{{ }}" will be "lazy"
evaluated when referenced.
> By the way, have you any advice in order to not store vault secrets in memory?
As described, the value is not stored in memory for a longer time than needed, I
think.
You're welcome. Cheers,
-vlado
Ok, thank you very much for your explanation.
Have a nice day !
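The lazy evaluation discussed in this thread, as an added example that is not part of the original messages: a variable that holds a lookup stores only the template, every reference runs the lookup again, and `set_fact` is the point where a resolved value stays in memory for the rest of the play. The `ansible.builtin.password` lookup on `/dev/null` is a stand-in for `hashi_vault` (an assumption, so the play runs without a Vault server); the play, task and fact names are hypothetical.

```yaml
# Added example. Constructed playbook, runs offline against localhost.
- name: Show that a lookup-backed variable is evaluated on every reference
  hosts: localhost
  gather_facts: false
  vars:
    # Same shape as the inventory line in the thread. Ansible keeps the
    # template string here, not a resolved secret.
    # Stand-in lookup: a password lookup on /dev/null returns a new random
    # value each time it runs, which makes each evaluation visible.
    password1: "{{ lookup('ansible.builtin.password', '/dev/null') }}"
  tasks:
    - name: First reference runs the lookup
      ansible.builtin.set_fact:
        first_eval: "{{ password1 }}"
      no_log: true   # keep the resolved value out of task output

    - name: Second reference runs the lookup again
      ansible.builtin.set_fact:
        second_eval: "{{ password1 }}"
      no_log: true

    - name: Different values prove the variable was evaluated twice
      ansible.builtin.assert:
        that:
          - first_eval != second_eval
        quiet: true

    - name: A fact set with set_fact is a stored value, not a template
      ansible.builtin.set_fact:
        first_eval_again: "{{ first_eval }}"
      no_log: true

    - name: Reading the fact again returns the same stored value
      ansible.builtin.assert:
        that:
          - first_eval == first_eval_again
        quiet: true
```

With a real secret backend, the variable form and the inline lookup both fetch the secret at each use, while copying it into a fact with `set_fact` keeps the resolved value in the host's variables until the play ends.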