Hi,
Thanks for getting vault into trunk!
I have a few questions.
- If we have multiple users that need to edit an encrypted vars file, is there any way to avoid distributing a shared key amongst all of them?
Is there any kind of LDAP plugin envisioned for the future that would allow --ask-vault-pass to have ACLs without a separate key distribution solution?
- Is there a way to separate out the ability to edit a sensitive file vs. run a playbook that depends on it?
Let me give a specific use-case example of what we might like to accomplish assuming we have to distribute keys:
a. A team leader creates a vars file with sensitive info. Only she can edit the file.
b. Other team members are given the vault key to add to a secure keys directory or add to the command line to enable them to run the playbook using the vaulted file. They cannot use the key to open/edit the sensitive vars file.
- Is there (or will there be) any way to handle nested security levels?
Suppose you had an OpenStack deployment and wanted a whole team to be able to access that cloud with an openstack_creds.yml file, but only the sysadmin should be able to run a playbook against a host VM in that cloud. The restriction of only one key per ansible-playbook command would seem to prevent this:
ansible-playbook -i hosts site.yml --ask-vault-pass key-to-play-in-cloud
ansible-playbook -i hosts site.yml --ask-vault-pass key-to-administer-vm