Providing password for script

For a deployment, a script needs to be called, which either asks for password or accepts password from command line.
As there are many users using ansible from a central machine to deploy stuff there is a question about how to design it:

AFAIK there is no chance to pass an input to the shell module. Therefore the only possibility I see is to put the password as a variable into the vault.
The problem there is: when the playbook is called one sees the password on the ansible output (one sees the whole command with all parameters, including the password).

How would you design such deployment?

Thanks a lot

There’s been a proposal and a pull request to make the “no_log” keyword in Ansible, which hides output from remote syslog, also hide output and parameters from local callbacks (which would solve your display issue). We are likely to merge this soon.

  - shell: foo
    no_log: True

As for being able to pass input into the shell module, this is not actually the case, thankfully!

shell: foo.sh < input.txt

And such is possible, as with other shell operators.

(You could also run an expect script, or wrap things in a script: call_program.sh script, and the text of the call_program.sh script wouldn’t be seen, but it’s true it can’t be vault encrypted).

Thanks a lot. I think that the ‘no_log’ option is a great idea.

So long I will stick with a combination of the expect script and the template module (so that I can paste a variable from the vault into the ‘expect’ script).
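
The approach discussed in this thread, as an added example that is not part of the original posts: the vaulted password is fed to the script on standard input, so it never appears on the command line, and `no_log` keeps the task's parameters and result out of Ansible's output. It assumes the script reads its password prompt from stdin and uses the `stdin` parameter of the shell module from current Ansible releases; the host group, file names, script path and the variable name `deploy_password` are hypothetical.

```yaml
# Added example; host group, paths and variable names are assumptions.
- name: Run the deployment script without exposing its password
  hosts: app_servers                  # hypothetical inventory group
  vars_files:
    - vault.yml                       # ansible-vault encrypted; defines deploy_password
  tasks:
    - name: Stop early if the vaulted password is missing or empty
      ansible.builtin.assert:
        that:
          - deploy_password is defined
          - deploy_password | length > 0
        quiet: true
      no_log: true                    # keep the evaluated value out of the output

    - name: Run deploy.sh and answer its password prompt on stdin
      ansible.builtin.shell: /opt/deploy/deploy.sh   # hypothetical script path
      args:
        stdin: "{{ deploy_password }}"   # not part of argv, so not in the process list
      no_log: true                    # hide parameters and result from callbacks and syslog
      register: deploy_result
      failed_when: false              # failure is reported by the next task instead

    - name: Fail with the exit code only, never the script's output
      ansible.builtin.fail:
        msg: "deploy.sh failed with rc={{ deploy_result.rc }}"
      when: deploy_result.rc != 0
```

Run it with `ansible-playbook --ask-vault-pass` (or a vault password file) so each user of the central machine decrypts `vault.yml` at run time.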