I’ve been trying to use vault lately but I got tired of having to enter my passphrase every time I ran ansible-playbook. I didn’t want to put my passphrase into a file on disk, either. Luckily, the next major release of Ansible will include the ability for vault_password_file to point at a script that will be run to get your passphrase.[1] Using this new functionality I wrote a tiny vault_password_file script that reads your passphrase via gpg-agent. gpg-agent will then cache that passphrase for you (by default) so you won’t have to enter it every time you run an Ansible command.
To reiterate, as of right now I believe this will only work with Ansible from the Git devel branch.
If an Ansible maintainer thinks this has a place in some more official repository somewhere I’m happy to make a pull request, just give me a hint where it should go.
“Luckily, the next major release of Ansible will include the ability for vault_password_file to point at a script that will be run to get your passphrase.”
FYI - I don’t remember merging this one. If we didn’t merge that yet, I’m not opposed. Perhaps James did and I didn’t notice, but there should be instructions added in docs to reference how to use it before this is complete.
It may be a case of comparing the two submissions, can you please comment on the above pull request?
Thanks!
I'm sorry, I don't understand. What would you like me to comment on the
above pull request for GPG vault file support? I don't have much to say
about it, as I think this PR to use GPG for encrypting vault files is
orthogonal to my script to use gpg-agent to store your vault passphrase.
What I mean is that the PR you cited introduces a new vault encryption
method, whereas my script will work with any vault encryption method that
respects vault_password_file, including the default AES method and
(apparently) this prospective GPG method.
Of course, if you're actually invoking GPG, as in the above PR, then my
script is probably not necessary as I expect GPG to use gpg-agent directly.
(Though I can't tell if that's working quite right yet in the cited PR.)
I looked into using ssh-agent first. It *might* be possible, but ssh-agent
is really not designed for this purpose. Check out the protocol
description for ssh-agent[1]: It really expects to be given asymmetric key
data, not passphrases, and it expects to perform challenges/signatures, not
to hand back the data that you load into it. You might be able to trick it
into storing your passphrase as part of public key parameters and then
retrieve it with a "request identities" message, but I generally have a bad
feeling about that working now and in the future.
Contrast with gpg-agent which specifically includes the ability to store
and retrieve passphrases.
(FWIW I think there is some way to use gpg-agent as a replacement for
ssh-agent.[2] I've never tried it.)
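For reference, here is a worked example of the kind of vault_password_file script the first message describes, and of the gpg-agent store-and-retrieve ability the last message contrasts with ssh-agent. It is added here and is not the poster's script or any Ansible code. It assumes GnuPG's gpg-connect-agent is on PATH, uses a hypothetical cache id "ansible_vault", and relies on two documented behaviours: Ansible runs an executable vault_password_file and takes its stdout as the passphrase, and gpg-agent's Assuan command GET_PASSPHRASE --data returns a cached passphrase on "D" lines (prompting via pinentry, and caching the answer, only on a cache miss).

```python
#!/usr/bin/env python3
"""vault_password_file script that fetches the Ansible Vault passphrase from gpg-agent.

Example code added to this thread, not the script from the original post.
Ansible executes this file and reads the passphrase from stdout; gpg-agent
keeps the passphrase cached under CACHE_ID for its configured TTL, so pinentry
only appears on a cache miss.
"""
import re
import subprocess
import sys

CACHE_ID = "ansible_vault"            # assumed cache key; any string works
PROMPT = "Ansible+vault+passphrase"   # Assuan percent-plus escaping: '+' is a space

# Assuan data lines percent-escape '%', CR and LF as %25, %0D and %0A.
_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")


def assuan_unescape(data: bytes) -> bytes:
    """Decode Assuan percent-escapes in a D-line payload."""
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def parse_assuan_reply(output: bytes) -> bytes:
    """Extract the passphrase from gpg-connect-agent's reply.

    A successful reply is one or more 'D <payload>' lines followed by 'OK';
    a failure (e.g. the user cancelled pinentry) is an 'ERR <code> <text>' line.
    Several D lines are concatenated; '#' comments and 'S' status lines are skipped.
    """
    payload = b""
    for line in output.splitlines():
        if line.startswith(b"D "):
            payload += assuan_unescape(line[2:])
        elif line.startswith(b"ERR "):
            raise RuntimeError("gpg-agent: " + line[4:].decode("utf-8", "replace"))
        elif line == b"OK" or line.startswith(b"OK "):
            return payload
    raise RuntimeError("gpg-agent: reply ended without OK")


def build_command(cache_id: str = CACHE_ID, prompt: str = PROMPT) -> list:
    """Assemble the gpg-connect-agent invocation.

    'X' in the error_message and prompt positions means "use the default";
    the last argument is the description pinentry shows on a cache miss.
    """
    return ["gpg-connect-agent",
            f"GET_PASSPHRASE --data {cache_id} X X {prompt}",
            "/bye"]


def get_passphrase() -> bytes:
    """Ask gpg-agent for the passphrase (from cache, or via pinentry)."""
    out = subprocess.run(build_command(), check=True,
                         stdout=subprocess.PIPE).stdout
    return parse_assuan_reply(out)


if __name__ == "__main__":
    try:
        passphrase = get_passphrase()
    except (OSError, subprocess.CalledProcessError, RuntimeError) as exc:
        print(f"error: {exc}", file=sys.stderr)
        sys.exit(1)
    # Ansible strips the trailing newline from the script's output.
    sys.stdout.buffer.write(passphrase + b"\n")
```

Make the file executable (Ansible refuses to run a non-executable vault_password_file) and point vault_password_file in ansible.cfg, or --vault-password-file on the command line, at it. gpg-agent's default-cache-ttl and max-cache-ttl settings bound how long the passphrase stays cached, and `gpg-connect-agent 'CLEAR_PASSPHRASE ansible_vault' /bye` flushes it early. The usual agent caveat applies: anything that can talk to your gpg-agent socket can retrieve the cached passphrase, exactly as it could use keys loaded in ssh-agent.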