using Ansible-Vault vars to run local bash scripts

Hi,

I have a bash script that I would like to run locally using the Ansible shell module; the problem is that I want to use some encrypted variables from Ansible-Vault in that bash script, but I think, for security reasons, ansible-vault variables are not rendered from the shell module…

Is there a better approach for what I want ?

Please advise…

Regards,
N.

Hi Nicolas

Just a couple of suggestions that spring to mind:

You could pass in the vars as environment variables, although these do unfortunately get exposed in syslog and console output.

Alternatively you could maybe write them to files on the target host (be it localhost or another host) with tight permissions and remove afterwards?

Regards
Tom

Thanks for the reply Tom, but both of your suggestions don’t really help with the security concerns. It would be simpler to just hardcode the values in the script this way.

The approach I’m looking for is to use the ansible-vault variables on the fly with the script and, after the execution step, to not leave any traces.

Thanks again,
N.

You can have a template action that generates the script with the vaulted info, also you can use no_log to prevent info from appearing in the logs.
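One way to put that suggestion together, as an added example that is not from the original thread or from Ansible's own documentation: render the script from a template into a private temporary file, run it with no_log so neither the rendered content nor the command shows up in output, and delete it in an always block so nothing is left on disk. It assumes Ansible 2.3 or later (block/always and the tempfile module), a vaulted variable named db_password in vault.yml, and a template run_job.sh.j2; all of those names are assumptions.

```yaml
# Added example, not from the thread. Assumes vault.yml (ansible-vault encrypted)
# defines db_password, and run_job.sh.j2 references it as {{ db_password }}.
- hosts: localhost
  connection: local
  vars_files:
    - vault.yml
  tasks:
    - block:
        - name: Create a private temp file for the rendered script
          tempfile:
            state: file
            suffix: .sh
          register: script_file
          no_log: true

        - name: Render the script with the vaulted value baked in
          template:
            src: run_job.sh.j2
            dest: "{{ script_file.path }}"
            mode: '0600'           # readable only by the running user
          no_log: true             # keeps the rendered content out of output

        - name: Run the script without passing the secret as an argument or env var
          command: "/bin/bash {{ script_file.path }}"
          no_log: true             # the path is the only thing on the command line
      always:
        - name: Remove the rendered script so no copy is left behind
          file:
            path: "{{ script_file.path }}"
            state: absent
          when: script_file.path is defined
```

The secret only ever lives in the mode-0600 file for the duration of the block; because the command line carries just the file path, the logging gap Tom describes for arguments and environment variables does not expose it.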

Hi Brian

As per a recent post of mine, no_log does not prevent the command arguments nor environment variables from showing up in log output despite documentation alluding to this.

Regards
Tom

Hi Nicolas

I’m not sure why depositing the secrets into a file alongside the script would be any less secure than hardcoding them in the script?

Tom

Tom, environment variables should not be covered by no_log but command arguments should.

I am using 1.8.2 which appears to be exposing the entire command, args and all, when no_log is set to true. See https://groups.google.com/d/msg/ansible-project/ypVNNST6Gb8/n7ER3RY200AJ

This is probably a regression?

Regards
Tom

That’s what I wanted to say Tom, depositing the secrets into a file alongside the script is the same thing as having them hardcoded in the script… which in both cases I want to avoid…

Regards,
N.