Hi !
I wrote the PR 64383 to add an option for using environment to store vault secrets. The PR was rejected, I would like to know more about why storing secrets in environment is discouraged.
If the variable is exported, it’s of course not completely safe, as it allows processes to read the password in /proc/$PID/environ… but it can be prevented with AppArmor/Selinux. Anyway, storing secrets in cleartext files as it is currently recommended is not safe either.
My idea was that with this feature, it would be possible to do :
read VAULT_PASSWORD
VAULT_PASSWORD=$VAULT_PASSWORD ansible-playbook … --vault-password-env “VAULT_PASSWORD”
Nothing stays in the environment, nor in shell history, nor in cleartext file…
Maybe the developpers fear that some users could do things like :
export VAULT_PASSWORD=“MYPASSWORD”
ansible-playbook …
which is of course a bad idea because the password is written in shell history…
bcoca who reviewed the PR says it’s achievable by using a vault script which reads the environment, this is true… but obviously more “hackish” : you and all those using the playbook must store the script, all must always use the same name for the the variable. and you have to store the variable in the environment, which is less safe than the behavior with “read VAULT_PASSWORD; VAULT_PASSWORD=$VAULT_PASSWORD ansible-playbook …”
Thanks !
GL