Inventory has a better failure mode though. If you forget to set the
executable bit on your inventory plugin, your playbook is almost certain to
fail. Even if it succeeds, you will probably notice nothing happened. If
you forget to set the executable bit on a vault password plugin, the plugin
On 9/17/20 3:52 PM, 'Luke Schlather' via Ansible Development wrote:
At the least, the overloading of --vault-password-file seems wrong.
There should be a separate option --vault-password-script. (Though
again, this seems like a very complicated way to avoid adding a
simpler feature that would
At the least, the overloading of --vault-password-file seems wrong. There
should be a separate option --vault-password-script. (Though again, this
seems like a very complicated way to avoid adding a simpler feature that
would be better and easier to use.)
On Thu, Sep 17, 2020 at 2:50 PM Luke
This is a really bad interface that IMO shouldn't even be there. It is
incredibly easy to misuse and seems really complicated feature which seems
to exist for the purpose of not adding a simple and easy-to-use feature.
On Thu, Sep 17, 2020 at 2:47 PM Matt Martz wrote:
> You have to make the
You have to make the script executable, otherwise it's just a random file
that is read.
If you make it executable, ansible will execute it, and take the password
from stdout of the script.
On Thu, Sep 17, 2020 at 4:46 PM 'Luke Schlather' via Ansible Development <
ansible-devel@googlegroups.com>
Wait, I think the advice in
https://github.com/ansible/ansible/issues/45214#issuecomment-502300660 is
flat-out wrong. Ansible doesn't evaluate the bash, it just uses the script
as the password. That is really dangerous to have that given out as "the
way to do it." People will think it's right and
Fully agree with you!
It’s a pity that this isn’t supported via environment variable.
Also in the linked issue it is very well argued why the “workaround” is way
more unsafe and violates more rules than the environment variable would.
*FLORIAN FLOIMAIR*
Software Development - IMS
It's a secure workaround - it is annoying though. And it adds complexity to
a very common use case.
On Tue, Sep 15, 2020 at 3:04 PM Matt Martz wrote:
> Follow the advice in
> https://github.com/ansible/ansible/issues/45214#issuecomment-502300660
>
> On Tue, Sep 15, 2020 at 4:45 PM 'Luke
Follow the advice in
https://github.com/ansible/ansible/issues/45214#issuecomment-502300660
On Tue, Sep 15, 2020 at 4:45 PM 'Luke Schlather' via Ansible Development <
ansible-devel@googlegroups.com> wrote:
> I'm trying to figure out what the best way to provide a vault password for
> a CI
I'm trying to figure out what the best way to provide a vault password for
a CI process is. My organization uses Azure Devops, where it is standard to
create a secret environment variable, and make that available to the agent
which runs my Ansible playbooks. This is also common to other CI
10 matches
Mail list logo