Michael,

That's pretty much exactly what I would want it to do. I currently do my 
own poor man's vault by running a bash file which encrypts a folder where 
all the lookup passwords are generated to. The vault as is isn't really 
useful for me since all my passwords are generated per server. Is this not 
a common thing? Would you have a different recommendation for how to manage 
passwords in general? 

On Thursday, February 20, 2014 8:27:41 AM UTC-5, Michael DeHaan wrote:
>
> Just a minor process note -- It's often troublesome to have a discussion 
> about a feature on GitHub because fewer people are there to read a ticket. 
> I'd much prefer we discuss feature ideas here, for most major things, 
> since that allows greater discussion, and search is also better.  
>
> That all being said, the basics here are that vault is designed to encrypt 
> and decrypt YAML data files -- which, since Ansible is data driven, is 
> mostly everything.
>
> By contrast, the password lookup plugin is a clever tool, but it's a hack 
> and architecturally wrong for this solution, and it was not intended to 
> keep files in version control.
>
> The "random password per server" approach works on writing little stub 
> files text here and there and I can see it being possible for, if 
> --ask-vault-pass was set, and I can see this approach being fiddly.  We're 
> unlikely to want to implement this though, because the random password 
> generator bits are not designed to keep all the data in one file -- it was 
> an interesting plugin, but probably not implemented the way you want.
>
> What you'd propose here I think is better served by keeping a file in a 
> configurable location, like
>
> {{ lookup("password2", "password.yml", "mysql/" + inventory_hostname) }}
>
> Which would store a key "mysql__{{inventory_hostname}}" in a YAML file.
>
> Basically a rearchitected alternative to the password plugin.
>
> where it would write a random password into password.yml under some_key 
> and then encrypt and decrypt as needed using --ask-vault-pass.
>
> This is going to be out of scope for 1.5, and we're going to want to move 
> on rather than build this for you, but if someone wants to implement this 
> to the above suggested spec, I think it would be pretty interesting and 
> useful.
>
> On Wed, Feb 19, 2014 at 9:58 PM, James Tanner <tann...@gmail.com> wrote:
>
>>  On 02/19/2014 02:01 PM, giulianob wrote:
>>  
>> Will this work with lookup so if it generates a pass its stored in the 
>> vault automatically? 
>>
>>  (I asked this in the official post but didn't see my comment.)
>>
>> On Wednesday, February 19, 2014 1:20:34 PM UTC-5, James Tanner wrote: 
>>>
>>> We just merged a new feature called "Ansible Vault" to devel (1.5). 
>>> Please read through Michael DeHaan's blog post about the tools for basic 
>>> usage: 
>>>
>>>  http://blog.ansibleworks.com/2014/02/19/ansible-vault/
>>>  
>>>  Follow the typical bug reporting process for any issues you may find.
>>>
>>>  Other notes:
>>>
>>>  1) The default encryption cipher is AES, but the framework is 
>>> "pluggable" to encourage community contribution for other cipher methods.
>>>
>>>  2) All files used for a single playbook must be encrypted with the 
>>> same password.
>>>  
>>>  
>>>  Please test away!
>>>
>>>    -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to ansible-proje...@googlegroups.com.
>> To post to this group, send email to ansible...@googlegroups.com.
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>>
>> There is no integration with lookup plugins at the moment. If you have a 
>> specific workflow or an example in mind, file a feature request on GitHub 
>> and we can consider it for later releases.
>>  
>>
>
>
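
The get-or-create behaviour of the `password2` lookup proposed in the quoted reply, as an added example that is not part of this thread or of Ansible. The function names, the flat `key: value` file layout and the sample hostnames are assumptions, and the vault encrypt/decrypt step around the read and write is left out, so the file here is plaintext.

```python
import os
import secrets
import string
import tempfile

ALPHABET = string.ascii_letters + string.digits  # nothing that needs YAML quoting


def store_key(term):
    """Map a lookup term such as 'mysql/db1.example.com' to 'mysql__db1.example.com'."""
    service, sep, host = term.partition("/")
    if not (sep and service and host) or any(c in term.replace("/", "", 1) for c in "/: \n"):
        raise ValueError("term must look like 'service/hostname'")
    return f"{service}__{host}"


def load(path):
    """Read the flat 'key: value' mapping; a missing file is an empty store."""
    entries = {}
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            for line in fh:
                if line.strip() and not line.startswith("#"):
                    key, _, value = line.rstrip("\n").partition(": ")
                    entries[key] = value
    return entries


def save(path, entries):
    """Write an owner-only temp file (mkstemp creates it 0600), then rename it over the store."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        for key in sorted(entries):
            fh.write(f"{key}: {entries[key]}\n")
    os.replace(tmp, path)


def lookup_password(path, term, length=20):
    """Return the stored password for term, generating and persisting it on first use."""
    key = store_key(term)
    entries = load(path)
    if key not in entries:
        # Leading letter keeps the value from being read back as a YAML number.
        entries[key] = secrets.choice(string.ascii_letters) + "".join(
            secrets.choice(ALPHABET) for _ in range(length - 1))
        save(path, entries)
    return entries[key]
```

Repeated calls with the same term return the same password, which is what lets a playbook be re-run without rotating credentials on every host.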
