An option would be to use gpg-agent. Depending on your setup that might automagically unlock when you sign in to the computer you use to run ansible playbooks. For example I know that on macOS you can store the gpg password in the OS' keychain.
On Sun, 27 Mar 2022 at 16:17, R Batchen <[email protected]> wrote:
>
> I have tried using the gpg script works amazing BUT - the gpg file asks
> randomly the password again and again so I cannot really rely on that.
> I used like this:
>
> gpg-wrapper.sh -
> #!/bin/sh
> VAULT_PW_FILENAME="/base/vaults/vault.gpg"
> gpg --quiet --batch --use-agent --decrypt "$VAULT_PW_FILENAME"
>
> ansible.cfg -
> vault_password_file = /base/vaults/gpg-wrapper.sh
>
>
> encrypted like this:
> gpg --quiet --batch --use-agent --decrypt vault
>
>
> On Tuesday, 22 March 2022 at 13:16:01 UTC+2, [email protected] wrote:
>>
>> On 22/03/2022 12:05, R Batchen wrote:
>> > Hey,
>> > I don't understand how ansible vault is safe if I want to use in a script
>> > I need to give ansible
>> > the file where the password is saved in plain text.. so I don't get it
>> >
>> > I do get it being safe if I do a prompts for the password with
>> > --ask-vault-pass
>> > but when I point to ansible using --vault-password-file or export global
>> > variable with pass it is saved on the system\file as plain text
>> >
>> > What am I missing?
>>
>> You can use a GPG encrypted password file with a wrapper script.
>>
>> Regards
>> Racke
>>
>> >
>> > Thanks!
>> >
>> > --
>> > You received this message because you are subscribed to the Google Groups
>> > "Ansible Project" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to [email protected]
>> > <mailto:[email protected]>.
>> > To view this discussion on the web visit
>> > https://groups.google.com/d/msgid/ansible-project/4ae3f1e6-f4c0-4214-b0a4-d2c5208dcfd6n%40googlegroups.com
>> > <https://groups.google.com/d/msgid/ansible-project/4ae3f1e6-f4c0-4214-b0a4-d2c5208dcfd6n%40googlegroups.com?utm_medium=email&utm_source=footer>.
>>
>>
>> --
>> Automation expert - Ansible and friends
>> Linux administrator & Debian maintainer
>> Perl Dancer & conference hopper
>>

--
Dick Visser
Senior Trust & Identity Infrastructure Architect
GÉANT
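
As an added example (not code from the thread or from the Ansible project), here is a variant of the wrapper script discussed above that fails at once instead of prompting when it runs unattended and the agent cache has expired. `VAULT_UNATTENDED` and the function names are hypothetical, and `--pinentry-mode` assumes GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example: hardened variant of the thread's gpg-wrapper.sh.
# VAULT_UNATTENDED and the function names are hypothetical.
#
# How long gpg-agent keeps the passphrase cached is set in
# ~/.gnupg/gpg-agent.conf (values in seconds):
#   default-cache-ttl 600    # expiry after last use (GnuPG default)
#   max-cache-ttl 7200       # hard expiry (GnuPG default)

VAULT_PW_FILENAME="${VAULT_PW_FILENAME:-/base/vaults/vault.gpg}"

# Succeed only if the file exists and group/other have no access bits.
check_pw_file() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "too permissive: $1" >&2; return 1; }
}

# Print the gpg options for the given mode (1 = unattended).
# In unattended mode (cron, CI) gpg fails at once when the agent cache
# is cold instead of waiting on a pinentry dialog.
gpg_opts() {
    if [ "$1" = "1" ]; then
        echo "--quiet --batch --use-agent --pinentry-mode error"
    else
        echo "--quiet --batch --use-agent"
    fi
}

main() {
    check_pw_file "$VAULT_PW_FILENAME" || exit 1
    # Word splitting of the option string is intended here.
    # shellcheck disable=SC2046
    gpg $(gpg_opts "${VAULT_UNATTENDED:-0}") --decrypt "$VAULT_PW_FILENAME"
}

# Run only when invoked under its own name, so the functions can be sourced.
case "$0" in
    *gpg-wrapper.sh) main ;;
esac
```

A non-zero exit from the script makes Ansible abort with a vault password error, which is easier to detect in a scheduled job than a run that hangs on a passphrase prompt.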
