Hi !

I wrote the PR 64383 <https://github.com/ansible/ansible/pull/64383> to add 
an option for using environment to store vault secrets. The PR was 
rejected, I would like to know more about why storing secrets in 
environment is discouraged. 

If the variable is exported, it's of course not completely safe, as it 
allows processes to read the password in */proc/$PID/environ*... but it can 
be prevented with AppArmor/Selinux. Anyway, storing secrets in cleartext 
files as it is currently recommended is not safe either.
My idea was that with this feature, it would be possible to do :

VAULT_PASSWORD=$VAULT_PASSWORD ansible-playbook ... --vault-password-env 

Nothing stays in the environment, nor in shell history, nor in cleartext 

Maybe the developpers fear that some users could do things like :
ansible-playbook ...

which is of course a bad idea because the password is written in shell 

bcoca who reviewed the PR says it's achievable by using a vault script 
which reads the environment, this is true... but obviously more "hackish" : 
you and all those using the playbook must store the script, all must always 
use the same name for the the variable. and you have to store the variable 
in the environment, which is less safe than the behavior with "read 

Thanks !

You received this message because you are subscribed to the Google Groups 
"Ansible Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-devel+unsubscr...@googlegroups.com.
To view this discussion on the web visit 

Reply via email to