This is a really bad interface that IMO shouldn't even be there. It is incredibly easy to misuse and seems like a really complicated feature which seems to exist for the purpose of not adding a simple and easy-to-use feature.
On Thu, Sep 17, 2020 at 2:47 PM Matt Martz <m...@sivel.net> wrote:

> You have to make the script executable, otherwise it's just a random file that is read.
>
> If you make it executable, ansible will execute it, and take the password from stdout of the script.
>
> On Thu, Sep 17, 2020 at 4:46 PM 'Luke Schlather' via Ansible Development <ansible-devel@googlegroups.com> wrote:
>
>> Wait, I think the advice in https://github.com/ansible/ansible/issues/45214#issuecomment-502300660 is flat-out wrong. Ansible doesn't evaluate the bash, it just uses the script as the password. That is really dangerous to have that given out as "the way to do it." People will think it's right and end up basically using no password.
>>
>> There is an obvious workaround that involves writing the password to a temp file, but again, this makes the entire system less secure.
>>
>> On Wed, Sep 16, 2020 at 7:04 AM f.floimai...@gmail.com <f.floimair.comm...@gmail.com> wrote:
>>
>>> Fully agree with you!
>>>
>>> It's a pity that this isn't supported via environment variable.
>>>
>>> Also in the linked issue it is very well argued why the "workaround" is way more unsafe and violates more rules than the environment variable would.
>>>
>>> *FLORIAN FLOIMAIR*
>>> Software Development - IMS
>>> Commend International GmbH
>>> Saalachstrasse 51
>>> 5020 Salzburg, Austria
>>> *commend.com <http://commend.com>*
>>> LG Salzburg / FN 178618z
>>>
>>> luke.sc...@strivr.com wrote on Wednesday, 16 September 2020 at 00:32:32 UTC+2:
>>>
>>>> It's a secure workaround - it is annoying though. And it adds complexity to a very common use case.
>>>>
>>>> On Tue, Sep 15, 2020 at 3:04 PM Matt Martz <ma...@sivel.net> wrote:
>>>>
>>>>> Follow the advice in https://github.com/ansible/ansible/issues/45214#issuecomment-502300660
>>>>>
>>>>> On Tue, Sep 15, 2020 at 4:45 PM 'Luke Schlather' via Ansible Development <ansibl...@googlegroups.com> wrote:
>>>>>
>>>>>> I'm trying to figure out what the best way to provide a vault password for a CI process is. My organization uses Azure DevOps, where it is standard to create a secret environment variable, and make that available to the agent which runs my Ansible playbooks. This is also common to other CI systems I have used such as GitLab, Bamboo, Jenkins, and GitHub Actions.
>>>>>>
>>>>>> I found this issue <https://github.com/ansible/ansible/issues/45214> in which someone claimed that it was insecure to store secrets in environment variables and used that as justification for closing the ticket - however in the typical access pattern this makes my CI pipeline less secure, since I still provide the secret as an environment variable - but now Ansible also forces me to write the secret to disk, introducing another set of vulnerabilities to my application (especially since the agent may be running on shared hardware.)
>>>>>>
>>>>>> Environment variables seem like the industry-standard mechanism in CI for sharing secrets with an agent process to run things like Ansible playbooks. It's perplexing that Ansible has chosen not to support this. There is a workaround, but it's very frustrating that the workaround actually decreases the security of the system relative to the straightforward solution of Ansible simply expecting a standard environment variable for the password.
>>>>>>
>>>>>> I'm rather perplexed and frustrated by the decision to close https://github.com/ansible/ansible/issues/45214
>>>>>
>>>>> --
>>>>> Matt Martz
>>>>> @sivel
>>>>> sivel.net
>>>>
>>>> --
>>>> Luke Schlather
>>>> Devops and Deployment Engineer
>>
>> --
>> Luke Schlather
>> Devops and Deployment Engineer
>
> --
> Matt Martz
> @sivel
> sivel.net

--
Luke Schlather
Devops and Deployment Engineer

--
You received this message because you are subscribed to the Google Groups "Ansible Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-devel+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-devel/CAPq7tpNy0kj38m5cSu5En%3DfaRgS2UqGWbSnubB5ZsmXPCzmiSQ%40mail.gmail.com.
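The behaviour Matt describes (an executable `--vault-password-file` is run and its stdout is the password; a non-executable one is read verbatim as the password) as an added example, not code from the thread or from Ansible: a helper that bridges a CI secret held in an environment variable to the vault-password-file interface, plus a pre-flight check that refuses the non-executable mistake before `ansible-playbook` is invoked. The variable name `ANSIBLE_VAULT_PASSWORD` and both function names are assumptions.

```shell
# Added example, not from the thread or from Ansible. Writes a small vault
# password script to the path given as $1 and marks it executable, so that
# Ansible runs it and takes the password from its stdout. The script prints
# the ANSIBLE_VAULT_PASSWORD environment variable (an assumed name) and
# fails loudly if that variable is unset or empty, so a misconfigured CI job
# errors out instead of decrypting with an empty password.
write_vault_pass_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
: "${ANSIBLE_VAULT_PASSWORD:?ANSIBLE_VAULT_PASSWORD is not set}"
printf '%s' "$ANSIBLE_VAULT_PASSWORD"
EOF
    chmod 0700 "$1"
}

# Pre-flight check for the failure mode discussed in the thread: if the file
# is not executable, Ansible reads the script's source text as the literal
# password. Returns 0 only when the file is executable and, when run in the
# current environment, produces a non-empty password.
check_vault_pass_script() {
    f="$1"
    if [ ! -x "$f" ]; then
        echo "refusing: $f is not executable; its contents would be used as the vault password" >&2
        return 1
    fi
    out=$("$f") || return 1
    if [ -z "$out" ]; then
        echo "refusing: $f printed an empty password" >&2
        return 1
    fi
    return 0
}

# Typical CI usage (ANSIBLE_VAULT_PASSWORD injected by the CI system):
#   write_vault_pass_script ./vault-pass.sh
#   check_vault_pass_script ./vault-pass.sh && \
#       ansible-playbook --vault-password-file ./vault-pass.sh site.yml
```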