On Fri, Aug 1, 2014 at 6:37 AM, Michael DeHaan <[email protected]> wrote:

> There's a pull request for direct GPG support in vault as well, that we
> need to evaluate
>
> https://github.com/ansible/ansible/pull/7174
>
> "Luckily, the next major release of Ansible will include the ability for
> vault_password_file to point at a script that will be run to get your
> passphrase."
>
> FYI - I don't remember merging this one.  If we didn't merge that yet, I'm
> not opposed.   Perhaps James did and I didn't notice, but there should be
> instructions added in docs to reference how to use it before this is
> complete.
>
> It may be a case of comparing the two submissions, can you please comment
> on the above pull request?
>
> Thanks!
>

I'm sorry, I don't understand.  What would you like me to comment on the
above pull request for GPG vault file support?  I don't have much to say
about it, as I think this PR to use GPG for encrypting vault files is
orthogonal to my script to use gpg-agent to store your vault passphrase.
What I mean is that the PR you cited introduces a new vault encryption
method, whereas my script will work with any vault encryption method that
respects vault_password_file, including the default AES method and
(apparently) this prospective GPG method.

Of course, if you're actually invoking GPG, as in the above PR, then my
script is probably not necessary as I expect GPG to use gpg-agent directly.
(Though I can't tell if that's working quite right yet in the cited PR.)

Dale



> On Fri, Aug 1, 2014 at 1:48 AM, Dale <[email protected]> wrote:
>
>> Hi Ansible users,
>>
>> I've been trying to use vault lately but I got tired of having to enter
>> my passphrase every time I ran ansible-playbook.  I didn't want to put my
>> passphrase into a file on disk, either.  Luckily, the next major release of
>> Ansible will include the ability for vault_password_file to point at a
>> script that will be run to get your passphrase.[1]  Using this new
>> functionality I wrote a tiny vault_password_file script that reads your
>> passphrase via gpg-agent.  gpg-agent will then cache that passphrase for
>> you (by default) so you won't have to enter it every time you run an
>> Ansible command.
>>
>> I thought others might find this useful.  If so, the script can be found
>> at:
>>
>> https://github.com/dsedivec/ansible-plugins/blob/master/vault_from_gpg_agent.py
>>
>> To reiterate, as of right now I believe this will only work with Ansible
>> from the Git devel branch.
>>
>> If an Ansible maintainer thinks this has a place in some more official
>> repository somewhere I'm happy to make a pull request, just give me a hint
>> where it should go.
>>
>> Regards,
>> Dale
>>
>>
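
A sketch of the kind of vault_password_file script discussed in this thread, added here as an illustration; it is not Dale's script and not part of the original messages. It asks gpg-agent for the passphrase through gpg-connect-agent's GET_PASSPHRASE command and prints it on stdout for Ansible; the cache id, prompt text and function names are assumptions.

```python
#!/usr/bin/env python3
"""vault_password_file helper: fetch the vault passphrase from gpg-agent."""
import subprocess
import sys
from urllib.parse import quote_plus, unquote_to_bytes

CACHE_ID = "ansible-vault:example"  # assumed cache key; use one per vault


def build_command(cache_id, prompt, description):
    """Build the Assuan command line sent to gpg-agent."""
    if not cache_id or any(c.isspace() for c in cache_id):
        raise ValueError("cache id must be a single non-empty token")
    # Prompt strings are percent-plus escaped; "X" keeps the default error text.
    return "GET_PASSPHRASE --data %s X %s %s" % (
        cache_id, quote_plus(prompt), quote_plus(description))


def parse_response(raw):
    """Return the passphrase from an Assuan reply; raise on ERR or cancel."""
    data = b""
    for line in raw.splitlines():
        if line.startswith(b"D "):
            # D lines carry the secret with %, CR and LF percent-escaped.
            data += unquote_to_bytes(line[2:])
        elif line.startswith(b"ERR"):
            raise RuntimeError(line.decode("utf-8", "replace"))
        elif line.startswith(b"OK"):
            return data.decode("utf-8")
    raise RuntimeError("gpg-agent reply ended without OK")


def main():
    cmd = build_command(CACHE_ID, "Passphrase:", "Ansible vault passphrase")
    # The passphrase only travels over the agent socket and this pipe;
    # it is never written to disk or placed in argv.
    raw = subprocess.run(["gpg-connect-agent", cmd, "/bye"],
                         capture_output=True, check=True).stdout
    sys.stdout.write(parse_response(raw) + "\n")


if __name__ == "__main__":
    main()
```

The file has to be executable for Ansible to run it rather than read it as a password. Sending `CLEAR_PASSPHRASE` with the same cache id to gpg-agent drops the cached value before its timeout expires.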
