Hi, I have hit the same issue. It would be really nice to be able to inject an 'ansible vault' password during a play. Whilst I know this can be provided on the command line, this ultimately means writing a wrapper script to obtain the secret and then provide it on the command line to ansible. The option of providing a script (or executable) as the vault password does not help either, as parameters cannot be provided to the script to elicit the desired secret, leaving the user to have to generate a script file from a template in order to be able to feed in the specifics about the secret required. The 'include_vars' task and 'lookup' function recognise that a file is an Ansible Vault and try to decrypt it. This means that there is opportunity in a playbook to insert/inject the secret to unlock the file. This secret could be obtained from any secret management system immediately enabling integration within Ansible from that system.
I have looked through the code and may come back to it in the coming weeks to see if I could hit on an answer, but I am hoping that someone who knows what they are doing can respond/take a look.

On Sunday, June 14, 2020 at 7:01:56 PM UTC+1 Kai Stian Olstad wrote:
> On Sun, May 24, 2020 at 05:27:00PM -0700, FERREIRA CHRISTOPHE wrote:
> > Only option I know is ask-vault-pass environment vars and vault password file
>
> And scripts
> https://github.com/ansible/ansible/blob/stable-2.9/contrib/vault/
>
> --
> Kai Stian Olstad
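On the script route mentioned in the quoted reply: Ansible does pass one parameter to a password script when its filename ends in `-client.py` (invoked as `--vault-id <label>@secret-client.py`, it runs the script with `--vault-id <label>`), so a single script can return a different secret per label. The following is an added example, not code from this thread or from Ansible's contrib/vault scripts; the environment-variable lookup (`VAULT_PASS_<LABEL>`) is an assumed stand-in for a call into a real secret management system.

```python
#!/usr/bin/env python3
"""Ansible vault password client script (added example).

Invoke as:  ansible-playbook --vault-id prod@vault-secret-client.py site.yml
Ansible then runs:  vault-secret-client.py --vault-id prod
and uses the script's stdout (surrounding whitespace stripped) as the vault password.
"""
import argparse
import os
import sys

# Assumed convention for this example: the password for label "prod" is read from
# VAULT_PASS_PROD. Environment variables are only a stand-in here; in practice
# lookup_secret() would query the organisation's secret manager instead.
ENV_PREFIX = "VAULT_PASS_"


def lookup_secret(label: str, env=None) -> str:
    """Return the vault password for `label`, or raise KeyError if none is configured."""
    env = os.environ if env is None else env
    key = ENV_PREFIX + label.upper().replace("-", "_")
    value = env.get(key)
    if not value:
        raise KeyError(f"no vault password found for vault-id '{label}' ({key} is unset)")
    return value


def main(argv=None) -> int:
    parser = argparse.ArgumentParser(description="Ansible vault password client")
    parser.add_argument("--vault-id", required=True, help="label passed in by ansible")
    args = parser.parse_args(argv)
    try:
        password = lookup_secret(args.vault_id)
    except KeyError as exc:
        # Non-zero exit makes ansible abort instead of trying an empty password.
        print(str(exc), file=sys.stderr)
        return 1
    # Only the password goes to stdout; diagnostics must stay on stderr.
    sys.stdout.write(password)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```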
