Specifically .. to audit and update passwords in the local vault from the 1pw vault for
ansible, and then use pass to produce the password when needed. If the env var
ANSIBLE_VAULT_PASSWORD_FILE points at an executable .. Ansible executes it and takes
STDOUT as the password .. so the pw is stored encrypted in pass at rest. Very
convenient.
#!/bin/bash
# Sync each environment's Ansible vault password from 1Password into pass.
# Expects ENVS, OP_EXE, PASS_EXE and PASS_STORE to already be set.
for env in ${ENVS}; do
    echo " - checking ${env}"
    # get password from onepassword (-r: raw string, no surrounding quotes)
    op_vault_pw=$( "${OP_EXE}" get item "${env}_ansible_vault" | jq -r '.details.password' )
    # test for existence and pull and validate
    if [[ -d "${PASS_STORE}" && \
          -d "${PASS_STORE}/${env}" && \
          -f "${PASS_STORE}/${env}/ansible_vault_password.gpg" ]]; then
        pass_vault_pw=$( "${PASS_EXE}" show "${env}/ansible_vault_password" )
    fi
    # write if needing update
    if [[ -z "${pass_vault_pw}" || "${op_vault_pw}" != "${pass_vault_pw}" ]]; then
        echo " - updating ${env}/ansible_vault_password password from one password"
        # -e: read a single line from stdin with no confirmation prompt; -f: overwrite
        printf '%s' "${op_vault_pw}" | "${PASS_EXE}" insert -e -f "${env}/ansible_vault_password"
    fi
    unset op_vault_pw
    unset pass_vault_pw
done
ANSIBLE_VAULT_PASSWORD_FILE ...
> cat bin/ansible_vault_password
#! /bin/sh
# use pass to determine password for this env and return it on stdout
: "${ENV:?ENV must be set to the environment name}"
pass show "${ENV}/ansible_vault_password"
Where I got tripped up is that I forgot the -e on the 'pass insert' line .. but didn't
get an error. Hope this makes it more clear.
- b
branson matheson
[email protected]
> On Feb 5, 2020, at 07:36, [email protected] wrote:
>
> On 05.02.20 at 00:00, branson matheson wrote:
>> Ran into an issue where
>>
>> echo "password" | pass insert foo/bar/baz
>
> Just out of curiosity, what is your use case for that command instead of:
>
> pass generate -i foo/bar/baz
>
> Cheers,
> _______________________________________________
> Password-Store mailing list
> [email protected]
> https://lists.zx2c4.com/mailman/listinfo/password-store
_______________________________________________
Password-Store mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/password-store
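The sync-and-helper pattern from the post above, as an added example that is not part of the original mail or of pass, op or Ansible. `op` is never called and `pass` is replaced by a constructed stub that prints plaintext files, so everything runs offline; the directory layout, the function names and the stub are assumptions. It shows the update decision the loop makes, writes the helper that ANSIBLE_VAULT_PASSWORD_FILE points at, and runs the checks worth doing before handing it to Ansible: the file must be executable (Ansible runs an executable and takes its stdout, but reads a non-executable file's contents verbatim as the vault password) and should not be readable by group or other.

```shell
#!/bin/sh
# Added example, not code from the original post. `op` is never called and
# `pass` is replaced by a constructed stub, so everything here runs offline.

# needs_update SOURCE STORED
# True (exit 0) when the entry in pass is missing or differs from the value
# fetched from 1Password, i.e. when the sync loop should run
# `pass insert -e -f`.
needs_update() {
    [ -z "$2" ] || [ "$1" != "$2" ]
}

# install_vault_helper DIR
# Write DIR/bin/ansible_vault_password (the script ANSIBLE_VAULT_PASSWORD_FILE
# points at), make it executable and print its path. Ansible only executes
# the file when it is executable; a non-executable file is read verbatim as
# the vault password, which is why the chmod matters.
install_vault_helper() {
    mkdir -p "$1/bin"
    cat > "$1/bin/ansible_vault_password" <<'EOF'
#!/bin/sh
# use pass to determine the password for this env and return it on stdout
: "${ENV:?set ENV to the environment name, e.g. ENV=prod}"
exec pass show "${ENV}/ansible_vault_password"
EOF
    chmod 0700 "$1/bin/ansible_vault_password"
    printf '%s\n' "$1/bin/ansible_vault_password"
}

# check_vault_helper PATH
# Pre-flight checks before exporting ANSIBLE_VAULT_PASSWORD_FILE=PATH:
# the file must exist, be executable, and not be accessible by group/other.
check_vault_helper() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    [ -x "$1" ] || { echo "not executable (Ansible would use its text as the password): $1" >&2; return 1; }
    case "$(ls -ld "$1" | cut -c5-10)" in
        *[rwx]*) echo "group/other can access: $1" >&2; return 1 ;;
    esac
    return 0
}

# run_helper_with_stub DIR ENVNAME
# Exercise the helper the way Ansible would: execute it with ENV set and
# capture stdout. The `pass` on PATH is a constructed stub that prints
# DIR/store/<name> instead of decrypting a real store; the password it
# serves is "<ENVNAME>-secret", also constructed.
run_helper_with_stub() {
    dir=$1
    envname=$2
    mkdir -p "$dir/stub" "$dir/store/$envname"
    printf '%s\n' "${envname}-secret" > "$dir/store/$envname/ansible_vault_password"
    cat > "$dir/stub/pass" <<EOF
#!/bin/sh
# constructed stand-in for pass: "pass show NAME" prints the stored value
[ "\$1" = show ] || exit 2
cat "$dir/store/\$2"
EOF
    chmod 0700 "$dir/stub/pass"
    helper=$(install_vault_helper "$dir")
    check_vault_helper "$helper" || return 1
    ENV="$envname" PATH="$dir/stub:$PATH" "$helper"
}

# Stand-alone demo: decide whether a sync is needed, then run the helper.
workdir=$(mktemp -d)
if needs_update "value-from-op" ""; then
    echo "prod entry missing in pass: the loop would run 'pass insert -e -f'"
fi
printf 'helper returned: %s\n' "$(run_helper_with_stub "$workdir" prod)"
rm -rf "$workdir"
```

The helper uses `exec pass show` so the only thing on stdout is what pass prints; anything else written there (a debug echo, a login banner) would become part of the vault password. Run `check_vault_helper` after any copy or checkout of the script, since a lost executable bit silently turns the script text into the password Ansible tries.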