Re: [ansible-devel] Why not environment variable to store vault secrets ?

2020-01-22 Thread Fess Mage

>
> That's pretty much it: we don't want to encourage folks to store passwords 
> in environment variables. 
>

The question is - why? Obviously an env var is more secure than a plain text 
file, which is the current default for Ansible. Of course it's not the best 
available option, but still - better than now.

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-devel+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-devel/824533da-c90a-4a84-b5a4-7ff301d5d09a%40googlegroups.com.


Re: [ansible-devel] Why not environment variable to store vault secrets ?

2019-11-12 Thread Sam Doran
Gabriel,

> Maybe the developers fear that some users could do things like:
> export VAULT_PASSWORD="MYPASSWORD"
> ansible-playbook ...
> 
> which is of course a bad idea because the password is written in shell 
> history... 

That's pretty much it: we don't want to encourage folks to store passwords in 
environment variables.

---

Sam

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-devel/96342B07-6229-4C48-AE3C-1E1122E84639%40redhat.com.


[ansible-devel] Why not environment variable to store vault secrets ?

2019-11-05 Thread Gabriel Lewertowski
Hi !

I wrote the PR 64383 to add 
an option for using the environment to store vault secrets. The PR was 
rejected; I would like to know more about why storing secrets in the 
environment is discouraged. 

If the variable is exported, it's of course not completely safe, as it 
allows processes to read the password in */proc/$PID/environ*... but it can 
be prevented with AppArmor/SELinux. Anyway, storing secrets in cleartext 
files as is currently recommended is not safe either.
My idea was that with this feature, it would be possible to do:

read VAULT_PASSWORD
VAULT_PASSWORD=$VAULT_PASSWORD ansible-playbook ... --vault-password-env "VAULT_PASSWORD"

Nothing stays in the environment, nor in shell history, nor in cleartext 
file...

Maybe the developers fear that some users could do things like:
export VAULT_PASSWORD="MYPASSWORD"
ansible-playbook ...

which is of course a bad idea because the password is written in shell 
history... 

bcoca, who reviewed the PR, says it's achievable by using a vault script 
which reads the environment. This is true... but obviously more "hackish": 
you and all those using the playbook must store the script, all must always 
use the same name for the variable, and you have to store the variable 
in the environment, which is less safe than the behavior with "read 
VAULT_PASSWORD; VAULT_PASSWORD=$VAULT_PASSWORD ansible-playbook ..."  

Thanks !
GL

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-devel/0319708a-aa02-45ea-9e96-7f30d5fad986%40googlegroups.com.
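The "vault script which reads the environment" that bcoca suggested, written out as an added example (it is not Ansible's code nor anything from the thread). Ansible runs an executable passed to --vault-password-file and takes the password from its stdout; this script reads it from an environment variable instead of a cleartext file. The script name vault-pass-from-env.sh, the default variable name VAULT_PASSWORD and the VAULT_PASS_VAR_NAME override are assumptions.

```shell
#!/bin/sh
# vault-pass-from-env.sh (assumed name): a vault password script for Ansible.
# Ansible treats an executable given to --vault-password-file as a script and
# uses its stdout as the vault password, so the secret never sits in a file.
#
# Intended use (VAULT_PASSWORD is an assumed variable name):
#   stty -echo; read VAULT_PASSWORD; stty echo
#   VAULT_PASSWORD="$VAULT_PASSWORD" \
#     ansible-playbook --vault-password-file ./vault-pass-from-env.sh site.yml
# The password is passed only to that one ansible-playbook process, so it does
# not reach the shell history; as the thread notes, it is still readable in
# /proc/<pid>/environ of that process and of this script by the same user.

# Print the value of the variable named in $1 (default: VAULT_PASSWORD).
# Exit status: 0 on success, 1 if the variable is unset or empty, 2 if the
# name is not a plain identifier (this guards the eval below against
# shell metacharacters smuggled in through the name).
vault_pass_from_env() {
    name="${1:-VAULT_PASSWORD}"
    case "$name" in
        '' | [0-9]* | *[!A-Za-z0-9_]*)
            echo "vault-pass-from-env: invalid variable name '$name'" >&2
            return 2 ;;
    esac
    # Indirect expansion in POSIX sh; safe only because $name was validated.
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
        echo "vault-pass-from-env: $name is not set or is empty" >&2
        return 1
    fi
    printf '%s\n' "$value"
}

# Behave as the password script only when executed under that name, so the
# function can also be sourced. VAULT_PASS_VAR_NAME (assumed) optionally picks
# a different variable, mirroring the --vault-password-env NAME idea of the PR.
if [ "${0##*/}" = "vault-pass-from-env.sh" ]; then
    vault_pass_from_env "$VAULT_PASS_VAR_NAME"
fi
```

Everyone running the playbook still needs the script and must agree on the variable name, which is exactly the "hackish" part Gabriel describes.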