document problem and work around when needing different passwords#4
Open
tpo wants to merge 1 commit into dsedivec:master from
Conversation
I propose to document the problem and the workaround when using different sets of vaults, each set with its distinct password. Such a situation may arise when maintaining multiple ansible playbooks for different customers, each with a different password.

The proposed workaround is of course a disgusting hack. One improvement to this ugly hack could maybe be to replace `my_path = os.path.realpath(sys.argv[0])` [in line 72](https://github.com/dsedivec/ansible-plugins/blob/826d0eaccc24932217efd3f6d75db4619b6ede4d/vault_from_gpg_agent.py#L72) with `my_path = os.path.abspath(sys.argv[0])`, which would not do symlink resolution and thus allow something like this:

```
ls -l ansible-tools
lrwxrwxrwx 1 user group  6 Nov 12 09:00 vault_from_gpg_agent_customer_1.py -> vault_from_gpg_agent.py
lrwxrwxrwx 1 user group  6 Nov 12 09:00 vault_from_gpg_agent_customer_2.py -> vault_from_gpg_agent.py
lrwxrwxrwx 1 user group  6 Nov 12 09:00 vault_from_gpg_agent_customer_3.py -> vault_from_gpg_agent.py
-rwxr-xr-x 1 user group 78 Nov 12 09:00 vault_from_gpg_agent.py
```

But this also makes me wince, so it's maybe just a *little* improvement.

The real problem IMHO is that [ansible-vault calls the external password script](https://github.com/ansible/ansible/blob/aee7a3ed6809c93a81307466503eec630a343d9e/lib/ansible/parsing/vault/__init__.py#L454) without any parameters whatsoever, and so the password script is completely blind (I mean it doesn't even get to know which `vault-id` is being used!) and thus can't make any intelligent decision. So maybe the right (and heroic) thing to do would be to move the discussion upstream and have the problem fixed there for good and for real by having `ansible-vault` pass all the necessary context to the external password script?
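The symlink trick above, as an added example (not code from this PR or from the vault_from_gpg_agent.py plugin): because ansible-vault passes the password script no arguments, the only per-vault context the script has is the name it was invoked under, and `os.path.realpath` erases that name while `os.path.abspath` keeps it. The naming pattern `vault_from_gpg_agent_<tag>.py` and the temporary directory layout are assumptions constructed here.

```python
import os
import re
import tempfile

# Assumed convention (not the project's): per-customer symlinks named
# vault_from_gpg_agent_<tag>.py all point at the one real script.
NAME_RE = re.compile(r"^vault_from_gpg_agent_(?P<tag>[A-Za-z0-9_-]+)\.py$")


def vault_tag(argv0, resolve_symlinks):
    """Return the per-vault tag encoded in the invoked script name, or None.

    resolve_symlinks=True mirrors os.path.realpath(sys.argv[0]) from the
    plugin: every symlink collapses to the real file and the tag is lost.
    resolve_symlinks=False mirrors os.path.abspath(sys.argv[0]): the name
    the caller used survives, so the tag can select a password.
    """
    path = os.path.realpath(argv0) if resolve_symlinks else os.path.abspath(argv0)
    m = NAME_RE.match(os.path.basename(path))
    return m.group("tag") if m else None


def demo(tmpdir=None):
    """Build the constructed symlink layout from the PR description and
    return {invoked name: (tag via realpath, tag via abspath)}."""
    if tmpdir is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(d)
    real = os.path.join(tmpdir, "vault_from_gpg_agent.py")
    with open(real, "w") as f:
        f.write("#!/usr/bin/env python3\n")  # stand-in for the real script body
    links = ["vault_from_gpg_agent_customer_%d.py" % i for i in (1, 2, 3)]
    for name in links:
        os.symlink("vault_from_gpg_agent.py", os.path.join(tmpdir, name))
    out = {}
    for name in links + ["vault_from_gpg_agent.py"]:
        argv0 = os.path.join(tmpdir, name)
        out[name] = (vault_tag(argv0, True), vault_tag(argv0, False))
    return out


if __name__ == "__main__":
    for name, (via_real, via_abs) in demo().items():
        print("%-36s realpath->%-12s abspath->%s" % (name, via_real, via_abs))
```

Run it on a filesystem that supports symlinks; with realpath every customer link reports no tag, with abspath each link yields its own tag and the real script yields none.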