Follow the advice in https://github.com/ansible/ansible/issues/45214#issuecomment-502300660
On Tue, Sep 15, 2020 at 4:45 PM 'Luke Schlather' via Ansible Development <[email protected]> wrote:

> I'm trying to figure out what the best way to provide a vault password for a CI process is. My organization uses Azure DevOps, where it is standard to create a secret environment variable and make that available to the agent which runs my Ansible playbooks. This is also common to other CI systems I have used such as GitLab, Bamboo, Jenkins, and GitHub Actions.
>
> I found this issue <https://github.com/ansible/ansible/issues/45214> in which someone claimed that it was insecure to store secrets in environment variables and used that as justification for closing the ticket - however, in the typical access pattern this makes my CI pipeline less secure, since I still provide the secret as an environment variable - but now Ansible also forces me to write the secret to disk, introducing another set of vulnerabilities to my application (especially since the agent may be running on shared hardware).
>
> Environment variables seem like the industry-standard mechanism in CI for sharing secrets with an agent process to run things like Ansible playbooks. It's perplexing that Ansible has chosen not to support this. There is a workaround, but it's very frustrating that the workaround actually decreases the security of the system relative to the straightforward solution of Ansible simply expecting a standard environment variable for the password. I'm rather perplexed and frustrated by the decision to close https://github.com/ansible/ansible/issues/45214
>
> --
> You received this message because you are subscribed to the Google Groups "Ansible Development" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-devel/5048eeed-24a6-49ab-aae0-681523a42b27n%40googlegroups.com.

--
Matt Martz
@sivel
sivel.net
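The requirement in the thread, a vault password that stays in a CI secret variable and is never written to disk, can be met with an Ansible feature that already exists: when the vault password file is executable, Ansible runs it and uses whatever it prints to stdout as the password. The script below is an added example written for this page, not code from the thread or from the Ansible project; the variable name ANSIBLE_VAULT_PASSWORD is an assumption (any masked CI secret name works as long as the script reads the same name).

```shell
#!/bin/sh
# Added example: an executable vault password "file" for a CI agent.
# Ansible executes this script and reads the vault password from its
# stdout, so the secret only ever lives in the agent's environment
# variable (assumed name: ANSIBLE_VAULT_PASSWORD) and no plaintext copy
# is written to the build workspace.

vault_password_from_env() {
    # Fail closed: an unset or empty variable must produce an error and a
    # non-zero exit, not an empty string that Ansible would then try to
    # use as the password.
    if [ -z "${ANSIBLE_VAULT_PASSWORD:-}" ]; then
        echo "vault-pass.sh: ANSIBLE_VAULT_PASSWORD is not set" >&2
        return 1
    fi
    # printf rather than echo: no trailing newline, and no escape-sequence
    # interpretation of whatever characters the secret happens to contain.
    printf '%s' "$ANSIBLE_VAULT_PASSWORD"
}

# Entry point: Ansible invokes this file directly, and the script's exit
# status is the function's, so a missing secret fails the playbook run.
vault_password_from_env
```

Save it as, for example, `vault-pass.sh`, mark it executable (`chmod +x vault-pass.sh`) and point Ansible at it with `--vault-password-file ./vault-pass.sh` or by exporting `ANSIBLE_VAULT_PASSWORD_FILE=./vault-pass.sh` in the pipeline. Two caveats: without the execute bit Ansible treats the file's contents as the literal password, so decryption simply fails; and the secret remains visible in the agent process's environment (and to anything running as the same user on that agent), which is the exposure the linked issue objects to. This approach removes the on-disk copy the original poster complains about, not that residual exposure.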
