It's a secure workaround - it is annoying though. And it adds complexity to
a very common use case.

On Tue, Sep 15, 2020 at 3:04 PM Matt Martz <m...@sivel.net> wrote:

> Follow the advice in
> https://github.com/ansible/ansible/issues/45214#issuecomment-502300660
>
> On Tue, Sep 15, 2020 at 4:45 PM 'Luke Schlather' via Ansible Development <
> ansible-devel@googlegroups.com> wrote:
>
>> I'm trying to figure out what the best way to provide a vault password
>> for a CI process is. My organization uses Azure Devops, where it is
>> standard to create a secret environment variable, and make that available
>> to the agent which runs my Ansible playbooks. This is also common to other
>> CI systems I have used such as Gitlab, Bamboo, Jenkins, and Github Actions.
>>
>> I found this issue <https://github.com/ansible/ansible/issues/45214> in
>> which someone claimed that it was insecure to store secrets in environment
>> variables and used that as justification for closing the ticket - however
>> in the typical access pattern this makes my CI pipeline less secure, since
>> I still provide the secret as an environment variable - but now Ansible
>> also forces me to write the secret to disk, introducing another set of
>> vulnerabilities to my application (especially since the agent may be
>> running on shared hardware.)
>>
>> Environment variables seem like the industry-standard mechanism in CI for
>> sharing secrets with an agent process to run things like Ansible playbooks.
>> It's perplexing that Ansible has chosen not to support this. There is a
>> workaround, but it's very frustrating that the workaround actually
>> decreases the security of the system relative to the straightforward
>> solution of Ansible simply expecting a standard environment variable for
>> the password. I'm rather perplexed and frustrated by the decision to close
>> https://github.com/ansible/ansible/issues/45214
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Ansible Development" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to ansible-devel+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/ansible-devel/5048eeed-24a6-49ab-aae0-681523a42b27n%40googlegroups.com.
>>
>> --
> Matt Martz
> @sivel
> sivel.net
>


-- 
Luke Schlather
Devops and Deployment Engineer
STRIVR <http://www.strivr.com/>
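Added example, not part of this thread and not Ansible's own code: Ansible accepts an executable as its vault password file and takes the password from the script's standard output, which is the usual shape of the workaround the linked issue comment points to (the comment itself is not reproduced on this page). The script below is assumed, not from the page; it reads the secret from a CI-provided environment variable (the name ANSIBLE_VAULT_PASSWORD is an assumed choice, not an Ansible built-in), refuses to run if the variable is missing, and hands the value to Ansible over a pipe, so the file committed to the repository contains no secret and nothing secret is written to disk on the agent.

```shell
#!/usr/bin/env sh
# vault-pass.sh: an executable "vault password file" for Ansible.
#
# Ansible executes this script and reads the vault password from its stdout.
# The secret itself only ever exists in the CI-provided environment variable
# (ANSIBLE_VAULT_PASSWORD, an assumed name) and in the pipe to Ansible; this
# file is safe to commit because it holds no secret.
#
# Usage on the CI agent (example invocations, assumed):
#   chmod +x vault-pass.sh
#   ANSIBLE_VAULT_PASSWORD_FILE=./vault-pass.sh ansible-playbook site.yml
# or, equivalently:
#   ansible-playbook --vault-password-file ./vault-pass.sh site.yml
#   ansible-playbook --vault-id ci@./vault-pass.sh site.yml

# Print the vault password read from the environment, or fail loudly.
# Failing (non-zero exit) makes Ansible abort instead of silently using an
# empty password when the CI secret was not injected into this job.
vault_pass() {
    if [ -z "${ANSIBLE_VAULT_PASSWORD:-}" ]; then
        echo "vault-pass.sh: ANSIBLE_VAULT_PASSWORD is not set in the environment" >&2
        return 1
    fi
    # printf rather than echo: the value is emitted verbatim, with no
    # interpretation of backslashes or leading dashes.
    printf '%s\n' "$ANSIBLE_VAULT_PASSWORD"
}

# Only act as the password source when invoked by name (i.e. when Ansible
# runs ./vault-pass.sh); when this file is sourced for testing under another
# name, nothing is printed.
case "${0##*/}" in
    vault-pass.sh) vault_pass ;;
esac
```

Two checks worth running on the agent: confirm with `grep` that the committed script contains no literal secret, and note that the password never appears as a process argument (it travels over the script's stdout, not the command line), so it is not exposed in `ps` output. The residual exposure is the one Luke already accepts: the secret is visible in the environment of the agent process and its children.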

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-devel+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-devel/CAPq7tpO_aR0QrMTzjdd7Bqe52f6tsxbtD6ybC4u-35-_65Ogzg%40mail.gmail.com.