You have to make the script executable, otherwise it's just a random file that is read.
If you make it executable, ansible will execute it, and take the password from stdout of the script.

On Thu, Sep 17, 2020 at 4:46 PM 'Luke Schlather' via Ansible Development <[email protected]> wrote:

> Wait, I think the advice in
> https://github.com/ansible/ansible/issues/45214#issuecomment-502300660 is
> flat-out wrong. Ansible doesn't evaluate the bash, it just uses the script
> as the password. That is really dangerous to have that given out as "the
> way to do it." People will think it's right and end up basically using no
> password.
>
> There is an obvious workaround that involves writing the password to a
> temp file, but again, this makes the entire system less secure.
>
> On Wed, Sep 16, 2020 at 7:04 AM [email protected] <[email protected]> wrote:
>
>> Fully agree with you!
>>
>> It's a pity that this isn't supported via environment variable.
>>
>> Also in the linked issue it is very well argued why the "workaround" is
>> way more unsafe and violates more rules than the environment variable would.
>>
>> *FLORIAN FLOIMAIR*
>> Software Development - IMS
>>
>> Commend International GmbH
>> Saalachstrasse 51
>> 5020 Salzburg, Austria
>>
>> *commend.com <http://commend.com>*
>>
>> LG Salzburg / FN 178618z
>>
>> [email protected] wrote on Wednesday, 16 September 2020 at 00:32:32 UTC+2:
>>
>>> It's a secure workaround - it is annoying though. And it adds complexity
>>> to a very common use case.
>>>
>>> On Tue, Sep 15, 2020 at 3:04 PM Matt Martz <[email protected]> wrote:
>>>
>>>> Follow the advice in
>>>> https://github.com/ansible/ansible/issues/45214#issuecomment-502300660
>>>>
>>>> On Tue, Sep 15, 2020 at 4:45 PM 'Luke Schlather' via Ansible Development <[email protected]> wrote:
>>>>
>>>>> I'm trying to figure out what the best way to provide a vault password
>>>>> for a CI process is.
>>>>> My organization uses Azure Devops, where it is standard to create a
>>>>> secret environment variable, and make that available to the agent which
>>>>> runs my Ansible playbooks. This is also common to other CI systems I have
>>>>> used such as Gitlab, Bamboo, Jenkins, and Github Actions.
>>>>>
>>>>> I found this issue <https://github.com/ansible/ansible/issues/45214>
>>>>> in which someone claimed that it was insecure to store secrets in
>>>>> environment variables and used that as justification for closing the
>>>>> ticket - however in the typical access pattern this makes my CI pipeline
>>>>> less secure, since I still provide the secret as an environment variable -
>>>>> but now Ansible also forces me to write the secret to disk, introducing
>>>>> another set of vulnerabilities to my application (especially since the
>>>>> agent may be running on shared hardware.)
>>>>>
>>>>> Environment variables seem like the industry-standard mechanism in CI
>>>>> for sharing secrets with an agent process to run things like Ansible
>>>>> playbooks. It's perplexing that Ansible has chosen not to support this.
>>>>> There is a workaround, but it's very frustrating that the workaround
>>>>> actually decreases the security of the system relative to the
>>>>> straightforward solution of Ansible simply expecting a standard
>>>>> environment variable for the password. I'm rather perplexed and
>>>>> frustrated by the decision to close
>>>>> https://github.com/ansible/ansible/issues/45214
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Ansible Development" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to [email protected].
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/d/msgid/ansible-devel/5048eeed-24a6-49ab-aae0-681523a42b27n%40googlegroups.com.
>>>>>
>>>> --
>>>> Matt Martz
>>>> @sivel
>>>> sivel.net
>>>
>>> --
>>> Luke Schlather
>>> Devops and Deployment Engineer
>>> STRIVR <http://www.strivr.com/>
>
> --
> Luke Schlather
> Devops and Deployment Engineer
> STRIVR <http://www.strivr.com/>

--
Matt Martz
@sivel
sivel.net
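The mechanism the top reply describes (an executable vault-password "file" that ansible runs, taking the password from its stdout) as an added example; this is illustration code, not from the thread or from the Ansible project. The variable name ANSIBLE_VAULT_PASSWORD is an assumption, since the thread never names one; the helper script exits non-zero when the variable is unset or empty so a misconfigured pipeline fails loudly instead of quietly running with an empty password, and vault_file_mode shows the check that distinguishes the two behaviours the thread argues about:

```shell
#!/bin/sh
# Added example, not part of the thread. Assumed CI secret variable name:
# ANSIBLE_VAULT_PASSWORD (the thread names no specific variable).

# Print the vault password to stdout. This is what ansible consumes when the
# path given to --vault-password-file is executable. Fails (exit 1) when the
# variable is unset or empty rather than emitting an empty line.
vault_password_from_env() {
    if [ -z "${ANSIBLE_VAULT_PASSWORD:-}" ]; then
        echo "ANSIBLE_VAULT_PASSWORD is not set" >&2
        return 1
    fi
    printf '%s\n' "$ANSIBLE_VAULT_PASSWORD"
}

# Write the helper script to $1 and mark it executable. Returns 1 if the file
# did not end up executable (for example on a noexec mount): in that case
# ansible would read the file's text, i.e. the script source, as the literal
# password, which is the failure mode the thread warns about.
write_vault_password_script() {
    target=$1
    cat > "$target" <<'EOF'
#!/bin/sh
# Password is not stored here; it is read from the CI-provided environment.
[ -n "${ANSIBLE_VAULT_PASSWORD:-}" ] || { echo "ANSIBLE_VAULT_PASSWORD is not set" >&2; exit 1; }
printf '%s\n' "$ANSIBLE_VAULT_PASSWORD"
EOF
    chmod 700 "$target"
    [ -x "$target" ]
}

# Report what ansible would do with a given --vault-password-file path:
# "execute" (run it, use stdout) for an executable file, "read" (use the
# file contents as the password) for a plain file.
vault_file_mode() {
    if [ -x "$1" ]; then
        echo execute
    else
        echo read
    fi
}

# Usage in a pipeline step (ansible is not needed to run the checks above):
#   write_vault_password_script ./vault-pass.sh
#   ANSIBLE_VAULT_PASSWORD="$CI_SECRET" \
#     ansible-playbook --vault-password-file ./vault-pass.sh site.yml
```

The path can equally be supplied through the ANSIBLE_VAULT_PASSWORD_FILE environment variable instead of the command-line flag; either way, the only thing written to disk is the script, never the secret, and running `vault_file_mode` on the path before the playbook step catches the case where a checkout or mount has dropped the executable bit.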
