You can use an encfs-based role from here: https://github.com/ginas/encfs (drybjed.encfs on Galaxy) to open/close an encrypted directory during an Ansible run, and then use lookup(), copy, fetch as normal.
2014-02-20 16:23 GMT+01:00 giulianob <[email protected]>:

> Michael,
>
> That's pretty much exactly what I would want it to do. I currently do my
> own poor man's vault by running a bash file which encrypts a folder where
> all the lookup passwords are generated to. The vault as is isn't really
> useful for me since all my passwords are generated per server. Is this not
> a common thing? Would you have a different recommendation for how to manage
> passwords in general?
>
> On Thursday, February 20, 2014 8:27:41 AM UTC-5, Michael DeHaan wrote:
>>
>> Just a minor process note -- It's often troublesome to have a discussion
>> about a feature on github because fewer people are there to read a ticket.
>> I'd much prefer we discuss feature ideas here, for most major things,
>> since that allows greater discussion, and search is also better.
>>
>> That all being said, the basics here is that vault is designed to encrypt
>> and decrypt YAML data files -- of which since Ansible is data driven is
>> mostly everything.
>>
>> By contrast, the password lookup plugin is a clever tool, but it's a hack
>> and architecturally wrong for this solution, and it was not intended to
>> keep files in version control.
>>
>> The "random password per server" approach works on writing little stub
>> files text here and there and I can see it being possible for, if
>> --ask-vault-pass was set, and I can see this approach being fiddly. We're
>> unlikely to want to implement this though, because the random password
>> generator bits are not designed to keep all the data in one file -- it was
>> an interesting plugin, but probably not implemented the way you want.
>>
>> What you'd propose here I think is better served by keeping a file in a
>> configurable location, like
>>
>> {{ lookup("password2", "password.yml", "mysql/" + inventory_hostname) }}
>>
>> Which would store a key "mysql__{{inventory_hostname}}" in a YAML file.
>>
>> Basically a rearchitected alternative to the password plugin.
>>
>> where it would write a random password into password.yml under some_key
>> and then encrypt and decrypt as needed using --ask-vault-pass.
>>
>> This is going to be out of scope for 1.5, and we're going to want to move
>> on rather than build this for you, but if someone wants to implement this
>> to the above suggested spec, I think it would be pretty interesting and
>> useful.
>>
>> On Wed, Feb 19, 2014 at 9:58 PM, James Tanner <[email protected]> wrote:
>>
>>> On 02/19/2014 02:01 PM, giulianob wrote:
>>>
>>> Will this work with lookup so if it generates a pass it's stored in the
>>> vault automatically?
>>>
>>> (I asked this in the official post but didn't see my comment.)
>>>
>>> On Wednesday, February 19, 2014 1:20:34 PM UTC-5, James Tanner wrote:
>>>>
>>>> We just merged a new feature called "Ansible Vault" to devel (1.5).
>>>> Please read through Michael DeHaan's blog post about the tools for basic
>>>> usage:
>>>>
>>>> http://blog.ansibleworks.com/2014/02/19/ansible-vault/
>>>>
>>>> Follow the typical bug reporting process for any issues you may find.
>>>>
>>>> Other notes:
>>>>
>>>> 1) The default encryption cipher is AES, but the framework is
>>>> "pluggable" to encourage community contribution for other cipher methods.
>>>>
>>>> 2) All files used for a single playbook must be encrypted with the
>>>> same password.
>>>>
>>>> Please test away!
>>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Ansible Project" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To post to this group, send email to [email protected].
>>> For more options, visit https://groups.google.com/groups/opt_out.
>>>
>>> There is no integration with lookup plugins at the moment. If you have a
>>> specific workflow or an example in mind, file a feature request on github
>>> and we can consider it for later releases.
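The "password2" store that Michael DeHaan sketches in the quoted message (one file in a configurable location, a key of the form mysql__<inventory_hostname>, a random password written on first use, the whole file kept encrypted under the single vault password that all files of a play must share) as an added example. This is not code from the thread, from the encfs role, or from Ansible. It assumes a JSON store instead of YAML so it needs no third-party module, and, because the Python standard library has no AES, it uses a stand-in for the Ansible Vault container: PBKDF2-HMAC-SHA256 key derivation, HMAC-SHA256 in counter mode as the keystream in place of AES-CTR, and an HMAC-SHA256 tag that is checked before anything is decrypted (encrypt-then-MAC). The header string, function names and iteration count are hypothetical.

```python
# Added example: per-host password store with the semantics of the proposed
# "password2" lookup. Stand-in crypto (HMAC-CTR, not AES) built from the
# standard library only; the container layout is illustrative, not Ansible's.
import hashlib
import hmac
import json
import os
import secrets
import tempfile

HEADER = b"$EXAMPLE_VAULT;1.0"   # hypothetical header, not "$ANSIBLE_VAULT;..."
KDF_ITERATIONS = 10000           # illustrative PBKDF2 iteration count
SALT_LEN = 32
TAG_LEN = 32


def _derive_keys(vault_password, salt):
    """One vault password -> independent encryption key and MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", vault_password.encode("utf-8"),
                             salt, KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode; stand-in for AES-CTR."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(data, keystream):
    return bytes(a ^ b for a, b in zip(data, keystream))


def encrypt_store(store, vault_password):
    """Serialise and seal the store. A fresh salt per write gives fresh keys
    per write, so the salt can safely double as the counter-mode nonce."""
    salt = secrets.token_bytes(SALT_LEN)
    enc_key, mac_key = _derive_keys(vault_password, salt)
    plaintext = json.dumps(store, sort_keys=True).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, salt, len(plaintext)))
    tag = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    return HEADER + b"\n" + (salt + tag + ciphertext).hex().encode("ascii") + b"\n"


def decrypt_store(blob, vault_password):
    """Verify the tag first (wrong password or tampering fails here), then decrypt."""
    header, _, body = blob.partition(b"\n")
    if header != HEADER:
        raise ValueError("not an example-vault file")
    raw = bytes.fromhex(body.strip().decode("ascii"))
    salt = raw[:SALT_LEN]
    tag = raw[SALT_LEN:SALT_LEN + TAG_LEN]
    ciphertext = raw[SALT_LEN + TAG_LEN:]
    enc_key, mac_key = _derive_keys(vault_password, salt)
    expected = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault password is wrong or the file was modified")
    plaintext = _xor(ciphertext, _keystream(enc_key, salt, len(ciphertext)))
    return json.loads(plaintext.decode("utf-8"))


def store_key(name):
    """'mysql/' + inventory_hostname -> 'mysql__<inventory_hostname>'."""
    return name.replace("/", "__")


def lookup_password2(path, name, vault_password):
    """Return the password under `name`, generating and persisting one on
    first use. Repeated calls return the same value, so re-runs are safe."""
    store = {}
    if os.path.exists(path):
        with open(path, "rb") as f:
            store = decrypt_store(f.read(), vault_password)
    key = store_key(name)
    if key not in store:
        store[key] = secrets.token_urlsafe(32)
        with open(path, "wb") as f:
            f.write(encrypt_store(store, vault_password))
    return store[key]


def demo():
    """Exercise the store in a scratch directory; constructed hostnames."""
    path = os.path.join(tempfile.mkdtemp(), "password.json")
    first = lookup_password2(path, "mysql/db1.example.com", "vault-pw")
    again = lookup_password2(path, "mysql/db1.example.com", "vault-pw")
    other = lookup_password2(path, "mysql/db2.example.com", "vault-pw")
    with open(path, "rb") as f:
        blob = f.read()
    try:
        decrypt_store(blob, "wrong-pw")
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    return {"idempotent": first == again, "per_host": first != other,
            "plaintext_on_disk": first.encode() in blob,
            "wrong_password_rejected": wrong_rejected}


if __name__ == "__main__":
    print(demo())
```

Run as a script, demo() writes two per-host passwords into one sealed file and shows that a second lookup for the same host returns the same password, that different hosts get different passwords, that the generated value does not appear in clear on disk, and that a wrong vault password is rejected at the tag check rather than producing garbage. In a real lookup plugin the same logic would sit in run() and the vault password would come from --ask-vault-pass or a vault password file rather than a function argument; the stand-in cipher would be replaced by Ansible's own VaultLib so the file stays readable by ansible-vault.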
