suggested cleanups for vault password faq entry (ansible#1572)
* explain use case

* fixup, that needs to be in a single line

* numbered list -> subsections

reasoning: on readthedocs.io the numbered list ended up showing twice 1.

* move the vault docs paragraph up

* move the insecure option one down

* delete the example with cleartext password on disk

opinionated: I really dislike having bad security practices as
an example users might copy and paste.
It is OK to drop this commit if you disagree.

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* incorporate relevant changes

---------

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: shatakshiiii <shatakshimishra01@gmail.com>
3 people authored Jul 11, 2023
1 parent 9b658ff commit ded22f5
Showing 1 changed file with 12 additions and 3 deletions.
15 changes: 12 additions & 3 deletions docs/faq.md
Expand Up @@ -264,6 +264,16 @@ $ ansible-navigator run --pass-environment-variable ANSIBLE_VAULT_PASSWORD_FILE

2. Store the vault password in an environment variable

Chances are that your environment prohibits saving passwords in clear text on
disk. If you are subject to such a rule, then this will obviously include any
command history file your shell saves to disk.

In case you use bash, you can leverage
[HISTCONTROL](https://www.gnu.org/software/bash/manual/html_node/Bash-Variables.html#index-HISTCONTROL)
and an
[environment](https://www.gnu.org/software/bash/manual/html_node/Environment.html)
variable as shown in the following example.

```bash
$ touch ~/.vault_password.sh
$ chmod 700 ~/.vault_password.sh
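Review bot: the added paragraph that ends "as shown in the following example" links HISTCONTROL but never says how it keeps the password out of the history file. Bash's `ignorespace` value only skips lines that begin with a space, so a reader who types the later `export` line at column one still gets the password written to history. Suggest adding one sentence saying that the command carrying the password must be entered with a leading space, and dropping "obviously" from the first added paragraph.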
Expand All @@ -275,9 +285,8 @@ $ ln ~/.vault_password.sh .
# into the execution environment
$ HISTCONTROL=ignorespace
$ export ANSIBLE_VAULT_PASSWORD=my_password
# Set the environment variable to the location of the file
$ ANSIBLE_VAULT_PASSWORD_FILE=.vault_password.sh
$ ansible-navigator run site.yml
# Set the environment variable to the location of the file when executing ansible-navigator
$ ANSIBLE_VAULT_PASSWORD_FILE=.vault_password.sh ansible-navigator run site.yml
```

Additional information about `ansible-vault` can be found
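Review bot: the new comment above `ANSIBLE_VAULT_PASSWORD_FILE=.vault_password.sh ansible-navigator run site.yml` does not say why the assignment has to share a line with the command. On a line of its own the assignment only sets a shell variable, which the ansible-navigator process does not inherit unless it was already exported; as a prefix it is placed in that one command's environment. Suggest wording the comment along those lines so the two are not split apart again, and noting that the relative path `.vault_password.sh` resolves against the current directory.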