ansible-navigator
Please add an option to ansible-navigator to store a secret (vault/machine/whatever) as it is done in awx/tower?
ISSUE TYPE
- Feature Idea
Please make ansible-navigator work with --vault-id user@prompt and --ask-vault-pass.
Storing a password in a plaintext file is not allowed in my company,
so setting either one of the following in ansible.cfg is not a solution or a workaround:
[defaults]
# vault_password_file=/path/to/plain/text/security/violation
# vault_identity_list=first@/path/to/security/violation,another@/security/violation
Currently the use of ansible-navigator is not possible for any play that contains any form of vault use, which means all of the plays in use at our company.
SUMMARY
@RobVerduijn thanks for this!
If you run with mode stdout and playbook artifact creation disabled it should work. There's a related entry in the FAQ about var_prompt https://ansible-navigator.readthedocs.io/en/latest/faq/ but it's the same issue.
It has to do with the way navigator interacts with ansible runner. Let me know if I can explain more here, I'm happy to go into it.
When artifact file creation is disabled, we simply hand off the current stdout, stdin, and stderr to runner, which is why the prompt should work. When artifact file creation is enabled, we hand off a message queue and drain it, which is why we can create the artifact.
LMK, brad
You did mention plaintext file, not sure an environment variable is allowed (or better), but I'll put this here in case anyone else comes across this where that might be a viable alternative: https://github.com/ansible/ansible-navigator/issues/491 and related https://github.com/ansible/ansible-navigator/issues/276
ty again rob for trying navigator out
Hello,
After some more digging and asking around I found out I need to add the following as a workaround:
-m stdout --pae false
The environment variable doesn't sound really secure,
- setting the var will ensure the plain text password file will be automatically generated as .bash_history
- it hides the password only for ppl who are not familiar with the echo command
Since ansible-navigator is supposed to enable devs to locally develop playbooks and test these as if they were running on awx/tower, please add an option to ansible-navigator to store a secret (vault/machine/whatever) as it is done in awx/tower?
How do I remove the waiting on author label?
Sorry about that, label gone.
Still thinking about this one.... Tricky
Closing this down as we have added a new parameter enable-prompts for this issue.
Please check this: https://github.com/ansible/ansible-navigator/pull/1419
Hi, I didn't pay attention to this issue as I did not expect this to be fixed.
And obviously you didn't fix it.
The secrets are still unencrypted and readable for everybody with read access to the ansible.cfg
https://github.com/ansible/ansible-navigator/pull/1419 does not address this issue