Support password clients to edit vaulted files/data
ansible-vault supports executing programs, passing them --vault-id $vault_id. I see 2 ways this could be solved:
1. user interaction required: ask the user for the vault-id string in a popup (user enters vault-name@$whatever)
   - if $whatever is prompt, prompt for the password interactively
   - if $whatever isn't prompt, use it as is
2. no user interaction required: let the user configure the right part of the vault-id (be it a file or a password client) and try to detect the vault name from the file, construct the vault-id based on that, if it doesn't work, fall back to 1.
@bendem Based on how other Ansible features are implemented, I could guess that if the filename mentioned does not exist on disk or if it is an executable, ansible will execute it.
I was able to find some information at https://docs.ansible.com/ansible/latest/user_guide/vault.html#storing-passwords-in-third-party-tools-with-vault-password-client-scripts but I am not sure how to implement this in vscode. If the documentation is right, the presence of "prompt" on stderr is an indication that this command is interactive.
If you really want to enable this use case, please try to implement it. As I find it not widely used, I doubt someone who does not use it will spend time implementing it.
I will be more than happy to review a PR that adds this feature.
If ansible-vault finds a file that's executable, it will execute it without any argument, but that doesn't work if you use the newer system with named vaults.
That's why password clients were created (I assume): if the file is executable and ends with -client (after stripping the extension), it will pass what the user gave as vault name (left hand part of the vault-id). The catch here (and where, I think, an extension brings value) is that even though the vault name is written inside the file, ansible doesn't even try to use it, the user has to manually provide it, meaning it's useless to set vault_password_file. The extension could do that work for us.
We use this at work to be able to share our vault passwords securely (shared keepass database, bitwarden organisations or hashicorp vault). The client fetches the password from the database automatically if the user has access to the password, no interaction required (works for CI too).
I'm no vscode extension developer sadly. I can try, but no promise there.
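The two mechanics the thread relies on, detecting the vault name from the vaulted file (option 2 in the opening post) and the `-client` naming convention plus the `--vault-id <label>` argument ansible passes to a password client (described above), as an added example. This is not code from the vscode-ansible extension or from Ansible; it only reproduces the documented conventions: a vaulted payload starts with `$ANSIBLE_VAULT;1.2;AES256;<label>` (the 1.1 format carries no label), and a password client is an executable whose file name ends in `-client` once the extension is stripped. The sample vault bodies, the `/opt/bin/keepass-client.py` path and the `store` dict standing in for a password manager are constructed for illustration.

```python
"""Glue a vscode extension could use to run ansible-vault through a password
client without asking the user for the vault-id. Example code, not the
extension's or Ansible's own; sample data below is constructed."""
import argparse
import os
import re
from pathlib import Path
from typing import Dict, List, Optional

# "$ANSIBLE_VAULT;1.2;AES256;dev" -> version 1.2, cipher AES256, label "dev".
# The 1.1 header has no fourth field, so group 3 is None for it.
HEADER = re.compile(r"^\$ANSIBLE_VAULT;(\d+\.\d+);([A-Za-z0-9]+)(?:;([^;\s]+))?$")

# Constructed samples: the hex lines are filler, not a real ciphertext.
SAMPLE_VAULTED_FILE = """$ANSIBLE_VAULT;1.2;AES256;dev
31393531313233343536373839616263646566303132333435363738396162636465
66303132333435363738396162636465663031323334353637383961626364656630
"""
SAMPLE_INLINE_YAML = """db_password: !vault |
          $ANSIBLE_VAULT;1.2;AES256;prod
          62616263646566303132333435363738396162636465663031323334353637
"""


def vault_label(text: str) -> Optional[str]:
    """Return the label of the first vault header found in `text`.

    Covers whole-file vaults (header on line 1) and inline `!vault |` values
    (header indented under a YAML key). None means the text is not vaulted or
    uses the 1.1 format, which has no label to recover.
    """
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            return m.group(3)
    return None


def looks_like_password_client(path: str) -> bool:
    """Name check ansible applies: strip the extension, require a -client suffix."""
    return Path(path).stem.endswith("-client")


def is_password_client(path: str) -> bool:
    """Full check: the file exists, is executable and carries the -client name."""
    return os.path.isfile(path) and os.access(path, os.X_OK) and looks_like_password_client(path)


def vault_id_for(text: str, source: str) -> str:
    """Build the --vault-id value for `text` given the user-configured `source`.

    `source` is the right-hand part of the vault-id (password file or client
    script). With a labelled 1.2 header the label is supplied automatically;
    otherwise fall back to the interactive prompt, as option 2 proposes.
    """
    label = vault_label(text)
    if label is None:
        return "prompt"  # 1.1 vault or not a vault: let ansible ask the user
    return f"{label}@{source}"


def ansible_vault_argv(action: str, path: str, text: str, source: str) -> List[str]:
    """argv the extension would spawn, e.g. for `ansible-vault edit`."""
    return ["ansible-vault", action, "--vault-id", vault_id_for(text, source), path]


def client_main(argv: List[str], store: Dict[str, str]) -> str:
    """The other side of the contract: what a password client receives.

    ansible runs it as `<name>-client --vault-id <label>`; this example looks
    the label up in `store`, a stand-in for the shared password manager, and
    returns the password that a real client would print to stdout.
    """
    parser = argparse.ArgumentParser(description="example vault password client")
    parser.add_argument("--vault-id", required=True, dest="vault_id")
    args = parser.parse_args(argv)
    if args.vault_id not in store:
        raise SystemExit(f"no password stored for vault-id {args.vault_id!r}")
    return store[args.vault_id]


if __name__ == "__main__":
    client = "/opt/bin/keepass-client.py"  # hypothetical configured client
    print(ansible_vault_argv("edit", "group_vars/dev.yml", SAMPLE_VAULTED_FILE, client))
    print(client_main(["--vault-id", "dev"], {"dev": "s3cret"}))
```

With the label recovered from the file, `vault_password_file` pointing at a `-client` script becomes usable again: the extension builds `dev@/opt/bin/keepass-client.py`, ansible executes the client with `--vault-id dev`, and no popup is needed unless the file is a 1.1 vault, in which case the code falls back to `prompt`.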