emacs-ansible

Support for vault-keyring script execution

Open ymartin59 opened this issue 7 years ago • 2 comments

Hello

I am using https://github.com/ansible/ansible/blob/devel/contrib/vault/vault-keyring.py thanks to the ANSIBLE_VAULT_PASSWORD_FILE environment variable, but there are many other means to trigger it.

Instead of storing the vault password in the clear on disk, it is now requested from the system keyring.

Could you please adapt ansible::vault-password-file support so that it allows script execution, the same way ansible-vault does?

Thank you in advance
Regards
Yves Martin

ymartin59 avatar Aug 04 '17 08:08 ymartin59

Hi @ymartin59. Thank you for your request! It's a good idea!

k1LoW avatar Aug 07 '17 00:08 k1LoW

I would like to get it... so here is what I tried.

In Bash, I have set up this convenient alias:

alias ansible-vault='ANSIBLE_VAULT_PASSWORD_FILE=$HOME/bin/ansible-vault-keyring.py /usr/bin/ansible-vault'

and this works perfectly well.

I tried two options:

  1. Replace command
(setq ansible-vault-command "ANSIBLE_VAULT_PASSWORD_FILE=/home/yma/bin/ansible-vault-keyring.py /usr/bin/ansible-vault")
  2. Set environment variable
(setenv "ANSIBLE_VAULT_PASSWORD_FILE" "/home/yma/bin/ansible-vault-keyring.py")
(setq ansible-vault-command "/usr/bin/ansible-vault")

Now I wonder if Emacs tries to start my Bash alias, and I am not sure what command results from ansible-vault--call-command... How should I debug/investigate to get it to work?

Note that each attempt to open a vault file results in many /tmp/ansible-vault* files. It would probably be safer to remove the file in case of errors from the ansible-vault command.

ymartin59 avatar Aug 28 '19 11:08 ymartin59
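
The behaviour requested in this thread, as an added shell example that is not code from the thread, from emacs-ansible or from Ansible: a vault password file that is executable is run and its stdout is taken as the password, otherwise the file is read, and a scratch file is removed even when the wrapped command fails. The function names `vault_password` and `with_scratch_file` and the `vault-scratch.XXXXXX` template are hypothetical.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical.

# Print the vault password for a password "file" the way ansible-vault treats it:
# an executable file is run and its stdout is the password,
# a non-executable file is read as the password itself.
vault_password() {
    pwfile=$1
    if [ ! -f "$pwfile" ]; then
        echo "vault password file not found: $pwfile" >&2
        return 2
    fi
    if [ -x "$pwfile" ]; then
        # A failing keyring script must not yield a silently empty password.
        out=$("$pwfile") || { echo "password script failed: $pwfile" >&2; return 3; }
    else
        out=$(cat "$pwfile") || return 3
    fi
    # Command substitution has already stripped trailing newlines.
    [ -n "$out" ] || { echo "empty vault password from $pwfile" >&2; return 4; }
    printf '%s' "$out"
}

# Run "$@" with a private scratch file appended as the last argument and
# remove that file whether the command succeeds or fails.
with_scratch_file() {
    scratch=$(mktemp "${TMPDIR:-/tmp}/vault-scratch.XXXXXX") || return 1
    status=0
    "$@" "$scratch" || status=$?
    rm -f "$scratch"
    return "$status"
}

# Stand-alone check: report whether the configured source resolves,
# without printing the secret.
if [ -n "${ANSIBLE_VAULT_PASSWORD_FILE:-}" ]; then
    if vault_password "$ANSIBLE_VAULT_PASSWORD_FILE" >/dev/null; then
        echo "vault password source OK: $ANSIBLE_VAULT_PASSWORD_FILE"
    fi
fi
```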