Commit Graph

8 Commits (ff28429e2a39bb1696e629205b6087c7c5ae1988)

Author SHA1 Message Date
Matt Clay 797664d9cb Python 2.6 `str.format()` compatibility fixes. 7 years ago
Adrian Likins 297dfb1d50 Vault secrets script client inc new 'keyring' client (#27669)
This adds a new type of vault-password script  (a 'client') that takes advantage of and enhances the 
multiple vault password support.

If a vault password script basename ends with the name '-client', consider it a vault password script client. 

A vault password script 'client' just means that the script will take a '--vault-id' command line arg.

The previous vault password script (as invoked by --vault-password-file pointing to an executable) takes
no args and returns the password on stdout. But it doesnt know anything about --vault-id or multiple vault
passwords.

The new 'protocol' of the vault password script takes a cli arg ('--vault-id') so that it can lookup that specific
vault-id and return it's password.

Since existing vault password scripts don't know the new 'protocol', a way to distinguish password scripts
that do understand the protocol was needed.  The convention now is to consider password scripts that are
named like 'something-client.py' (and executable) to be vault password client scripts.

The new client scripts get invoked with the '--vault-id' they were requested for. An example:

     ansible-playbook --vault-id my_vault_id@contrib/vault/vault-keyring-client.py some_playbook.yml

That will cause the 'contrib/vault/vault-keyring-client.py' script to be invoked as:

     contrib/vault/vault-keyring-client.py --vault-id my_vault_id

The previous vault-keyring.py password script was extended to become vault-keyring-client.py. It uses
the python 'keyring' module to request secrets from various backends. The plain 'vault-keyring.py' script
would determine which key id and keyring name to use based on values that had to be set in ansible.cfg.
So it was also limited to one keyring name.

The new vault-keyring-client.py will request the secret for the vault id provided via the '--vault-id' option.
The script can be used without config and can be used for multiple keyring ids (and keyrings).

On success, a vault password client script will print the password to stdout and exit with a return code of 0.
If the 'client' script can't find a secret for the --vault-id, the script will exit with return code of 2 and print an error to stderr.
7 years ago
Matt Martz e2f16cfaf7 Port vault-keyring.py to properly load the config. Fixes #31304 (#31315) 7 years ago
Justin Mayer fda131504b Support multiple vault passwords in keyring script
Allows users to specify a key name in a given project’s `ansible.cfg`
file and thus handle keyring integration with vaults with different
passwords. If no key name is specified, the original default `ansible`
key name will be used.

Other improvements:

* `username` is now optional; defaults to user that invokes the script
* change string interpolation to new `.format()` style
* clean up and expand upon documentation
* enforce PEP 8 compliance
8 years ago
Brian Coca 18214e5948 added metadata to vault scrypt 8 years ago
Adrian Likins 675561e116 fix vault-keyring.py 'No [vault] section' error
vault-keyring.py was using an older version of
the ansible.constants.load_config_file() API.
The newer version returns a tuple, which caused
the config load to fail and a catch all exception
to blame it on a missing section.

Update to new API, and catch the ConfigParser error
specifically.

Fixes #15984
9 years ago
Matt Martz bf52e541fb Add newline when printing the password 9 years ago
Matt Martz 6d1a834b81 Add vault-keyring.py contrib script that can be used with --vault-password-file 9 years ago