Last active May 20, 2019 10:26
Gist schneidr/98aca45e9d6c4e138e6e23c9d375e19a
sudo-esque password caching behaviour for ansible vault
#!/bin/bash
# sudo-esque password caching behaviour for ansible vault
#
# WARNING! the password will be stored in a clear text file until 5 minutes after you used the script last
#
# Place this script as ansible-sudo.sh in your path
# Set the following settings:
# crontab -e
# * * * * * find ~/.ansible/ -name password_tmp -mmin +5 -delete
# .bashrc
# alias ansible='ansible-sudo.sh ansible'
# alias ansible-playbook='ansible-sudo.sh ansible-playbook'
PASSWORDFILE=~/.ansible/password_tmp
PWPARAM=()
if [ ! -f "$PASSWORDFILE" ]; then
    echo -n "Vault password: "
    # -s hides the typed password, -r keeps backslashes in it literal
    read -r -s PASSWORD
    echo
    if [ -n "$PASSWORD" ]; then
        mkdir -p "$(dirname "$PASSWORDFILE")"
        # create the file owner-only from the start (umask 077) rather than
        # creating it with the default umask and tightening it afterwards;
        # printf '%s' avoids echo mangling passwords with backslashes or
        # leading dashes, and quoting prevents word splitting and globbing
        (umask 077; printf '%s\n' "$PASSWORD" > "$PASSWORDFILE")
        chmod 0600 "$PASSWORDFILE"
        unset PASSWORD
    fi
fi
if [ -f "$PASSWORDFILE" ]; then
    PWPARAM=(--vault-password-file "$PASSWORDFILE")
    # refresh the mtime so the cron job's 5 minute idle timer restarts
    touch "$PASSWORDFILE"
fi
# run the wrapped command with the vault option inserted before its own arguments
exec "$1" "${PWPARAM[@]}" "${@:2}"
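The cron sweep above only runs once a minute, so the cache file can survive a little past the five minute mark, and nothing in the wrapper notices if its permissions were loosened. As an added example (not part of the gist), this is a check the wrapper could run before reusing the file; it assumes GNU stat and touch (Linux or WSL, as in the gist's setup), and MAX_AGE_SECS and the function names are this example's own:

```shell
#!/bin/bash
# Added example: refuse a stale or badly-permissioned vault password cache.
# MAX_AGE_SECS mirrors the gist's "-mmin +5" sweep; it is an assumption here.
MAX_AGE_SECS=300

# file_age_secs FILE -> prints seconds since FILE was last modified
file_age_secs() {
    local now mtime
    now=$(date +%s)
    # GNU stat (Linux/WSL); macOS would need "stat -f %m" instead
    mtime=$(stat -c %Y "$1") || return 1
    echo $((now - mtime))
}

# vault_cache_ok FILE -> returns 0 only if FILE exists, is owned by the
# calling user, is mode 0600 and was touched within MAX_AGE_SECS.
# A file failing the ownership, mode or age test is deleted so the next
# wrapper invocation prompts for the password again instead of reusing it.
vault_cache_ok() {
    local f=$1 mode age
    [ -f "$f" ] || return 1
    # -O: effective user owns the file
    [ -O "$f" ] || { rm -f "$f"; return 1; }
    mode=$(stat -c %a "$f") || return 1
    if [ "$mode" != "600" ]; then
        rm -f "$f"; return 1
    fi
    age=$(file_age_secs "$f") || return 1
    if [ "$age" -gt "$MAX_AGE_SECS" ]; then
        rm -f "$f"; return 1
    fi
    return 0
}
```

In the wrapper this replaces the plain `[ -f "$PASSWORDFILE" ]` test, so `--vault-password-file` is only passed when `vault_cache_ok "$PASSWORDFILE"` succeeds.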
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2019-05-20T12:22:40.2340908</Date>
    <Author>username</Author>
    <URI>\delete ansible password file</URI>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Repetition>
        <Interval>PT1M</Interval>
        <Duration>P1D</Duration>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <Enabled>true</Enabled>
      <UserId>username</UserId>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>X-X-X-XX-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>wsl</Command>
      <Arguments>find ~/.ansible/ -name password_tmp -mmin +5 -delete</Arguments>
    </Exec>
  </Actions>
</Task>
Added Windows task for deleting the file since cron doesn't start automatically with Windows
I was tired of having to type the vault password for every ansible command, but didn't want to have the vault password lying around in clear text in a file. This seems like a compromise.