Enable auth with third party services via environment variables for ansible-acme #40
Comments
Changing The main downside is that you only find out that you forgot to specify something when the DNS module fails, instead of being informed before the private key is regenerated.
Should I submit a PR to fix this? I am currently also working on adding OpenStack support.
I'd have to modify files in my CI/CD workflow in order to inject the auth credentials into my playbooks. For CI environments where injecting files or templates doesn't work, you could still use environment variables to pass the auth info. The more sensible thing would be to issue a notice/warning when the credentials are not defined. EDIT: To clarify, my issue lies with checking in my credentials into git as plaintext inside the playbooks. Checking for env variables brings back the sanity checks. Checking the role vars is imo unnecessary, as I expect someone using AWS to know the auth requirements of the AWS modules (this goes for any cloud).
I'll reply to the remainder later (sorry I'm somewhat busy right now), but let me reply to this already:
I'm not sure why you would want to do that. What folks commonly do is fill in variables from encrypted sources, for example Ansible vault, sops (via lookup or vars plugin), Hashi Vault (via lookup), passwordstore (via lookup), ... For example, in my Let's Encrypt renewal playbook, I'm using
I was only referring to the auth credentials from a specific cloud provider, not auth credentials overall. Specifically:
Meaning you eliminate the need for encrypted files altogether by just using environment variables. At least for those parts of the playbook that interact with your cloud.
I've implemented this in #42.
Right now, there exist separate variables for every auth option for every auth provider.
Example:
This is imo a bit messy, as it requires users to manually override role vars in their plays, instead of using environment variables that contain auth credentials, if so desired.
It's possible that users may want to use different credentials to interact with a multitude of cloud environments, but per default I feel it would be sensible to check if the environment variables for a specific provider are defined, and if so use them to authenticate instead.
See what I mean here:
https://docs.ansible.com/ansible/latest/collections/amazon/aws/docsite/aws_ec2_guide.html#authentication
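The resolution order proposed in this issue (use the provider's environment variables when they are set, otherwise fall back to the role vars, and complain before anything destructive happens rather than when the DNS module fails) can be sketched in plain Python. This is an added illustration, not code from ansible-acme or from #42: the per-provider variable names below are assumptions (the AWS and OpenStack ones are the conventional names their client libraries read; the role-var keys are placeholders, not the role's real variables), and the function would be a preflight step, not the role itself.

```python
"""Preflight credential resolution for a DNS-challenge provider.

Added example, not part of ansible-acme. Provider -> (logical key -> env var name)
is an assumption; real module/env names come from the provider module docs.
"""
import os
import warnings

PROVIDER_ENV_VARS = {
    # Conventional names read by the AWS SDK; an AWS_SESSION_TOKEN may also apply.
    "aws": {"access_key": "AWS_ACCESS_KEY_ID", "secret_key": "AWS_SECRET_ACCESS_KEY"},
    # Conventional OpenStack RC names.
    "openstack": {"auth_url": "OS_AUTH_URL", "username": "OS_USERNAME", "password": "OS_PASSWORD"},
}


class MissingCredentials(Exception):
    """Raised before any key regeneration when no complete credential set exists."""


def resolve_credentials(provider, role_vars, env=None):
    """Return (source, creds) for `provider`.

    Order: complete set of environment variables wins; otherwise a complete set
    of role vars (placeholder keys: the logical names above); otherwise raise.
    Secret *values* never appear in the error message, only the names that
    are missing, so the check is safe to surface in CI logs.
    """
    if env is None:
        env = os.environ
    try:
        required = PROVIDER_ENV_VARS[provider]
    except KeyError:
        raise ValueError(f"unknown provider {provider!r}") from None

    env_creds = {key: env.get(var) for key, var in required.items()}
    if all(env_creds.values()):
        return "environment", env_creds
    if any(env_creds.values()):
        # A half-set environment is the classic "forgot one variable" case;
        # say so instead of silently falling through to role vars.
        partial = [var for key, var in required.items() if not env_creds[key]]
        warnings.warn(f"{provider}: environment incomplete, missing {partial}; trying role vars")

    role_creds = {key: role_vars.get(key) for key in required}
    if all(role_creds.values()):
        return "role_vars", role_creds

    missing_env = [var for key, var in required.items() if not env_creds[key]]
    missing_vars = [key for key in required if not role_creds[key]]
    raise MissingCredentials(
        f"{provider}: set env {missing_env} or role vars {missing_vars} before running"
    )


def preflight(providers, role_vars, env=None):
    """Check every provider the play will touch up front.

    Returns {provider: source}. Raising here (before the ACME key step) is the
    point of the check: the failure surfaces before anything is regenerated.
    """
    return {p: resolve_credentials(p, role_vars, env)[0] for p in providers}


if __name__ == "__main__":
    # Constructed sample environment; values are not real credentials.
    sample_env = {"AWS_ACCESS_KEY_ID": "AKIA-CONSTRUCTED", "AWS_SECRET_ACCESS_KEY": "constructed-secret"}
    print(preflight(["aws"], {}, sample_env))
```

The warning on a partially set environment is the detail worth keeping: it distinguishes "the user chose role vars" from "the user typed one variable name wrong", which is exactly the case that otherwise only shows up when the DNS module fails.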