
Passing Vault Passwords to Ansible Playbooks in Jenkins Pipelines using Named Pipes

The Problem

Passing vault passwords to Ansible in Jenkins involves one of:

  • Ansible prompting for the vault password (since 2.4 this works only via a tty, so the password cannot be piped in – and working around that may risk exposing the password in the process list).
  • Pointing Ansible at a file containing the plaintext vault password – with the risk of someone finding it.
  • Pointing Ansible at a script that can (somehow) provide the vault password (from somewhere).

Another option I’ve been playing with is passing the vault password via a named pipe: once Ansible has read the password from the pipe, it is gone – one-shot. See below.

Named Pipes

Named pipes, also known as FIFOs.

As soon as Ansible consumes the entry in the pipe, it is gone, which minimises the exposure of the password.

Combine this with random temporary file names so the pipe’s location cannot be guessed in advance.
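The following is an added example, not code from the original post, showing the mechanics described above: a FIFO with an unpredictable name in a private temporary directory, a background writer that places the password in it, and a reader that consumes it exactly once and then removes the pipe. The password value and the `demo` function are constructed for illustration; the `ansible-playbook` invocation is only mentioned in the usage note and is not run here.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): one-shot delivery of a secret via a named pipe.
# A plain read stands in for the consumer (e.g. ansible-playbook reading a vault password file).

# make_fifo: create a FIFO with a random name inside a fresh 0700 directory; print its path
make_fifo() {
  dir=$(mktemp -d)                                   # private, unpredictable directory
  rnd=$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')
  fifo="$dir/vault-$rnd"
  mkfifo -m 0600 "$fifo"                             # owner-only access to the pipe itself
  printf '%s\n' "$fifo"
}

# feed_secret: write the secret into the FIFO from a background subshell.
# The writer blocks on open() until a reader opens the pipe, so nothing is buffered on disk.
feed_secret() {
  fifo=$1
  secret=$2
  ( printf '%s\n' "$secret" > "$fifo" ) &
}

# consume_once: read the FIFO a single time, then remove pipe and directory; print the value
consume_once() {
  fifo=$1
  IFS= read -r value < "$fifo"
  rm -f "$fifo"                                      # the secret is now gone from the filesystem
  rmdir "$(dirname "$fifo")" 2>/dev/null
  printf '%s' "$value"
}

# demo: full round trip with a constructed password; exits non-zero if the pipe survives
demo() {
  f=$(make_fifo)
  feed_secret "$f" "constructed-vault-password"
  pw=$(consume_once "$f")
  if [ -e "$f" ]; then
    echo "fifo still exists" >&2
    return 1
  fi
  printf '%s\n' "$pw"
}
```

In a pipeline step the consumer would be `ansible-playbook --vault-password-file "$fifo" site.yml`, started after `feed_secret`; because the writer and reader rendezvous on the pipe, the password never appears on a command line or in a regular file, and a second reader finds nothing.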

In a Jenkins Pipeline, could this be simplified with a Groovy script that sets the pipe up?

Alternatively, could Groovy instead create a one-shot script that returns the vault password if the Ansible process calling it can present a shared secret (e.g. an environment variable passed to Ansible – though this again could be visible in the process table)?

Either of the above two approaches could limit the exposure of the vault password…

Has anybody found a genuinely secure way to pass vault passwords to Ansible Playbooks in a Jenkins Pipeline?

Update:

My final solution: