[ale] help for handling passwords from dbas

Kyle Brieden kyle at txmoose.com
Tue Jun 5 13:43:50 EDT 2018


We have some secrets that must be in environment variables for 
containers, so we do something similar.  Jenkins creates a 
public/private keypair for each environment, stores the private key in 
its secret store, then makes the pub keys available via the repos.  We 
can create an env file (literally just a file with bash variable 
assignments), name it something according to a well-known pattern, 
encrypt the file with the pub key for said environment, then push the 
encrypted file up to our internal git repos.  When Jenkins runs later, 
we have logic that looks for well-known-encrypted-file-name-patterns, 
decrypts them, then uses them.

Feel free to reach out to me if you need more description of the process 
or anything.

---
Very respectfully,
Kyle Brieden

On 04-06-2018 23:52, Narahari 'n' Savitha via Ale wrote:
> Friends:
> 
> Need help on how to solve an issue.
> 
> Our DBA friends are required to type a password in (DB password) to be
> able to run some SQ
> This works well.  We want to automate this.
> 
> I am thinking that I provide the gpg public key and the DBA's w
> create a text file with user id and password on their computer and
> encrypt it with the public key.
> 
> They upload that file to our Jenkins server and with the private key
> the script will get the password and run the script.
> 
> This way I can do this in an alternative manner.
> 
> Any issues with this approach and any better approach is solicited.
> 
> I am looking at ansible-vault but not sure if it makes it any better
> or secure ?
> 
> -Narahari
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> https://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
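
Added example (not code from this thread or from the setup described in the reply): one way the Jenkins-side step could find, decrypt and read the encrypted env files, parsing the plaintext as data instead of sourcing it, since a public key keeps the contents confidential but does not show who encrypted them. It assumes GnuPG as the encryption tool; the file-name pattern and all function names are hypothetical.

```python
import re
import subprocess
from pathlib import Path

# Assumed naming convention (hypothetical): secrets.<environment>.env.gpg
PATTERN = "secrets.{env}.env.gpg"
# NAME=value where value is single-quoted (literal in bash) or bare safe chars.
LINE = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)=(?:'([^']*)'|([A-Za-z0-9_@%+=:,./-]*))")
# Constructed sample plaintext, for illustration only.
SAMPLE = "# db credentials\nDB_USER=app_rw\nDB_PASS='s3cr3t value'\n"


def find_encrypted_env_files(repo_root, env):
    """Return every file in the checkout matching the well-known pattern."""
    return sorted(Path(repo_root).rglob(PATTERN.format(env=env)))


def decrypt(path):
    """Decrypt with gpg; assumes the job has imported the environment's private key."""
    result = subprocess.run(
        ["gpg", "--batch", "--quiet", "--decrypt", str(path)],
        check=True, capture_output=True,
    )
    return result.stdout.decode("utf-8")


def parse_env(text):
    """Parse assignments as data; never `source` the decrypted file.
    Anyone with the public key can encrypt, so the plaintext is untrusted."""
    env = {}
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = LINE.fullmatch(stripped)
        if match is None:
            # Report only the line number so secret values never reach the build log.
            raise ValueError(f"line {number}: not a plain NAME=value assignment")
        name, quoted, bare = match.groups()
        env[name] = quoted if quoted is not None else bare
    return env


def load_secrets(repo_root, env):
    """Decrypt every matching file and merge the parsed variables."""
    merged = {}
    for path in find_encrypted_env_files(repo_root, env):
        merged.update(parse_env(decrypt(path)))
    return merged
```

The resulting dictionary can be handed to the container runtime or to `subprocess.run(..., env=...)` without the file ever being evaluated by a shell.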