How can I pass a password to my python script when it prompts for a password. I do not want the user to enter the password when it prompts. It should be passed directly from the script.
subprocess.run(['ansible-vault', 'decrypt', 'main.yml', 'linux.yml','--ask-vault-pass'])
While running the script it prompts for the password. I want the password to be passed from script only not by the user or passing a password file.
Is there a way to pass the password here? I have other ansible vault option like vault-password etc but that doesn't serve my purpose.
Instead of using the cmdline ansible-vault, you can use the Python package - ansible-vault which will allow you to hardcode the password inside the script itself:
from ansible_vault import Vault
vault = Vault('password')
main_data = vault.load(open('main.yml').read())
linux_data = vault.load(open('linux.yaml').read())
As you are hardcoding the password inside the code, ensure you don't commit this code anywhere or send it to anyone, it's a serious security risk.
Related
I made a service with python which will call this app made with pyinstaller using subprocess.popen. It makes a call to getpass.getuser() but instead of the username it returns the computer-name.
I've tried getpass.getuser() / os.environ['username'] / win32api.GetUserName()
but all return Computer-Name and not username.
BTW here, computer name refers to "DESKTOP-Q..." and username is the username of the person logged in ( here "wasim" )
Any method to get the username and not the computer-name ?
Ok i solved it ! not by using getpass but by using psutil.
so the service by default runs under LOCAL SYSTEM account, which means it's running in a completely different environment.
my situation required me to have the service running in LOCAL SYSTEM account and not the user's account as the user of the system may change ( from AD ).
to achieve this i did...
>>> import psutil
>>> psutil.users()[0].name
psutil.users() returns a list of logged in users
I would like to securely ask a password to a user and then pass it to subprocess.Popen to run a command that requires it.
I have seen this question and that one, but I wonder if I can securely pass the password via the subprocess environment like that:
import subprocess, os
user_password = input("what is you password?")
my_env = os.environ.copy()
my_env["userpass"] = user_password
my_command = "python --version"
subprocess.Popen(my_command, env=my_env)
Will the password be flushed once the python script is closed ? I have look at the subprocess documentation but it's not explained.
When I add this line print(os.environ['userpass']) at the end of my code to print the OS environment, I can retrieve the user password. Do it means that the password can be access by the other running processes ?
Edit: I can't pipe the password as the command I use doesn't read its password from standard input
I'm using the Python requests library to make a call to an API that requires Windows Authentication. In C# I have always used the Directory Services, which has allowed me to avoid putting passwords in any of my code or configurations. From what I have found online, it seems that my only option in Python is to have a password somewhere. I have a service account that I will use, but I need to store the password securely. What is the best way to securely store and retrieve a service account password in Python without hard coding plain text?
The code that I am currently using is below. I have the username and password stored in plain text in my configuration:
auth = HttpNtlmAuth(
config.ServiceAccount["Username"],
config.ServiceAccount["Password"]
)
content = requests.post(call_string, json=parameters, auth=auth)
Edit: I should mention that this will not be a user-facing application. It will run as a batch job. So there will not be any way for a user to enter the username/password while running the application.
You could just not store the password at all and require the user to provide the password at runtime
import getpass
user = getpass.getuser()
password = getpass.getpass()
Otherwise, you could do something similar to git and just have the user store their password in plaintext in a config file in their home directory that you then read at runtime.
I know I asked this question a while ago, but I found a better solution to the NTLM/Windows authentication. I used the requests_negotiate_sspi library to avoid any passwords:
from requests_negotiate_sspi import HttpNegotiateAuth
auth = HttpNegotiateAuth()
content = requests.post(call_string, json=parameters, auth=auth)
I want to access HDFS jceks (password alias is created) in python script for secure login. Can anyone help with with python code /steps to do so.
Thank you
You may use the hadoop configuration to access the password from python code.
Only thing you would need is to instanciate a hadoop configuration and use the property hadoop.security.credential.provider.path to set and retrieve the password using getPassword
You could use Spark also to read the jecks password from inside your code:
Python:
spark1 = SparkSession.builder.appName("xyz").master("yarn").enableHiveSupport().config("hive.exec.dynamic.partition", "true").config("hive.exec.dynamic.partition.mode", "nonstrict").getOrCreate()
x = spark1.sparkContext._jsc.hadoopConfiguration()
x.set("hadoop.security.credential.provider.path", "jceks://file///localpathtopassword")
a = x.getPassword("<password alias>")
passw = ""
for i in range(a.__len__()):
passw = passw + str(a.__getitem__(i))
In the above code you shall get the password string in passw
I have a script which will log into a STMP server (GMail's) to send an email notification. How can I do this without distributing the password in plain text?
Have the script request the password when running.
Note, I wouldn't advise that it accept the password as a command line argument as this isn't very secure because it will be logged in the command history etc.
You can have the script look for an environmental variable for the password:
import os
password = os.environ['GMAIL_PASSWD']
check if your provider offers an smtp server that doesn't require authentication and use that instead.