Ansible: using secrets for user password
I guess we all have a bootstrap that creates the ansible user and gives it passwordless sudo rights. There are ways around that, but that is not what this is about.

I create my user with:

    - name: create ansible user
      user:
        name: ansible
        state: present
        # the user module expects a crypted value, so hash the vaulted plaintext
        password: "{{ ansible_user_password | string | password_hash('sha512') }}"
        # only set the password when the account is first created
        update_password: on_create
        shell: /bin/bash
        groups: sudo
        append: yes

Notice 'ansible_user_password'; that is a variable set somewhere else:

    vars:
      ansible_user_password: !vault |
        $ANSIBLE_VAULT;1.1;AES256
        .....
        353064646365326663373339393239363735

But where does the encrypted value come from? Using 'ansible-vault' one can create encrypted values, which are either kept in password vault files or placed directly in your playbook (like above):

    $ ansible-vault encrypt_string

Give it a password (this is the vault password which you need to unlock it when you run ...
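As an added example (not from the original post): a small Python check for a vars file that flags secret-looking keys left in plaintext and inline '!vault |' values whose envelope is malformed, for instance after a truncated paste. The function names, the key-name pattern and the sample vars are assumptions constructed for illustration; the check is structural only and does not decrypt anything.

```python
import binascii
import re
from itertools import takewhile

HEADER = re.compile(r"^\$ANSIBLE_VAULT;(1\.1|1\.2);AES256(;\S+)?$")
SECRET_KEY = re.compile(r"^(\s*)(\w*(?:password|secret|token)\w*):\s*(.*)$", re.I)
NOT_SECRETS = {"update_password"}  # user-module option, not a credential

def check_envelope(block):
    """Return None if an inline vault value is structurally sound, else a reason."""
    lines = [ln.strip() for ln in block.strip().splitlines()]
    if not lines or not HEADER.match(lines[0]):
        return "missing or malformed $ANSIBLE_VAULT header"
    try:
        inner = binascii.unhexlify("".join(lines[1:]))
        salt, mac, ct = (binascii.unhexlify(p) for p in inner.split(b"\n"))
    except ValueError:  # bad hex, or not exactly three parts
        return "payload is not hex(salt), hex(hmac), hex(ciphertext)"
    if len(salt) != 32 or len(mac) != 32 or not ct:
        return "unexpected salt, HMAC or ciphertext length"
    return None

def lint_vars(text):
    """Return (line_no, key, problem) for secret-looking keys that are not safely vaulted."""
    lines, findings = text.splitlines(), []
    for i, line in enumerate(lines):
        m = SECRET_KEY.match(line)
        if not m or m.group(2) in NOT_SECRETS:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        problem = None
        if value.startswith("!vault"):  # collect the more-indented block that follows
            deeper = lambda n: not n.strip() or len(n) - len(n.lstrip()) > indent
            problem = check_envelope("\n".join(takewhile(deeper, lines[i + 1:])))
        elif value and "{{" not in value:  # neither templated nor a nested mapping
            problem = "plaintext value, not vault-encrypted"
        if problem:
            findings.append((i + 1, key, problem))
    return findings

def sample_vars():
    """Constructed vars file: the envelope has the right shape but is not real vault output."""
    parts = (bytes(32), bytes(range(32)), b"\x11" * 16)
    outer = binascii.hexlify(b"\n".join(binascii.hexlify(p) for p in parts)).decode()
    rows = [outer[i:i + 80] for i in range(0, len(outer), 80)]
    good = "\n".join(["$ANSIBLE_VAULT;1.1;AES256"] + rows)
    indent = lambda s: "".join("    " + ln + "\n" for ln in s.splitlines())
    return ("ansible_user_password: !vault |\n" + indent(good)
            + "db_password: !vault |\n" + indent(good[:-3])  # simulated truncated paste
            + "api_token: not-a-real-token\n")
```

Calling lint_vars(sample_vars()) reports the truncated 'db_password' value and the plaintext 'api_token', and leaves the well-formed 'ansible_user_password' alone.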