Ansible: using secrets for user password

I guess we all have a bootstrap which creates the ansible user and gives it passwordless sudo rights. There are ways around that, but that is not what this is about.

I create my user with:


Notice the 'ansible_user_password'; that is a variable set somewhere else:



But where does the encrypted value come from? Using 'ansible-vault' one can create encrypted values, which are either kept in password vault files or placed directly in your playbook (like above):

$ ansible-vault encrypt_string

Give it a password (this is the vault password, which you need to unlock it when you run your playbook!):

New Vault password:
Confirm New Vault password:

Reading plaintext input from stdin. (ctrl-d to end input, twice if your content does not already have a newline)

Type in the text you want to encrypt, like the password for your ansible user, and finish with CTRL+d, and you'll get:

Encryption successful
!vault |


Now in your playbook add:

And as shown above, you use it with:

password: "{{ ansible_user_password | string | password_hash('sha512') }}"

Now when you run your playbook you need to give it the vault password, which you do with '--ask-vault-pass':

$ ansible-playbook my-playbook.yml -l localhost --ask-vault-pass

Btw, notice the 'string' in the above; it will not work without it.

That's it.
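
The pieces described above, put together in one playbook. This is an added example, not the author's own playbook: the user name `ansible`, the shell path, `update_password` and `no_log` are assumptions, and the vault block is a placeholder to be replaced with the full output of `ansible-vault encrypt_string`.

```yaml
# Added example, not the blog author's playbook.
# Assumed names: the user "ansible" and the shell path.
- hosts: all
  become: true
  vars:
    # Paste the complete output of `ansible-vault encrypt_string` here.
    # The lines below are a placeholder, not real ciphertext.
    ansible_user_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      <PLACEHOLDER: hex lines printed by ansible-vault encrypt_string>

  tasks:
    - name: Create the ansible user with a hashed password
      ansible.builtin.user:
        name: ansible
        shell: /bin/bash
        # The vaulted value is decrypted at run time, cast to a plain string
        # (the post notes it does not work without '| string'), then hashed
        # with SHA-512 crypt so only the hash is written to /etc/shadow.
        password: "{{ ansible_user_password | string | password_hash('sha512') }}"
        # password_hash without a fixed salt yields a different hash on every
        # run, so the task would report "changed" each time. on_create sets
        # the password only when the account is first created.
        update_password: on_create
      # Keep the rendered hash out of task output and logs.
      no_log: true
```

Run it with `--ask-vault-pass` as shown above; without the vault password the variable cannot be decrypted and the play fails.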

