Ansible: using secrets for user password
I guess we all have a bootstrap which creates the ansible user and gives it passwordless sudo rights. There are ways around that, but that is not what this is about.
I create my user with:
Notice the 'ansible_user_password'; that is a variable set somewhere else:
But where does the encrypted value come from? Using 'ansible-vault' one can create encrypted values, which are kept either in password vault files or directly in your playbook (like above):
$ ansible-vault encrypt_string
Give it a password (this is the vault password which you need to unlock it when you run your playbook!):
New Vault password:
Confirm New Vault password:
Reading plaintext input from stdin. (ctrl-d to end input, twice if your content does not already have a newline)
Type in the text you want to encrypt, like the password for your ansible user, and finish with CTRL+d, and you'll get:
Now in your playbook add:
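An added example, not the author's playbook, of how the vaulted 'ansible_user_password' and the bootstrap tasks can fit together. It assumes the vaulted value is the plaintext password, a user named `ansible`, and a sudoers drop-in at `/etc/sudoers.d/ansible`; the vault block is a placeholder to be replaced with your own `encrypt_string` output.

```yaml
# bootstrap.yml: added example; user name, paths and variable layout are assumptions
- name: Bootstrap the ansible user
  hosts: all
  become: true
  vars:
    # Paste the block printed by `ansible-vault encrypt_string` here.
    # The value below is a placeholder, not real vault output.
    ansible_user_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      <PLACEHOLDER: hex lines from ansible-vault encrypt_string>
  tasks:
    - name: Create the ansible user
      ansible.builtin.user:
        name: ansible
        shell: /bin/bash
        # The user module expects a crypt(3) hash, not plaintext, so the
        # decrypted vault value is hashed before it reaches the target.
        password: "{{ ansible_user_password | password_hash('sha512') }}"
        # password_hash picks a random salt on every run; on_create stops
        # the task from reporting "changed" and rewriting the hash each time.
        update_password: on_create
        state: present
      # Keep the decrypted value and the hash out of task output and logs.
      no_log: true

    - name: Grant passwordless sudo
      ansible.builtin.copy:
        dest: /etc/sudoers.d/ansible
        content: "ansible ALL=(ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: "0440"
        # Refuse to install a sudoers file that does not parse.
        validate: /usr/sbin/visudo -cf %s
```

Run it with `ansible-playbook --ask-vault-pass bootstrap.yml` so Ansible prompts for the vault password chosen above.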