Ansible: using secrets for user password

Get link
Facebook
X
Pinterest
Email
Other Apps

December 22, 2022

I guess we all have a bootstrap which creates the ansible user and give it password less sudo rights. There are ways around that, but that is not what this is about.

I create my use with:

- name: create andible user
    user:
      name: ansible
      state: present        
      password: "{{ my_secret_password | string | password_hash('sha512') }}"
      update_password: on_create
      shell: /bin/bash
      groups: sudo
      append: yes

notice the 'ansible_user_password', that is variable set somewhere else:

vars:
    ansible_user_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      .....
      353064646365326663373339393239363735

But where does the encrypted value come from, using 'ansible-vault' one can create encrypted values, which either are kept in password vault files, or just in your playbook (like above):

$ ansible-vault encrypt_string

Give it a password (this is the vault password which you need to unlock it when you run your playbook!!

New Vault password:
Confirm New Vault password:

Reading plaintext input from stdin. (ctrl-d to end input, twice if your content does not already have a newline)

Type in the text you want to encrypte, like the password for your ansible user, and finish with CTRL+d, and you'll get:

Encryption successful
!vault |
$ANSIBLE_VAULT;1.1;AES256
31326437316636616....

$ ansible-vault encrypt_string
New Vault password:
Confirm New Vault password:
Reading plaintext input from stdin. (ctrl-d to end input, twice if your content does not already have a newline)
this is a test
Encryption successful
!vault |
          $ANSIBLE_VAULT;1.1;AES256
          31326437316636616432653738376531636436653463346363366661656334646532313036346563
          6131636231646365383865336139306266323732343264350a363362663337303434653161393161
          32623661393736666462646461356334626439623262656136383265393238316264373364666531
          3732336534633165390a613839373737346439363866623436303366393237613833303034336438
          6537

Now in your playbook add:

vars:
    my_secret_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          313264373166366164326....

And as shown above, you use with:

password: "{{ ansible_user_password | string | password_hash('sha512') }}"

Now when you run your playbook you need to give it the vault password, which you do with '--ask-vault-pass'

$ ansible-playbook my-playbook.yml -l localhost --ask-vault-pass

btw. notice the 'string' in the above, it will not work without it.

That's it.

Get link
Facebook
X
Pinterest
Email
Other Apps

Comments

Britney said…

This was a llovely blog post

October 18, 2024 at 1:19 AM

Kviknet and IPv6

October 23, 2022

I decided to switch ISP, mainly due to Hiper (Danish) was using a VLAN for their connection which made pfSense and my APU3 board require a reboot everytime I changed anything. Kviknet has a good reputation (wonder why) in Denmark, they are not cheap and they have the same opening hours as everyone else - meaning until 16:30 and closed during weekends. I sometimes wonder how companies who need 24/7 internet get on with that ... well it's Denmark. Kviknet has an interesting way to do IPv6, your router get and SLAAC assigned IPv6 address on the public side (wan) and you get a ::/48 network from Kviknet to use on your lan. To some degree it does make sense, you can then configure your lan with static addresses as you see fit, and for dynamic assignment you use RA stateless dhcp *) ... which works for everything. (I need to get my piHole configured with an static IPv6 so that I can use that ...). pfSense is a pain, I do like it, but they are light years behind their main c...

Apple AirPort Express and Digital Jitter..

August 05, 2016

I'm doing something which I can't really afford, but doing it anyway ... I'm upgrading my Stereo ... I like music, and believe it should be played at the highest affordable quality. So after getting a new Stereo Amp (Creek Evolution 50A), I got a new Phono Amp. and then started looking for a DAC ... and after reading I do not know how many posts I decided to get an S.M.S.L M8 (from Amazon fro €249.99), not too expensive and according to what I can read very good. So I got it hooked it up to my amp, connected my Notebook (Macbook Air 11" / 2011) using USB ... sounded nice, then my Macbook Pro Retina with digital (fiber) in some way better than USB, slightly more air and openness. Then decided to use my old Apple Airport Express ( MB321LL/A - 802.11n version 1) using it's digital output (I don't like the build in DAC - it's a bit too dark for me), and this is where I started having doubts about my buy. There was drop out, all the time. Right I changed, to...

MacOS Ventura: not able to ssh to ruckus switch (diffie-hellman-group1-sha1)

December 09, 2022

I upgrade to Ventura and replaced my Intel MacMini with an M2 MacBook Air ... everything was working, then I wanted to ssh to my Ruckus ICX 7150-C12 (08.0.95fT211), and got an error: Unable to negotiate with my-switch port 22: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 Hummm, WTF.... I've seen similar things before when you upgrade FW or OS suddenly ssh will no longer work as a protocol or cipher have been deprecated. As I do not feel like upgrading my switch I had to do something else. I found this on serverfaul t, helped to a part of the way, and then a bit more googling I found the solution, which might be overkill. I ended up adding this in my ~/.ssh/config for the switch: Host my-switch KexAlgorithms=+diffie-hellman-group1-sha1 PubkeyAcceptedKeyTypes ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512 HostkeyAlgorithms +ssh-rsa And now I can access my switch again. Yes, I know upgrading...

Casper's Life