Ansible: using secrets for user password

I guess we all have a bootstrap which creates the ansible user and gives it passwordless sudo rights. There are ways around that, but that is not what this is about.

I create my user with:

Notice the 'ansible_user_password'; that is a variable set somewhere else:

But where does the encrypted value come from? Using 'ansible-vault' one can create encrypted values, which are kept either in vault files or directly in your playbook (like above):

$ ansible-vault encrypt_string

Give it a password (this is the vault password, which you need to unlock it when you run your playbook!!)

New Vault password:
Confirm New Vault password:

Reading plaintext input from stdin. (ctrl-d to end input, twice if your content does not already have a newline)

Type in the text you want to encrypt, like the password for your ansible user, and finish with CTRL+d, and you'll get:

Encryption successful
!vault |
          $ANSIBLE_VAULT;1.1;AES256
          31326437316636616....

Now in your playbook add:

And as shown above, you use it with:
password: "{{ ansible_user_password | string | password_hash('sha512') }}"
Now when you run your playbook you need to give it the vault password, which you do with '--ask-vault-pass':
$ ansible-playbook my-playbook.yml -l localhost --ask-vault-pass
btw. notice the 'string' filter in the above; it will not work without it.
That's it.
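The whole procedure put together as one playbook, as an added example (this is not the original post's own code): the user name 'ansible', the 'sudo' group and the sudoers file are assumptions, and the encrypted value is a placeholder you replace with your own ansible-vault encrypt_string output.

```yaml
---
# Added example, not from the original post. Bootstraps the ansible user
# with a password that is stored vault-encrypted in the playbook itself.
- name: Bootstrap the ansible user
  hosts: all
  become: true

  vars:
    # Paste the output of `ansible-vault encrypt_string` here verbatim.
    # PLACEHOLDER: the body below is not a real encrypted value.
    ansible_user_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      <paste the hex lines printed by ansible-vault encrypt_string here>

  tasks:
    - name: Create the ansible user
      ansible.builtin.user:
        name: ansible
        shell: /bin/bash
        groups: sudo            # assumption: Debian/Ubuntu style sudo group
        append: true
        # The vault value decrypts to the plaintext password; `string` turns
        # the vault object into a plain str so password_hash accepts it.
        password: "{{ ansible_user_password | string | password_hash('sha512') }}"
        update_password: on_create   # only set the hash when the account is created

    - name: Allow passwordless sudo for the ansible user
      ansible.builtin.copy:
        dest: /etc/sudoers.d/ansible      # assumption: sudoers.d is in use
        content: "ansible ALL=(ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s
```

Run it with `ansible-playbook bootstrap.yml --ask-vault-pass`, or with `--vault-password-file` for unattended runs. Because password_hash is given no fixed salt, it produces a different hash on every run; `update_password: on_create` keeps the task idempotent, so the password is only written when the account is first created and a later run does not report the user as changed.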
