Ansible - Become and --vault-password-file command line option

If you are not familiar with "become", check out Ansible - Understanding Become Privilege Escalation.

When using "become" to perform a task that requires privilege escalation, there are scenarios where you need to pass in the become password. For example, let's say become is being used to reboot a system.

---
- hosts: all
  tasks:
    - name: "reboot using sudo"
      shell: "sudo reboot"
      args:
        warn: no      # suppress the warning about running sudo from the shell module
      become: yes

In this scenario, the --ask-become-pass command line flag is commonly used to pass in John Doe's password.

[john.doe server1]# ansible-playbook playbook.yml --ask-become-pass


Which would produce a prompt for John Doe's password.

BECOME password:


An alternative approach is to use the --vault-password-file command line option to pass in John Doe's password. First, the ansible-vault create command must be used to create an encrypted file that contains John Doe's password. In this example, two passwords will be used.

  • the vault password that secures .become_password.txt - let's say the password is "foo"
  • the become password stored inside .become_password.txt, which is John Doe's password - let's say the password is "bar"

ansible-vault create .become_password.txt


A second file will be created. In this example, the second file is named .vault_password.txt.

touch .vault_password.txt


Ensure only the owner of the file can read and write to the file.

chmod 0600 .vault_password.txt


Write your vault password ("foo" in this example) to the hidden password file.

echo "foo" > .vault_password.txt


Now you can invoke the ansible-playbook command with the --vault-password-file option followed by .vault_password.txt. Ansible reads the vault password from that file, uses it to decrypt .become_password.txt, and supplies John Doe's password to become, so the play is executed without being prompted for the become password.

ansible-playbook playbook.yml --vault-password-file .vault_password.txt
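As an added example that is not part of the original post, this playbook shows how the decrypted contents of .become_password.txt actually reach become: it assumes the plaintext you typed into ansible-vault create defines the ansible_become_password variable, and the playbook loads that vault-encrypted file with vars_files.

```yaml
# Added example, not from the original post. Assumes the plaintext entered
# into `ansible-vault create .become_password.txt` is exactly this one line:
#
#   ansible_become_password: bar
#
# Ansible reads the vault password ("foo") from .vault_password.txt, decrypts
# .become_password.txt, and "bar" is used as the become (sudo) password, so
# no "BECOME password:" prompt appears when the play is run with:
#
#   ansible-playbook playbook.yml --vault-password-file .vault_password.txt
---
- hosts: all
  vars_files:
    - .become_password.txt   # vault-encrypted; decrypted when the play starts
  tasks:
    - name: "reboot using become"
      shell: "reboot"
      become: yes
```

To check the wiring before running the play, `ansible-vault view .become_password.txt --vault-password-file .vault_password.txt` should print just the ansible_become_password line.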


Web design by yours truly - me, myself, and I   |   jeremy.canfield@freekb.net   |