Ansible - Securing passwords with Ansible

There are a few ways that passwords can be secured with Ansible.

For example, let's say you have a playbook that has a task to create a user account. Notice in this example that the clear text password "itsasecret" is being used.

---
- hosts: all
  tasks:
  - name: create john.doe account
    user:
      name: john.doe
      password: itsasecret
      state: present
...

 

The following warning will be returned.

[WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this module to work properly.

 

As the warning suggests, the password must be hashed. Notice in this example that the clear text password is still included, as a string literal wrapped in single quotes, and is only hashed by the password_hash filter when the playbook runs. For security reasons, a user's password is almost never embedded in the playbook like this.

---
- hosts: all
  tasks:
  - name: create john.doe account
    user:
      name: john.doe
      password: "{{ 'itsasecret' | password_hash('sha512') }}"
      state: present
...
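A check a practitioner might run before committing a playbook, added here as an example and not part of the original article: a POSIX shell function that scans a playbook for password: values carrying a literal secret, whether as clear text or as a quoted string at the start of the Jinja expression, while accepting inline !vault values and expressions that begin with a variable name. The sample playbook it scans is constructed for the demonstration (the vault blob in it is a placeholder), and the one idiom it knows about, '%s' | format(var) as used with vault values further down this article, is reduced to the variable it forwards before the check.

```shell
#!/bin/sh
# Added example, not from the original article: a pre-commit style guard that flags
# "password:" values in a playbook which carry a literal secret. Accepted values are
# inline !vault blobs and Jinja expressions that start with a variable name, e.g.
# "{{ password | password_hash('sha512') }}". The sample playbook is constructed.

# check_playbook FILE: prints each offending line, returns 1 if any were found, else 0.
check_playbook() {
  rc=0
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    t=${line#"${line%%[! ]*}"}            # drop leading spaces
    t=${t#- }                              # allow "- password:" list items
    case "$t" in
      password:*) ;;
      *) continue ;;
    esac
    value=${t#password:}
    value=${value#"${value%%[! ]*}"}
    case "$value" in
      '!vault'*) continue ;;               # inline encrypted value
      *"{{"*"}}"*)
        # "'%s' | format(var)" only forwards var, so reduce the idiom to the variable
        expr=$(printf '%s' "$value" | sed "s/'%s' *| *format(\([^)]*\))/\1/")
        expr=${expr#*"{{"}
        expr=${expr#"${expr%%[! ]*}"}
        case "$expr" in
          "'"* | '"'*) ;;                  # expression begins with a quoted literal: a secret
          *) continue ;;                   # begins with a variable name: fine
        esac
        ;;
    esac
    printf 'line %d: literal password value: %s\n' "$n" "$value"
    rc=1
  done < "$1"
  return "$rc"
}

# Constructed sample mixing the article's variants; the vault blob is a placeholder.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
---
- hosts: all
  vars:
    password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          PLACEHOLDER_VAULT_CIPHERTEXT
  tasks:
  - name: clear text, flagged
    user:
      name: john.doe
      password: itsasecret
  - name: hashed in place but the secret is still in the file, flagged
    user:
      name: john.doe
      password: "{{ 'itsasecret' | password_hash('sha512') }}"
  - name: prompted or vaulted variable, accepted
    user:
      name: john.doe
      password: "{{ password | password_hash('sha512') }}"
  - name: the article's format() idiom on the vaulted variable, accepted
    user:
      name: john.doe
      password: "{{ '%s' | format(password) | regex_replace('\n', '') | password_hash('sha512') }}"
EOF

if check_playbook "$SAMPLE"; then
  echo "clean"
else
  echo "literal password values found, refuse to commit"
fi
```

Run against the sample, the function reports the two tasks that carry "itsasecret" and accepts the prompted, vaulted and format() variants. It is a line-oriented heuristic, not a YAML parser, so it is meant as a cheap guard in a pre-commit hook rather than a replacement for keeping secrets out of playbooks in the first place.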

 


vars_prompt

One option is to use vars_prompt.

Instead of defining the variable in the playbook, vars_prompt creates a prompt that defines the variable when the playbook runs (private: yes keeps the typed value from being echoed to the terminal). In this example, 

---
- hosts: all
  vars_prompt:
  - name: password
    prompt: please enter your password
    private: yes

  tasks:
  - name: create john.doe account
    user:
      name: john.doe
      password: "{{ password | password_hash('sha512') }}"
      state: present
...

 

AVOID TROUBLE

Variables passed with the -e or --extra-vars command line option, Extra Variables in Tower, and variables set with the set_fact module will take precedence over the value entered at the vars_prompt.

 


Ansible Vault

Another option is to use Ansible Vault.

The ansible-vault create or ansible-vault encrypt commands are used to create an encrypted file that contains the user's password.

ansible-vault create locker.yml

 

Let's say the password in locker.yml is "itsasecret". Attempting to view the locker.yml file using the cat command will display something like this (the hex blob is the encrypted content, not the password).

$ANSIBLE_VAULT;1.1;AES256
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531

 

Let's say users.yml is the playbook to create John Doe's user account. Here is how you could use the vault encrypted string in users.yml.

---
- hosts: all
  vars:
    password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          66303833643731313633343266616162613965636161313534376563383639646463376630626635
          3136316663626536303061333531303234616562323637330a373633393736393863373566623261
          65643764336263613730666665663763383063386137383331386136366232666637626566653032
          3933393061666138650a656238386665343838613833643435623932306539633138376533613039
          6531
  tasks:
    - name: create john.doe account
      user:
        name: john.doe
        password: "{{ '%s' | format(password) | regex_replace('\n', '') | password_hash('sha512') }}"
        state: present
...

 

When invoking users.yml to create John Doe's user account, one option is to use the --ask-vault-pass flag, which will prompt you for the vault password that was used to encrypt locker.yml.

ansible-playbook users.yml --ask-vault-pass

 

Better yet, the password that was used to encrypt locker.yml could be placed in a file, such as .vault_password.txt. Use single quotes so that the shell does not expand the $ and ! characters in the password.

echo 'kdj$gj!mfn8$jf' > .vault_password.txt

 

And then change the permissions of .vault_password.txt so that only the owner of the file can read and write it.

chmod 0600 .vault_password.txt

 

And now the --vault-password-file command line option can be used.

ansible-playbook users.yml --vault-password-file /usr/local/vault/.vault_password.txt
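The same file creation, done so that the permissions are restrictive from the moment the file exists rather than tightened afterwards with chmod, plus a check that can run before ansible-playbook to refuse an over-permissive or missing file. This is an added example, not from the original article; the temporary directory and the password value it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: create the vault password file with the
# permission bits already restricted, and check the file before handing it to
# ansible-playbook --vault-password-file. Paths and the secret below are constructed.

# write_vault_password_file FILE PASSWORD
# The secret is passed as an argument only to keep the example self-contained; in practice
# read it from a prompt or a secret store so it does not land in shell history or ps output.
write_vault_password_file() {
  file=$1
  secret=$2
  # a subshell keeps the restrictive umask local; the file is created 0600 from the start,
  # and printf (unlike echo) never interprets backslashes or a leading dash in the secret
  ( umask 077 && printf '%s\n' "$secret" > "$file" )
}

# vault_password_file_ok FILE: returns 0 if FILE is a regular file that only its owner can
# read and write, 1 otherwise (missing, or any group/other permission bit set)
vault_password_file_ok() {
  file=$1
  [ -f "$file" ] || return 1
  mode=$(ls -l "$file" | cut -c1-10)
  [ "$mode" = "-rw-------" ]
}

# Demonstration in a throwaway directory; single quotes keep $ and ! literal
dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT
write_vault_password_file "$dir/.vault_password.txt" 'kdj$gj!mfn8$jf'
if vault_password_file_ok "$dir/.vault_password.txt"; then
  echo "ok: $dir/.vault_password.txt is owner-only, safe to pass to --vault-password-file"
else
  echo "refusing: $dir/.vault_password.txt is missing or readable by others" >&2
fi
```

Running the check in a wrapper script before ansible-playbook catches the common mistake of a vault password file that was created with the default umask and left group- or world-readable. The file should also be listed in .gitignore so it never ends up alongside the playbooks in version control.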

 


Survey (Ansible Tower)

If you are using Ansible Tower, the Survey option can be used to prompt for a password. However, be aware that if the job's verbosity is turned up to 4 (connection debugging) the password will be logged.


Web design by yours truly - me, myself, and I   |   jeremy.canfield@freekb.net   |