There are a few ways that passwords can be secured with Ansible.
For example, let's say you have a playbook with a task that creates a user account. Notice that in this example the clear-text password "itsasecret" is passed straight to the user module.
---
- hosts: all
  tasks:
    - name: create john.doe account
      user:
        name: john.doe
        password: itsasecret
        state: present
...
Running this playbook returns the following warning.
[WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this module to work properly.
As the warning says, the user module expects the password argument to already be a password hash, because it hands the value to the system's useradd or usermod unchanged; the password_hash filter produces that hash. Notice that in this example the clear-text password still appears in the playbook, as a single-quoted string inside the Jinja expression. For security reasons, a user's password is almost never embedded in a playbook like this. Also be aware that password_hash generates a fresh random salt on every run unless you pass one, so the hash differs each time and the task reports "changed" on every run; set update_password: on_create on the user task (or pass a fixed salt) if you want the task to be idempotent.
---
- hosts: all
  tasks:
    - name: create john.doe account
      user:
        name: john.doe
        password: "{{ 'itsasecret' | password_hash('sha512') }}"
        state: present
...
vars_prompt
One option is to use vars_prompt.
Instead of defining the variable in the playbook, vars_prompt asks the operator for it when the playbook starts; with private: yes the input is not echoed to the terminal. The value entered at the prompt is still clear text, so it must still go through password_hash before it reaches the user module. In this example,
---
- hosts: all
  vars_prompt:
    - name: password
      prompt: please enter your password
      private: yes
  tasks:
    - name: create john.doe account
      user:
        name: john.doe
        password: "{{ password | password_hash('sha512') }}"
        state: present
...
AVOID TROUBLE
A value supplied with the -e or --extra-vars command line option, as an Extra Variable in Tower, or with the set_fact module takes precedence over the value entered at the vars_prompt; if the variable is already defined through extra vars, the prompt is skipped entirely.
Ansible Vault
Another option is to use Ansible Vault.
The ansible-vault create or ansible-vault encrypt commands produce an encrypted file, which is useful when the file holds the user's password (ansible-vault create opens an editor, ansible-vault encrypt encrypts an existing file). A single value can instead be encrypted with ansible-vault encrypt_string, which prints a block you can paste into a playbook.
ansible-vault create locker.yml
Let's say the content of locker.yml is just the string "itsasecret". Viewing locker.yml with the cat command shows only the encrypted form, something like this.
$ANSIBLE_VAULT;1.1;AES256
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531
Let's say users.yml is the playbook that creates John Doe's user account. An encrypted value can be embedded in it directly as a !vault tagged string; the block below is what ansible-vault encrypt_string 'itsasecret' --name password prints (use --stdin-name password and type the value instead, so the clear-text password does not land in your shell history). A whole encrypted file such as locker.yml would instead be loaded with vars_files.
---
- hosts: all
  vars:
    password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      66303833643731313633343266616162613965636161313534376563383639646463376630626635
      3136316663626536303061333531303234616562323637330a373633393736393863373566623261
      65643764336263613730666665663763383063386137383331386136366232666637626566653032
      3933393061666138650a656238386665343838613833643435623932306539633138376533613039
      6531
  tasks:
    - name: create john.doe account
      user:
        name: john.doe
        # format() forces the decrypted vault value to a plain string and
        # regex_replace strips any trailing newline before it is hashed
        password: "{{ '%s' | format(password) | regex_replace('\n', '') | password_hash('sha512') }}"
        state: present
...
When invoking users.yml to create John Doe's user account, you need to supply the vault password that was used to encrypt the value. One way is the --ask-vault-pass flag, which prompts for it.
ansible-playbook users.yml --ask-vault-pass
Better yet, store the vault password in a file, such as /usr/local/vault/.vault_password.txt. Use single quotes so the shell does not expand $gj and $jf or history-expand the ! (with double quotes the file would end up holding the wrong password), and keep the file out of version control.
echo 'kdj$gj!mfn8$jf' > /usr/local/vault/.vault_password.txt
Then restrict the file so that only its owner can read and write it (or create it under umask 077 so it is never group- or world-readable, even briefly).
chmod 0600 /usr/local/vault/.vault_password.txt
Now the --vault-password-file command line option can be used. The vault password is still on disk in clear text, so this only moves the risk to that file; if the file is executable, Ansible runs it and uses its standard output as the vault password, which lets a script fetch the password from a secrets manager instead of storing it.
ansible-playbook users.yml --vault-password-file /usr/local/vault/.vault_password.txt
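The two checks a practitioner usually wants before a run using a vault password file are that the file itself is safe to use, and that the password in it actually matches the vault-encrypted material in the repository. The following Python is an added example, not part of the original article and not Ansible's own code. It relies on the documented layout of the $ANSIBLE_VAULT;1.1;AES256 envelope (an outer hex layer over "salt_hex\nhmac_hex\nciphertext_hex", with AES key, HMAC key and IV derived from the vault password and the 32-byte salt by PBKDF2-HMAC-SHA256, 10000 rounds, 80 bytes of output). Because the HMAC covers the ciphertext, a vault password can be verified against a blob using only hashlib and hmac, without decrypting. The PAGE_BLOB constant is the encrypted string from the article; the build_envelope helper exists only to construct self-test input and performs no AES, so any ciphertext it wraps is a constructed placeholder.

```python
"""Offline checks for Ansible Vault material.

Added example, not Ansible's own code. Relies on the v1.1 envelope layout:
hex(salt_hex + "\n" + hmac_hex + "\n" + ciphertext_hex), with keys from
PBKDF2-HMAC-SHA256(password, salt, 10000 rounds, 80 bytes) = AES | HMAC | IV.
"""
import binascii
import hashlib
import hmac
import os
import stat

VAULT_HEADER = "$ANSIBLE_VAULT"
PBKDF2_ROUNDS = 10000
KEY_LEN = 32   # AES-256 key and HMAC-SHA256 key
IV_LEN = 16    # AES block size

# The encrypted string shown in the article (its vault password is unknown here).
PAGE_BLOB = """$ANSIBLE_VAULT;1.1;AES256
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531
"""


def parse_envelope(text):
    """Split a vault blob into (salt, stored_hmac, ciphertext) byte strings."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    header = lines[0].split(";")
    if header[0] != VAULT_HEADER or header[1] not in ("1.1", "1.2") \
            or header[2] != "AES256":
        raise ValueError("unsupported vault header: %r" % lines[0])
    inner = binascii.unhexlify("".join(lines[1:]))    # strip the outer hex layer
    salt_hex, mac_hex, ct_hex = inner.split(b"\n")    # three inner hex fields
    return (binascii.unhexlify(salt_hex),
            binascii.unhexlify(mac_hex),
            binascii.unhexlify(ct_hex))


def derive_keys(password, salt):
    """Ansible's key schedule: returns (aes_key, hmac_key, iv)."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                  PBKDF2_ROUNDS, 2 * KEY_LEN + IV_LEN)
    return derived[:KEY_LEN], derived[KEY_LEN:2 * KEY_LEN], derived[2 * KEY_LEN:]


def vault_password_matches(envelope, password):
    """True iff the envelope's HMAC verifies under this vault password."""
    salt, stored_mac, ciphertext = parse_envelope(envelope)
    _, hmac_key, _ = derive_keys(password, salt)
    calc = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(calc, stored_mac)   # constant-time comparison


def build_envelope(password, salt, ciphertext):
    """Wrap an already-encrypted payload in a v1.1 envelope.

    Self-test helper only: the caller supplies the ciphertext bytes and no
    AES is performed here, so the payload is a constructed placeholder.
    """
    _, hmac_key, _ = derive_keys(password, salt)
    mac_hex = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest().encode()
    inner = b"\n".join([binascii.hexlify(salt), mac_hex, binascii.hexlify(ciphertext)])
    outer = binascii.hexlify(inner).decode("ascii")
    wrapped = [outer[i:i + 80] for i in range(0, len(outer), 80)]   # 80-column lines
    return "\n".join([VAULT_HEADER + ";1.1;AES256"] + wrapped) + "\n"


def write_vault_password_file(path, password):
    """Create the password file owner-only from the start (no chmod window)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(password + "\n")


def read_vault_password_file(path):
    """Return the password only if the file is a regular, owner-only file
    owned by the caller and holding exactly one non-empty line."""
    st = os.lstat(path)                       # lstat: do not follow symlinks
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("%s is not a regular file" % path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s is group/world accessible; chmod 0600 it" % path)
    if st.st_uid != os.geteuid():
        raise PermissionError("%s is not owned by the current user" % path)
    with open(path) as fh:
        lines = fh.read().splitlines()
    if len(lines) != 1 or not lines[0]:
        raise ValueError("%s must hold exactly one non-empty line" % path)
    return lines[0]
```

A pre-flight step in CI can call read_vault_password_file on the injected password file and then vault_password_matches against each encrypted string or file in the repository, failing early with a clear message instead of halfway through a play. This verifies the password; it does not decrypt, since that needs AES-256-CTR, which is what ansible-vault decrypt does.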
Survey (Ansible Tower)
If you are using Ansible Tower, a Survey on the job template can prompt for a password when the job is launched. However, be aware that if job verbosity is turned up to 4 (connection debugging), the password will appear in the job output log.