Bootstrap FreeKB - Ansible - Using an encrypted password with SSH and group_vars
Ansible - Using an encrypted password with SSH and group_vars

Updated:   |  Ansible articles

This assumes you are already familiar with making an SSH connection to target servers using Ansible. If not, check out my article Ansible - Getting Started with SSH.

If you are using basic auth to connect to target servers (username / password), this is typically first done with the --ask-pass command line flag, during testing/development. However, once your testing is done, there often is a need to figure out how to make the SSH connection without the --ask-pass command line flag. You could configure the default hosts file with your SSH username and password, but this isn't ideal, since your cleartext SSH password would be in the default hosts file. Better options are:

Almost always, a vault encrypted SSH password in group_vars is used. However, let's say you have a playbook with two (or more) plays, where only one of the plays should use a vault encrypted SSH password. This is a scenario where it may make sense to create a vault encryped file with your SSH password in a vars file.

---
- name: first play
  hosts: all
  tasks:
  - include_role:
    name: foo

- name: second play
  hosts: all
  vars_files:
    - vars/ssh.yml
  tasks:
  - include_role:
    name: bar
...

 

Create the groups_vars/all directory.

mkdir --parents group_vars/all

 

Create a hidden TXT file that will contain the password you will use for your Ansible Vault. This file does not need to reside in the group_vars/all directory, but for this example, it makes sense to create the hidden TXT file in the group_vars/all directory.

touch group_vars/all/.vault_password.txt

 

Append some random password to the hidden .vault_password.txt file.

echo 'abc123xyz456' > group_vars/all/.vault_password.txt

 

Update the hidden .vault_password.txt file to be read only.

chmod 0400 group_vars/all/.vault_password.txt

 

Use the ansible-vault create command is used to create an encrypted file. The password.yml file will open in your default editor. Enter your SSH password and save password.yml.

ansible-vault create password.yml --vault-password-file group_vars/all/.vault_password.txt

 

Use the cat command to view the encrypted data returned by password.yml.

$ANSIBLE_VAULT;1.1;AES256
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531

 

Create a YAML file in the group_vars/all directory. It doesn't matter what the name of the YAML file is as long as it's in the group_vars/all directory.

group_vars/all/ssh.yml

 

Update the YAML file to contain your SSH username and the encrypted content of password.yml.

IMPORTANT - Indentation matters here. There must be exactly 2 spaces before the encrypted password string

ansible_connection: ssh
ansible_user: john.doe
ansible_ssh_pass: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  66303833643731313633343266616162613965636161313534376563383639646463376630626635
  3136316663626536303061333531303234616562323637330a373633393736393863373566623261
  65643764336263613730666665663763383063386137383331386136366232666637626566653032
  3933393061666138650a656238386665343838613833643435623932306539633138376533613039
  6531

 

Remove the password.yml file, as it is no longer needed, since the encrypted password is now in the YAML file in the group_vars/all directory.

rm password.yml

 

You should now be able to connect to target servers and by default, the connection will using the SSH details in the YAML file in the group_vars/all directory. However, you are going to need to decrypt the group_vars/all/ssh.yml file. One way to do this is to include the --vault-password-file option on the command line.

ansible-playbook example.yml --inventory inventory.yml --vault-password-file group_vars/all/.vault_password.txt

 

Better yet, you could define vault_password_file your users personal ansible.cfg (e.g. /home/john.doe/ansible.cfg).

[defaults]
vault_password_file = /home/john.doe/.vault_password.txt

 

And then you should be able to run the ansible-playbook command without having to include the --vault-password-file option on the command line.

ansible-playbook example.yml --inventory inventory.yml

 

 




Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee



Comments


Add a Comment


Please enter dce9ab in the box below so that we can be sure you are a human.