How can I provide the SSH user passwords for a set of hosts in ansible using vault
Considering the following Ansible hosts file:

[webservers]        
server1.example.com ansible_ssh_pass=1234567
server2.example.com ansible_ssh_pass=2345678
server3.example.com ansible_ssh_pass=3456789

I would like to include these password values from a vault file and have a hosts file like (my intention is to have an ini inventory format):

[webservers]        
server1.example.com ansible_ssh_pass={{ ssh_pass }}
server2.example.com ansible_ssh_pass={{ ssh_pass }}
server3.example.com ansible_ssh_pass={{ ssh_pass }}

where the ssh_pass variable comes from vaulted files defined in the host_vars folder.

The relevant ansible folder structure looks like this:

playbook.yml
inventories/
  atlanta/
    group_vars/
    hosts
    host_vars/
      server1.example.com
      server2.example.com
      server3.example.com

But ansible is complaining:

[WARNING]:  * Failed to parse /root/hsm-ansible-deploy/inventories/atlanta/hosts with ini plugin: /root/hsm-ansible-deploy/inventories/atlanta/hosts:18: Expected key=value host variable assignment, got: ssh_pass
  • Why do I get the error?
  • How can I import passwords into the hosts file?
Lucretialucretius answered 21/6, 2018 at 17:3 Comment(3)
This is a typo. Space character is a separator. Use quotes or delete spaces. Listed questions are irrelevant. - Pelmas
Thanks! Indeed a syntax error. Also I found another solution where the ansible_ssh_pass: "{{ ssh_pass }}" can actually be defined in group_vars, then the hosts file is even cleaner. - Lucretialucretius
OK, I rephrased the questions and gave an answer based on your indication and my findings. Thanks! - Lucretialucretius
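To make the "why" concrete: Ansible's ini inventory plugin splits every host line with shell-style (shlex) tokenisation and then requires each token after the hostname to contain "=". The following is an added example, not code from the question or from Ansible itself, that reproduces that tokenisation on the line from the question and on two working variants (the quoted form and the form with no spaces in the template). The sample lines are constructed; the error wording is the one the plugin prints.

```python
# Added example (not part of the original question or of Ansible itself):
# reproduce the tokenisation Ansible's ini inventory plugin applies to a host
# line, to show why `ansible_ssh_pass={{ ssh_pass }}` fails and the quoted
# form works.  The plugin splits each host line with shlex and requires every
# token after the hostname to contain "=".
import shlex
from typing import Dict, Tuple


def parse_host_line(line: str) -> Tuple[str, Dict[str, str]]:
    """Split one ini inventory host line into (hostname, host variables).

    Mirrors the ini plugin's behaviour: shell-style splitting on whitespace,
    quotes grouping a value, and the same error wording when a token is not
    a key=value pair.  Values are kept as raw strings (Ansible additionally
    tries a literal_eval on them, which does not affect Jinja templates).
    """
    tokens = shlex.split(line, comments=True)
    if not tokens:
        raise ValueError("empty host line")
    host, hostvars = tokens[0], {}
    for tok in tokens[1:]:
        if "=" not in tok:
            raise ValueError(
                "Expected key=value host variable assignment, got: %s" % tok)
        key, value = tok.split("=", 1)
        hostvars[key] = value
    return host, hostvars


# Constructed sample lines: the one from the question and two working fixes.
UNQUOTED = "server1.example.com ansible_ssh_pass={{ ssh_pass }}"
QUOTED = 'server1.example.com ansible_ssh_pass="{{ ssh_pass }}"'
NO_SPACES = "server1.example.com ansible_ssh_pass={{ssh_pass}}"


def describe(line: str) -> str:
    """Return a one-line verdict for a host line, never raising."""
    try:
        host, hostvars = parse_host_line(line)
    except ValueError as exc:
        return "ERROR: %s" % exc
    return "%s -> %r" % (host, hostvars)


if __name__ == "__main__":
    for sample in (UNQUOTED, QUOTED, NO_SPACES):
        print("%-55s %s" % (sample, describe(sample)))
```

The unquoted line tokenises as `ansible_ssh_pass={{`, `ssh_pass`, `}}`; the second token has no "=", which is exactly the `got: ssh_pass` in the warning. Quoting makes the whole template one token, and removing the spaces inside the braces works for the same reason.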
As indicated by @techraf this is only a syntax issue. The correct way of writing the ini hosts file is:

[webservers]        
server1.example.com ansible_ssh_pass="{{ ssh_pass }}"
server2.example.com ansible_ssh_pass="{{ ssh_pass }}"
server3.example.com ansible_ssh_pass="{{ ssh_pass }}"

But I also found a more elegant solution where the hosts file is even more elegant, by not providing the ansible_ssh_pass variable at all in hosts:

[webservers]        
server1.example.com
server2.example.com
server3.example.com

and using the group_vars/all to define this variable there:

---
ansible_ssh_pass: "{{ vault_ansible_ssh_pass }}"

where vault_ansible_ssh_pass is defined in each host's vaulted secrets file, like host_vars/server1.example.com

---
vault_ansible_ssh_pass: "my secret password"

and then these files are encrypted using ansible-vault:

ansible-vault encrypt inventories/atlanta/host_vars/server*/vault --vault-password-file ~/.vault_pass.txt

where ~/.vault_pass.txt contains the ansible vault password in clear text.

Lucretialucretius answered 21/6, 2018 at 17:38 Comment(1)
Why not have the variable in each host_vars file simply called ansible_ssh_pass? This way even the group var would be unnecessary. - Carabineer
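The layout in the answer only protects the passwords if every secrets file really was run through ansible-vault encrypt; a host_vars file that was added later, or a vault_ variable dropped into an ordinary vars file, silently ends up in git in clear text. The following is an added example, not part of the answer or of Ansible, of a pre-commit style check over an inventory tree. It assumes the answer's layout (inventories/<site>/host_vars/<host>/vault with vault_-prefixed variable names) and relies only on the vault file header format ($ANSIBLE_VAULT;1.1;AES256, or ;1.2;AES256;<vault-id> when a vault id is used). The sample tree it builds is constructed, including a stand-in "encrypted" file that has a genuine header and a fake body.

```python
# Added example (not part of the original answer): a pre-commit style check
# that every secrets file in an inventory tree is actually vault-encrypted.
# It assumes the layout from the answer (inventories/<site>/host_vars/<host>/vault,
# vault_-prefixed variable names) and relies only on the vault file header
# format ("$ANSIBLE_VAULT;1.1;AES256", or ";1.2;AES256;<vault-id>").
import os
import re
import tempfile
from typing import List

VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];AES256(;[^;]+)?$")
SECRET_FILENAMES = ("vault", "vault.yml", "vault.yaml")   # assumed convention
SECRET_VAR = re.compile(r"^\s*vault_\w+\s*:", re.MULTILINE)


def is_vault_encrypted(path: str) -> bool:
    """True if the file starts with an ansible-vault header (format check only)."""
    with open(path, "rb") as fh:
        first = fh.readline().rstrip(b"\r\n").decode("utf-8", "replace")
    return VAULT_HEADER.match(first) is not None


def find_plaintext_secrets(inventory_dir: str) -> List[str]:
    """Return sorted paths of files that should be encrypted but are not.

    A file counts as a secrets file if it has one of SECRET_FILENAMES or
    defines a vault_-prefixed variable in plain YAML.
    """
    offenders = []
    for root, _dirs, files in os.walk(inventory_dir):
        for name in files:
            path = os.path.join(root, name)
            if is_vault_encrypted(path):
                continue
            if name in SECRET_FILENAMES:
                offenders.append(path)
                continue
            with open(path, "rb") as fh:
                body = fh.read().decode("utf-8", "replace")
            if SECRET_VAR.search(body):
                offenders.append(path)
    return sorted(offenders)


def build_sample_inventory(base: str) -> str:
    """Write a constructed inventory tree with one good and two bad secrets files."""
    files = {
        "hosts": "[webservers]\nserver1.example.com\nserver2.example.com\n"
                 "server3.example.com\n",
        "group_vars/all": '---\nansible_ssh_pass: "{{ vault_ansible_ssh_pass }}"\n',
        # Constructed stand-in for an encrypted file: real header, fake hex body.
        "host_vars/server1.example.com/vault":
            "$ANSIBLE_VAULT;1.1;AES256\n3562616633\n",
        # Someone forgot to run ansible-vault encrypt on this one.
        "host_vars/server2.example.com/vault":
            '---\nvault_ansible_ssh_pass: "my secret password"\n',
        # Secret variable placed in an ordinary, unencrypted vars file.
        "host_vars/server3.example.com/main.yml":
            '---\nvault_ansible_ssh_pass: "another secret"\n',
    }
    for rel, content in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return base


def demo() -> List[str]:
    """Build the sample tree in a temp dir and report offenders relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        inv = build_sample_inventory(os.path.join(tmp, "inventories", "atlanta"))
        return [os.path.relpath(p, inv) for p in find_plaintext_secrets(inv)]


if __name__ == "__main__":
    for rel in demo():
        print("plaintext secret:", rel)
```

The header test only proves a file is in vault format, not that it decrypts with the current password; `ansible-vault view` does that. Two further points the answer's workflow leaves open: ~/.vault_pass.txt is itself a clear-text secret and must stay out of the repository (or be replaced by a vault password script), and since ansible_ssh_pass is the login password of the managed host, a leaked inventory is a leaked fleet, which is the usual argument for SSH keys over passwords where the environment allows it.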
