How to store ansible_become_pass in a vault and how to use it?

Question

I am a newbie to ansible and I am using a very simple playbook to issue sudo apt-get update and sudo apt-get upgrade on a couple of servers.

This is the playbook I am using:

---

- name: Update Servers
  hosts: my-servers
  become: yes
  become_user: root
  tasks:
    - name: update packages
      apt: update_cache=yes

    - name: upgrade packages
      apt: upgrade=dist

and this is an extract from my ~/.ansible/inventory/hosts file:

[my-servers]
san-francisco ansible_host=san-francisco ansible_ssh_user=user ansible_become_pass=<my_sudo_password_for_user_on_san-francisco>
san-diego     ansible_host=san-diego     ansible_ssh_user=user ansible_become_pass=<my_sudo_password_for_user_on_san-diego>

This is what I get if I launch the playbook:

$ ansible-playbook update-servers-playbook.yml                                                                                                                                     

PLAY [Update Servers] **********************************************************

TASK [setup] *******************************************************************
ok: [san-francisco]
ok: [san-diego]

TASK [update packages] *********************************************************
ok: [san-francisco]
ok: [san-diego]

TASK [upgrade packages] ********************************************************
ok: [san-francisco]
ok: [san-diego]

PLAY RECAP *********************************************************************
san-francisco              : ok=3    changed=0    unreachable=0    failed=0   
san-diego                  : ok=3    changed=0    unreachable=0    failed=0

What is bothering me is the fact that I have the password for my user user stored in plaintext in my ~/.ansible/inventory/hosts file.

I have read about vaults, I have also read about the best practices for variables and vaults but I do not understand how to apply this to my very minimal use case.

I also tried to use lookups. While in general they also work in the inventory file, and I am able to do something like this:

[my-servers]
san-francisco ansible_host=san-francisco ansible_ssh_user=user ansible_become_pass="{{ lookup('env', 'ANSIBLE_BECOME_PASSWORD_SAN_FRANCISCO') }}"

where this case the password would be stored in an environment variable called ANSIBLE_BECOME_PASSWORD_SAN_FRANCISCO; there is no way to look up variables in vaults as far as I know.

So, how could I organize my file such that I would be able to lookup up my passwords from somewhere and have them safely stored?

ydaetskcoR · Accepted Answer · 2018-08-30T10:20:34.883

38

You need to create some vaulted variable files and then either include them in your playbooks or on the command line.

If you change your inventory file to use a variable for the become pass this variable can be vaulted:

[my-servers]
san-francisco ansible_host=san-francisco ansible_ssh_user=user ansible_become_pass='{{ sanfrancisco_become_pass }}'
san-diego     ansible_host=san-diego     ansible_ssh_user=user ansible_become_pass='{{ sandiego_become_pass }}'

Then use ansible-vault create vaulted_vars.yml to create a vaulted file with the following contents:

sanfrancisco_become_pass: <my_sudo_password_for_user_on_san-francisco>
sandiego_become_pass    : <my_sudo_password_for_user_on_san-diego>

Then either include the vaulted file as extra vars like this:

ansible-playbook -i ~/.ansible/inventory/hosts playbook.yml --ask-vault-pass -e@~/.ansible/inventory/vault_vars

Or include the vars file in your playbook with an include_vars task:

- name        : include vaulted variables
  include_vars: ~/.ansible/inventory/vault_vars

edited Aug 30 '18 at 10:20

answered May 18 '16 at 12:44

ydaetskcoR

53,225
8
158
177

Thanks! I have tested the first solution (specifying the vault file from the command line as an option) and it works! I have to point out for others to pay attention to the `@` sign, in fact the documentation of `ansible-playbook` says for the `-e` option: «To load variables from a file, specify the file preceded by @ (e.g. @vars.yml).» – CristianCantoro May 18 '16 at 15:02
This really helped me in finding a workaround for this. Thanks :) However, I am pretty sure that this approach will store your password in your inventory file. I tried this and this appeared to be the case. However, instead it is possibe to simply pass the 'ansible_become_pass' var in your playbook and then use the --vault-ask-pass when running that playbook. – andy_roddam Apr 20 '18 at 06:16
1

You create encrypted file `vaulted_vars.yml` and you reference it as `~/.ansible/inventory/vault_vars`. Is that right? Anyway, I found that I could cleanly reference the encrypted file at the beginning of my playbook using `vars_files: [vaulted_vars.yml]`. – John McGehee Feb 06 '20 at 02:28
@andy_roddam Could you elaborate on this: `However, I am pretty sure that this approach will store your password in your inventory file`. From what I can see above, only the names of the password variables are exposed in the inventory file? – Zero3 Jan 08 '22 at 16:16

score 14 · Answer 2 · edited Apr 11 '22 at 04:55

The best way to solve this problem is to use host_vars. The easiest setup is to just put the ansible_become_pass in Vault encrypted files in the corresponding host_vars directories like this:

myplaybook.yml
host_vars/onehost.com/crypted
host_vars/otherhost.com/crypted

In the crypted files you place the assignment of the ansible_become_pass variable:

ansible_become_pass: SuperSecre3t

Create the file with ansible-vault create, edit it with ansible-vault edit.

Following the advice in the Ansible docs you need to create an additional file per host that assigns the ansible_become_passwd from the crypted variable that has a different name. That way it is possible to search for the ansible_become_passwd in the project files.

myplaybook.yml
host_vars/onehost.com/plain
host_vars/onehost.com/crypted
host_vars/otherhost.com/plain
host_vars/otherhost.com/crypted

where a plain file contains something like this:

ansible_become_pass: "{{ vaulted_become_pass }}"

and the crypted file sets the vaulted_become_pass like shown above.

All crypted files must be encrypted with the same key and ansible-playbook must be called with --ask-vault-pass.

Thank you, your approach with the `host_vars` works great as explained at: [`host_vars` files](https://docs.ansible.com/ansible/latest/user_guide/intro_inventory.html#organizing-host-and-group-variables) It has only **2 issues**: **1)** the content of `crypted` must be: `vaulted_become_pass: SuperSecre3t` **2)** each file must contain the starting dashes to be parsed as yaml `---` . Fixing those issues it works fine for Multi Host Infrastructure — Bodo Hugo Barwich, Sep 07 '20 at 11:40
the missing dashes `---` result in the Connection Error: `fatal: [otherhost.com]: FAILED! => { "msg": "Timeout (32s) waiting for privilege escalation prompt: " }` because the files are not interpreted as `.yaml` files — Bodo Hugo Barwich, Sep 07 '20 at 11:44

score 7 · Answer 3 · answered Apr 20 '18 at 06:14

After setting up an inventory with your own relevant settings. These settings assume that you have already set up a rsa-key pair to access your server. You should be able to ssh into your server with ssh remoteuser@155.42.88.199

[local]
localhost    ansible_connection=local

[remote]
155.42.88.199   ansible_connection=ssh    ansible_user=remoteuser ansible_become_user=root ansible_become=yes  ansible_ssh_private_key_file=<private_key_file_path>

You need to store your root password in a file (I called mine 'my_vault.yml'). You can do this with the following command:

~/.ansible$ ansible-vault create my_vault.yml

Simple store your remote server password as follows (do not include the '<>' tags)

su_password: <myreallyspecialpassword>

The password will now be encrypted by vault and the only way to view this is to enter the following command.

~/.ansible$ ansible-vault edit my_vault.yml

We now need to include our 'my_vault.yml' file in our playbook. We can do this by using vars-files to get the value of su-password. We can now create a var titled ansible_become_pass which will be passed the value from our my_vault.yml file which will allow our remoteuser to su once on the server.

---
- name: My Awesome Playbook
  hosts: remote
  become: yes

  vars_files:
    - ~/.ansible/my_vault.yml 

  vars:
    ansible_become_pass: '{{ su_password }}'

  roles:
      - some_awesome_role

As we are using vault each time we want to run this playbook we need to use the following command.

ansible-playbook myawesome_playbook.yml --ask-vault-pass

How to store ansible_become_pass in a vault and how to use it?

3 Answers3

Linked