How to store ansible_become_pass in a vault and how to use it?
The best way to solve this problem is to use host_vars. The easiest setup is to just put the ansible_become_pass in Vault-encrypted files in the corresponding host_vars directories, like this:

myplaybook.yml
host_vars/onehost.com/crypted
host_vars/otherhost.com/crypted

In the crypted files you place the assignment of the ansible_become_pass variable:

ansible_become_pass: SuperSecre3t

Create the file with ansible-vault create, edit it with ansible-vault edit.

Following the advice in the Ansible docs, you need to create an additional file per host that assigns ansible_become_pass from the crypted variable that has a different name. That way it is possible to search for ansible_become_pass in the project files.

myplaybook.yml
host_vars/onehost.com/plain
host_vars/onehost.com/crypted
host_vars/otherhost.com/plain
host_vars/otherhost.com/crypted

where a plain file contains something like this:

ansible_become_pass: "{{ vaulted_become_pass }}"

and the crypted file sets vaulted_become_pass as shown above.

All crypted files must be encrypted with the same key, and ansible-playbook must be called with --ask-vault-pass.
Start by setting up an inventory with your own relevant settings. These settings assume that you have already set up an RSA key pair to access your server; you should be able to ssh into your server with ssh [email protected]

[local]
localhost ansible_connection=local

[remote]
155.42.88.199 ansible_connection=ssh ansible_user=remoteuser ansible_become_user=root ansible_become=yes ansible_ssh_private_key_file=<private_key_file_path>

You need to store your root password in a file (I called mine 'my_vault.yml'). You can do this with the following command:

~/.ansible$ ansible-vault create my_vault.yml

Simply store your remote server password as follows (do not include the '<>' tags):

su_password: <myreallyspecialpassword>

The password will now be encrypted by Vault, and the only way to view it is to enter the following command:

~/.ansible$ ansible-vault edit my_vault.yml

We now need to include our 'my_vault.yml' file in our playbook. We can do this by using vars_files to get the value of su_password. We can now create a var titled ansible_become_pass which will be passed the value from our my_vault.yml file, which will allow our remoteuser to su once on the server.

---
- name: My Awesome Playbook
  hosts: remote
  become: yes
  vars_files:
    - ~/.ansible/my_vault.yml
  vars:
    ansible_become_pass: '{{ su_password }}'
  roles:
    - some_awesome_role

As we are using Vault, each time we want to run this playbook we need to use the following command:

ansible-playbook myawesome_playbook.yml --ask-vault-pass
You need to create some vaulted variable files and then either include them in your playbooks or on the command line.
If you change your inventory file to use a variable for the become pass, this variable can be vaulted:

[my-servers]
san-francisco ansible_host=san-francisco ansible_ssh_user=user ansible_become_pass='{{ sanfrancisco_become_pass }}'
san-diego ansible_host=san-diego ansible_ssh_user=user ansible_become_pass='{{ sandiego_become_pass }}'

Then use ansible-vault create vaulted_vars.yml to create a vaulted file with the following contents:

sanfrancisco_become_pass: <my_sudo_password_for_user_on_san-francisco>
sandiego_become_pass: <my_sudo_password_for_user_on_san-diego>

Then either include the vaulted file as extra vars like this:

ansible-playbook -i ~/.ansible/inventory/hosts playbook.yml --ask-vault-pass -e@~/.ansible/inventory/vault_vars

Or include the vars file in your playbook with an include_vars task:

- name: include vaulted variables
  include_vars: ~/.ansible/inventory/vault_vars
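As an added check, not code from any of the answers above: a small stdlib-only linter that walks an Ansible project and reports every ansible_become_pass stored in clear text, whether in a vars file (the host_vars layout of the first answer) or as an inventory host variable (the last answer), while skipping files that ansible-vault has encrypted. The sample tree, including the fake vault body and the variable name sf_pass, is constructed for the demonstration.

```python
import os
import re
import tempfile

VAULT_HEADER = "$ANSIBLE_VAULT;"  # first line of every ansible-vault encrypted file
VARS_KEY = re.compile(r"^\s*ansible_become_pass\s*:\s*(.+?)\s*$")  # YAML vars file
INV_ASSIGN = re.compile(r"""ansible_become_pass=('[^']*'|"[^"]*"|\S+)""")  # INI inventory
JINJA_REF = re.compile(r"^\{\{\s*[\w.]+\s*\}\}$")  # e.g. {{ vaulted_become_pass }}

def is_vaulted(text):
    return text.startswith(VAULT_HEADER)

def is_reference(value):
    # True when the value only points at another variable, i.e. no secret inline
    return bool(JINJA_REF.match(value.strip().strip("'\"")))

def check_text(path, text):
    """Return (path, line number) for every clear-text become password in one file."""
    if is_vaulted(text):  # encrypted at rest: nothing readable to flag
        return []
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = VARS_KEY.match(line)
        values = [m.group(1)] if m else INV_ASSIGN.findall(line)
        findings.extend((path, lineno) for v in values if not is_reference(v))
    return findings

def lint_tree(root):
    # walks host_vars, group_vars, inventories and playbooks alike
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8") as fh:
                findings.extend(check_text(os.path.relpath(path, root), fh.read()))
    return sorted(findings)

def build_sample_tree():
    """Constructed layout from the host_vars answer, plus two deliberate mistakes."""
    root = tempfile.mkdtemp()
    files = {
        "host_vars/onehost.com/plain": 'ansible_become_pass: "{{ vaulted_become_pass }}"\n',
        "host_vars/onehost.com/crypted": "$ANSIBLE_VAULT;1.1;AES256\n6162636465\n",  # fake body
        "host_vars/otherhost.com/main.yml": "ansible_become_pass: SuperSecre3t\n",  # mistake 1
        "inventory/hosts": "[my-servers]\nsan-francisco ansible_become_pass='{{ sf_pass }}'\n"
        "san-diego ansible_become_pass=hunter2\n",  # mistake 2, line 3 of the inventory
    }
    for rel, body in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Running lint_tree(build_sample_tree()) reports the plaintext main.yml and line 3 of the inventory, and nothing for the vaulted crypted file or the plain file that only references vaulted_become_pass.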