How to store ansible_become_pass in a vault and how to use it?

The best way to solve this problem is to use host_vars. The easiest setup is to just put the ansible_become_pass in Vault encrypted files in the corresponding host_vars directories like this:

myplaybook.yml
host_vars/onehost.com/crypted
host_vars/otherhost.com/crypted

In the crypted files you place the assignment of the ansible_become_pass variable:

ansible_become_pass: SuperSecre3t

Create the file with ansible-vault create, edit it with ansible-vault edit.

Following the advice in the Ansible docs you need to create an additional file per host that assigns the ansible_become_pass from the crypted variable that has a different name. That way it is possible to search for the ansible_become_pass in the project files.

myplaybook.yml
host_vars/onehost.com/plain
host_vars/onehost.com/crypted
host_vars/otherhost.com/plain
host_vars/otherhost.com/crypted

where a plain file contains something like this:

ansible_become_pass: "{{ vaulted_become_pass }}"

and the crypted file sets the vaulted_become_pass like shown above.

All crypted files must be encrypted with the same key and ansible-playbook must be called with --ask-vault-pass.


Start by setting up an inventory with your own relevant settings. These settings assume that you have already set up an RSA key pair to access your server, so you should be able to ssh into your server with ssh [email protected]

[local]
localhost    ansible_connection=local

[remote]
155.42.88.199   ansible_connection=ssh    ansible_user=remoteuser ansible_become_user=root ansible_become=yes  ansible_ssh_private_key_file=<private_key_file_path>

You need to store your root password in a file (I called mine 'my_vault.yml'). You can do this with the following command:

~/.ansible$ ansible-vault create my_vault.yml

Simply store your remote server password as follows (do not include the '<>' tags):

su_password: <myreallyspecialpassword> 

The password will now be encrypted by vault and the only way to view this is to enter the following command.

~/.ansible$ ansible-vault edit my_vault.yml

We now need to include our 'my_vault.yml' file in our playbook. We can do this by using vars_files to get the value of su_password. We can now create a var titled ansible_become_pass which will be passed the value from our my_vault.yml file, which will allow our remoteuser to su once on the server.

---
- name: My Awesome Playbook
  hosts: remote
  become: yes

  vars_files:
    - ~/.ansible/my_vault.yml 

  vars:
    ansible_become_pass: '{{ su_password }}'

  roles:
    - some_awesome_role

As we are using vault, each time we want to run this playbook we need to use the following command.

ansible-playbook myawesome_playbook.yml --ask-vault-pass

You need to create some vaulted variable files and then either include them in your playbooks or on the command line.

If you change your inventory file to use a variable for the become pass this variable can be vaulted:

[my-servers]
san-francisco ansible_host=san-francisco ansible_ssh_user=user ansible_become_pass='{{ sanfrancisco_become_pass }}'
san-diego     ansible_host=san-diego     ansible_ssh_user=user ansible_become_pass='{{ sandiego_become_pass }}'

Then use ansible-vault create vaulted_vars.yml to create a vaulted file with the following contents:

sanfrancisco_become_pass: <my_sudo_password_for_user_on_san-francisco>
sandiego_become_pass    : <my_sudo_password_for_user_on_san-diego>

Then either include the vaulted file as extra vars like this:

ansible-playbook -i ~/.ansible/inventory/hosts playbook.yml --ask-vault-pass -e@~/.ansible/inventory/vault_vars

Or include the vars file in your playbook with an include_vars task:

- name        : include vaulted variables
  include_vars: ~/.ansible/inventory/vault_vars
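A check that is worth running before every commit with either layout above (the host_vars "plain"/"crypted" pair from the first answer, or the inventory-variable indirection from the last one): it confirms that every "crypted" file really carries the Ansible Vault header and that no cleartext file assigns ansible_become_pass to anything but a "{{ ... }}" reference. This is an added example, not code from any of the answers; the file names "plain", "crypted" and "hosts" are assumed from them, and the sample tree it builds is constructed.

```shell
#!/bin/sh
# Added example, not from the answers above. Pre-commit style guard for the
# layouts they describe. Assumed file names: plain, crypted, hosts.

# 0 if the first line of $1 is an Ansible Vault header, 1 otherwise.
is_vault_encrypted() {
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;1\.[0-9];AES256'
}

# 0 if every ansible_become_pass assignment in $1 (YAML "key:" or INI "key=")
# is a Jinja2 reference, 1 if a literal value is present.
become_pass_is_reference() {
    if grep -E 'ansible_become_pass[[:space:]]*[:=]' "$1" | grep -Fv '{{' | grep -q .; then
        return 1
    fi
    return 0
}

# Walks project tree $1; returns 1 and names each offending file if any
# "crypted" file is cleartext or any cleartext file holds a literal password.
check_tree() {
    rc=0
    for f in $(find "$1" -type f); do        # assumes paths without spaces
        if is_vault_encrypted "$f"; then
            continue                         # opaque ciphertext, nothing to scan
        fi
        case "$f" in
            */crypted) echo "NOT ENCRYPTED: $f"; rc=1; continue ;;
        esac
        become_pass_is_reference "$f" || { echo "LITERAL SECRET: $f"; rc=1; }
    done
    return $rc
}

# Builds a constructed sample project under $1; with $2 = bad it adds a file
# that leaks a literal password. The vault body is a stub, not real ciphertext.
make_sample_tree() {
    mkdir -p "$1/host_vars/onehost.com"
    printf '$ANSIBLE_VAULT;1.1;AES256\n3031323334\n' > "$1/host_vars/onehost.com/crypted"
    printf 'ansible_become_pass: "{{ vaulted_become_pass }}"\n' > "$1/host_vars/onehost.com/plain"
    printf "[my-servers]\nonehost.com ansible_become_pass='{{ vaulted_become_pass }}'\n" > "$1/hosts"
    [ "$2" = bad ] && printf 'ansible_become_pass: SuperSecre3t\n' > "$1/host_vars/onehost.com/leak"
    return 0
}

# Usage: check_tree /path/to/your/ansible/project
```

Wire `check_tree .` into a pre-commit hook and the literal-password mistake is caught before it reaches the repository.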