Ansible – Creating playbook that sets user password to vault stored variable

This will use ansible vault that allows the storage of sensitive information in an encrypted state within playbooks.

Step 1 – create password that is stored in ansible vault

mkdir -p ~/ansible/vault
touch ~/ansible/vault/N0s3kr1t
cd ~/ansible/vault

## encrypt the secret file; this prompts for a vault password

ansible-vault encrypt N0s3kr1t

## run the following after installing passlib to create hash value of password:
pip install passlib
python -c "from passlib.hash import sha512_crypt; import getpass; print(sha512_crypt.using(rounds=5000).hash(getpass.getpass()))"

example output: $6$T7vpO60Gvn478QzE$B7UXoVThsoBwFzWvrY5yFyLHsOVgw89QPC.uB1N6DPuCHZzQnfTcyCVg1Er/B/jkmApvvQbOJTHfwEVQlEFik.

## add password to vault file 
ansible-vault edit N0s3kr1t

## N0s3kr1t file contents after edit - adjust to your requirements
userName: greplog
userPass: $6$T7vpO60Gvn478QzE$B7UXoVThsoBwFzWvrY5yFyLHsOVgw89QPC.uB1N6DPuCHZzQnfTcyCVg1Er/B/jkmApvvQbOJTHfwEVQlEFik.

Step 2 – create playbook that changes user’s password to stored value

## make changePassword.yml - located in ~/ansible (the vars_files path must match the vault file created in Step 1)
---
- hosts: devSys
  vars_files:
  - vault/N0s3kr1t
  tasks:
  - name: update user password
    user:
      name: "{{ userName }}"
      update_password: always
      password: "{{ userPass }}"

Step 3 – run playbook

# Option 1 - prompt for pass at playbook run
ansible-playbook changePassword.yml --ask-vault-pass
# Option 2 - uses a password file; the vault password sits in it as plain text (not nearly as secure)
ansible-playbook changePassword.yml --vault-password-file ~/.pwd
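Two things silently go wrong with the procedure above: a vars file that was never actually encrypted gets committed or copied around, and a plaintext password ends up in userPass (the user module writes whatever it is given straight into the shadow field, so the account can no longer be logged in to). The script below is an added example, not part of the original post or of Ansible itself; it checks a file for the header ansible-vault writes and checks the userPass value for the shape of a sha512_crypt string before the file is encrypted. The sample files it creates are constructed for the self-check, and the regular expressions are assumptions about the formats, not anything Ansible ships.

```shell
#!/bin/sh
# Added pre-flight checks for the vault workflow (example code, not from the post).

# Header that ansible-vault writes on encrypted files (assumed: envelope 1.1 or 1.2).
VAULT_HEADER_RE='^\$ANSIBLE_VAULT;1\.[12];AES256'
# Shape of a sha512_crypt string: $6$[rounds=N$]<salt up to 16>$<86-char hash>
SHA512_CRYPT_RE='^\$6\$(rounds=[0-9]+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}$'

# The hash from the post, used as a known-good sample.
EXAMPLE_HASH='$6$T7vpO60Gvn478QzE$B7UXoVThsoBwFzWvrY5yFyLHsOVgw89QPC.uB1N6DPuCHZzQnfTcyCVg1Er/B/jkmApvvQbOJTHfwEVQlEFik.'

# Exit 0 if the first line of $1 is an ansible-vault header.
is_vault_encrypted() {
    head -n 1 "$1" | grep -Eq "$VAULT_HEADER_RE"
}

# Exit 0 if $1 looks like a sha512_crypt string (format only; this does not
# verify the hash against any password).
is_sha512_crypt() {
    printf '%s\n' "$1" | grep -Eq "$SHA512_CRYPT_RE"
}

# Print the userPass value from a plaintext vars file (empty if absent).
user_pass_from_vars() {
    sed -n 's/^userPass:[[:space:]]*//p' "$1" | head -n 1
}

# Exit 0 only if the plaintext vars file carries a crypt hash. Run this before
# "ansible-vault encrypt": once the file is encrypted the mistake is invisible.
check_vars_file() {
    value=$(user_pass_from_vars "$1")
    [ -n "$value" ] && is_sha512_crypt "$value"
}

# Constructed sample files for the self-check (none of these are real secrets).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '$ANSIBLE_VAULT;1.1;AES256\n0000000000000000\n' > "$SAMPLE_DIR/encrypted"
printf 'userName: greplog\nuserPass: hunter2\n' > "$SAMPLE_DIR/plain_password"
printf 'userName: greplog\nuserPass: %s\n' "$EXAMPLE_HASH" > "$SAMPLE_DIR/hashed"

# Self-check: report each sample file the way a pre-commit hook would.
for f in encrypted plain_password hashed; do
    if is_vault_encrypted "$SAMPLE_DIR/$f"; then
        echo "$f: encrypted by ansible-vault"
    elif check_vars_file "$SAMPLE_DIR/$f"; then
        echo "$f: plaintext vars file, userPass is a crypt hash (ready to encrypt)"
    else
        echo "$f: plaintext vars file, userPass is NOT a crypt hash (fix before encrypting)"
    fi
done
```

Wire `check_vars_file` into whatever creates the vars file, and `is_vault_encrypted` into a pre-commit hook for the vault directory; both only inspect file contents and never need the vault password.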
