Reputation: 127
I have created hosts:
sudo cat /etc/ansible/hosts
[Prospectorium]
192.168.1.50
[Scholarium]
192.168.1.60
[Bulwark]
192.168.1.70
And a playbook that should update those servers:
sudo cat /home/overlord/ansible/apt.yml
- hosts: all
  become: yes
  tasks:
    - name: Update and upgrade apt packages.
      apt:
        update_cache: yes
        upgrade: full
        autoremove: yes
        autoclean: yes
        cache_valid_time: 43200
Each of those 3 hosts has a different username and password:
prospectorium
prospectorium123
scholarium
scholarium123
bulwark
bulwark123
So now my question: How can I securely pass login information when I run a playbook?
I tried creating a vault file, but that can contain only one password and no username, so that is not applicable to me.
Upvotes: 3
Views: 3827
Reputation: 68034
There are more options. You might want to try the host_vars and group_vars first.
It seems the symbolic names are the names of the hosts rather than the names of the groups. See Inventory basics: formats, hosts, and groups. In this case, the inventory file might be
shell> cat hosts
Prospectorium ansible_host=192.168.1.50 ansible_user=prospectorium
Scholarium ansible_host=192.168.1.60 ansible_user=scholarium
Bulwark ansible_host=192.168.1.70 ansible_user=bulwark
Put the passwords into the host_vars
shell> cat host_vars/Prospectorium.yml
ansible_password: prospectorium123
shell> cat host_vars/Bulwark.yml
ansible_password: bulwark123
shell> cat host_vars/Scholarium.yml
ansible_password: scholarium123
Test it
shell> ansible-inventory -i hosts --list --yaml
all:
  children:
    ungrouped:
      hosts:
        Bulwark:
          ansible_host: 192.168.1.70
          ansible_password: bulwark123
          ansible_user: bulwark
        Prospectorium:
          ansible_host: 192.168.1.50
          ansible_password: prospectorium123
          ansible_user: prospectorium
        Scholarium:
          ansible_host: 192.168.1.60
          ansible_password: scholarium123
          ansible_user: scholarium
Encrypt the passwords if this is what you want. See details in Encrypting content with Ansible Vault
shell> ansible-vault encrypt host_vars/Prospectorium.yml
Encryption successful
shell> ansible-vault encrypt host_vars/Scholarium.yml
Encryption successful
shell> ansible-vault encrypt host_vars/Bulwark.yml
Encryption successful
You can see that the files were encrypted and the ansible-inventory command shows the same result.
shell> cat host_vars/Prospectorium.yml
$ANSIBLE_VAULT;1.1;AES256
64316362396261663735333239653163366630313463636262393735356139376536346665383334
3865663166623862363832326231363362666263643536390a396239373737363133313332623539
...
Test the structure in a playbook. For example, the playbook below
shell> cat pb.yml
- hosts: all
  gather_facts: false
  tasks:
    - debug:
        msg: |-
          ansible_user: {{ ansible_user }}
          ansible_password: {{ ansible_password }}
gives
shell> ansible-playbook -i hosts pb.yml
PLAY [all] ***********************************************************************************
TASK [debug] *********************************************************************************
ok: [Prospectorium] =>
  msg: |-
    ansible_user: prospectorium
    ansible_password: prospectorium123
ok: [Scholarium] =>
  msg: |-
    ansible_user: scholarium
    ansible_password: scholarium123
ok: [Bulwark] =>
  msg: |-
    ansible_user: bulwark
    ansible_password: bulwark123
PLAY RECAP ***********************************************************************************
Bulwark : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Prospectorium : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Scholarium : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
You can add other variables to the encrypted files in host_vars if you want.
An elegant option is putting the data into the group_vars/all.yml. For example
shell> cat group_vars/all.yml
passwords:
  Bulwark: bulwark123
  Prospectorium: prospectorium123
  Scholarium: scholarium123
users:
  Bulwark: bulwark
  Prospectorium: prospectorium
  Scholarium: scholarium
ansible_password: "{{ passwords[inventory_hostname] }}"
ansible_user: "{{ users[inventory_hostname] }}"
Encrypt group_vars/all.yml
shell> ansible-vault encrypt group_vars/all.yml
Encryption successful
Remove the host_vars and users from hosts
shell> cat hosts
Prospectorium ansible_host=192.168.1.50
Scholarium ansible_host=192.168.1.60
Bulwark ansible_host=192.168.1.70
The same playbook gives the same result
shell> ansible-playbook -i hosts pb.yml
PLAY [all] ******************************************************************************************
TASK [debug] ****************************************************************************************
ok: [Prospectorium] =>
  msg: |-
    ansible_user: prospectorium
    ansible_password: prospectorium123
ok: [Scholarium] =>
  msg: |-
    ansible_user: scholarium
    ansible_password: scholarium123
ok: [Bulwark] =>
  msg: |-
    ansible_user: bulwark
    ansible_password: bulwark123
PLAY RECAP ******************************************************************************************
Bulwark : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Prospectorium : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Scholarium : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
You can put the variables into any file you want and include them in a playbook. For example, remove all the host_vars and group_vars from the previous examples and put the file into the directory vars:
shell> cat vars/ansible_ssh_vars.yml
passwords:
  Bulwark: bulwark123
  Prospectorium: prospectorium123
  Scholarium: scholarium123
users:
  Bulwark: bulwark
  Prospectorium: prospectorium
  Scholarium: scholarium
ansible_password: "{{ passwords[inventory_hostname] }}"
ansible_user: "{{ users[inventory_hostname] }}"
Encrypt the file
shell> ansible-vault encrypt vars/ansible_ssh_vars.yml
Encryption successful
Include the file in a playbook. For example, the playbook below gives the same result
shell> cat pb.yml
- hosts: all
  gather_facts: false
  vars_files:
    - vars/ansible_ssh_vars.yml
  tasks:
    - debug:
        msg: |-
          ansible_user: {{ ansible_user }}
          ansible_password: {{ ansible_password }}
Upvotes: 4
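The host_vars layout from the answer, scripted end to end as an added example (this is not code from the question or the answer): one host_vars/<Host>.yml per host is generated from a "host:user:password" list, each file is encrypted with ansible-vault using a password file instead of a prompt, and a guard refuses to run a playbook while any file under host_vars/ or group_vars/ still mentions a password without the $ANSIBLE_VAULT header. The list format, the script name vault_hosts.sh, the .vault_pass file name and the function names are conventions of this example, not of Ansible; the credentials are the constructed ones from the question.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Builds one host_vars/<Host>.yml per host from a "host:user:password"
# list, encrypts each file with ansible-vault, and refuses to run a
# playbook while any plaintext password is left in the inventory tree.
# The list format, the vault password file name ".vault_pass" and the
# function names are conventions of this example, not of Ansible.
set -eu

# Quote a YAML scalar in single quotes, doubling embedded single quotes,
# so a password containing ':' or '#' cannot change the YAML structure.
yaml_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# Read "host:user:password" lines from stdin and write host_vars/<host>.yml
# (mode 0600) into the inventory directory $1. Nothing is echoed.
write_host_vars() {
    inv=$1
    mkdir -p "$inv/host_vars"
    while IFS=: read -r host user pass; do
        [ -n "$host" ] || continue
        {
            printf 'ansible_user: %s\n' "$(yaml_quote "$user")"
            printf 'ansible_password: %s\n' "$(yaml_quote "$pass")"
        } > "$inv/host_vars/$host.yml"
        chmod 600 "$inv/host_vars/$host.yml"
    done
}

# Encrypt every host_vars file in place. The vault password comes from a
# file (mode 0600, kept out of version control), so no prompt is needed.
encrypt_host_vars() {
    inv=$1; pwfile=$2
    for f in "$inv"/host_vars/*.yml; do
        ansible-vault encrypt --vault-password-file "$pwfile" "$f"
    done
}

# Succeed only if no file under host_vars/ or group_vars/ mentions a
# password without carrying the $ANSIBLE_VAULT header on its first line.
check_no_plaintext_passwords() {
    inv=$1; rc=0
    for f in "$inv"/host_vars/*.yml "$inv"/group_vars/*.yml; do
        [ -f "$f" ] || continue
        if head -n 1 "$f" | grep -q '^\$ANSIBLE_VAULT;'; then
            continue                        # whole-file vault, fine
        fi
        if grep -qi 'password' "$f"; then
            echo "plaintext password in $f" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Run the guard, then the playbook with the same vault password file.
run_playbook() {
    inv=$1; pwfile=$2; playbook=$3
    check_no_plaintext_passwords "$inv"
    ansible-playbook -i "$inv/hosts" --vault-password-file "$pwfile" "$playbook"
}

# Demo with constructed credentials matching the question's three hosts.
demo() {
    umask 077
    inv=$(mktemp -d)
    pwfile=$inv/.vault_pass
    printf '%s\n' 'change-me-vault-password' > "$pwfile"   # constructed secret
    cat > "$inv/hosts" <<'EOF'
Prospectorium ansible_host=192.168.1.50
Scholarium ansible_host=192.168.1.60
Bulwark ansible_host=192.168.1.70
EOF
    write_host_vars "$inv" <<'EOF'
Prospectorium:prospectorium:prospectorium123
Scholarium:scholarium:scholarium123
Bulwark:bulwark:bulwark123
EOF
    if check_no_plaintext_passwords "$inv"; then
        echo "unexpected: nothing flagged before encryption" >&2; exit 1
    fi
    if command -v ansible-vault >/dev/null 2>&1; then
        encrypt_host_vars "$inv" "$pwfile"
        check_no_plaintext_passwords "$inv" && echo "all host_vars files are vault-encrypted"
        # Prove the inventory decrypts without printing the secrets themselves.
        n=$(ansible-inventory -i "$inv/hosts" --vault-password-file "$pwfile" \
              --list --yaml | grep -c '^ *ansible_password:')
        echo "$n hosts with a decryptable ansible_password"
    else
        echo "ansible-vault not found; skipping the encryption step" >&2
    fi
    rm -rf "$inv"       # do not leave plaintext credentials in /tmp
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh vault_hosts.sh demo`; with a real inventory, call `run_playbook <inventory dir> <vault password file> apt.yml` so the guard runs before every play. Two practitioner caveats that the answer does not spell out: the debug task used above to verify the variables writes the passwords into the run output and any log shipped from it, so drop it in real use or set `no_log: true` on the task; and password-based SSH needs `sshpass` on the control node, which is one more reason to move these hosts to SSH keys once the vault layout works.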