ansible_ssh_pass and ansible_become_pass in non interactive way

I'm currently working on Ansible to automate a few server infrastructure activities. I would like to specify --ask-pass and --ask-become-pass for Ansible in a non-interactive way.

My Scenario:

  • When I run the below command, I’m getting the expected output after manually providing the SSH and BECOME password.

ansible-playbook ping.yml --ask-pass --ask-become-pass -i hosts -c paramiko

  • When I tried executing the below command by placing the ansible_ssh_pass and ansible_become_pass details in the inventory file, it works fine in a non-interactive way.

ansible-playbook ping.yml -i hosts -c paramiko

$ ansible-playbook ping.yml -i hosts -c paramiko

PLAY [all] *******************************************************************************************

TASK [Gathering Facts] *******************************************************************************************

ok: [*************.com]

TASK [ping] *******************************************************************************************

ok: [*************.com]

PLAY RECAP *******************************************************************************************

**************.com : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

But in the above method the credentials are exposed and I feel it is not a best practice. Is there any possible way to handle both the ansible_ssh_pass and ansible_become_pass in a non-interactive way other than having the credential details in the inventory file?

Ansible version : 2.9.9

OS : Linux

Use a vaulted file with the variables or inline vaults.

https://docs.ansible.com/ansible/latest/user_guide/vault.html
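A check that backs up the advice above once the passwords have been moved into a vault (an added example, not part of the thread): it scans inventory or vars text for `ansible_ssh_pass`, `ansible_become_pass` and their aliases set to a literal value, and accepts vault-encrypted files, inline `!vault` values and Jinja2 references to other variables. The function names and the sample inventory are constructed for illustration.

```python
import re

# Connection and privilege-escalation password variables Ansible reads from inventory.
SECRET_VARS = ("ansible_ssh_pass", "ansible_password",
               "ansible_become_pass", "ansible_become_password")

# key=value (INI inventory) or key: value (YAML vars). The value is a quoted
# string, a Jinja2 expression, or a bare token up to the next whitespace.
ASSIGNMENT = re.compile(
    r"\b(?P<key>" + "|".join(SECRET_VARS) + r")\s*[=:]\s*"
    r"(?P<value>\"[^\"]*\"|'[^']*'|\{\{.*?\}\}|\S*)"
)

def is_protected(value):
    """True when the value is not a literal secret: empty, an inline
    !vault tag, or a Jinja2 reference to another (vaulted) variable."""
    v = value.strip("\"'").strip()
    return v == "" or v.startswith("!vault") or (v.startswith("{{") and v.endswith("}}"))

def find_plaintext_secrets(text, filename="<inventory>"):
    """Return (filename, line_number, variable) for each literal password."""
    lines = text.splitlines()
    # A file encrypted as a whole by ansible-vault starts with this header.
    if lines and lines[0].startswith("$ANSIBLE_VAULT;"):
        return []
    findings = []
    for number, line in enumerate(lines, start=1):
        for match in ASSIGNMENT.finditer(line):
            if not is_protected(match.group("value")):
                findings.append((filename, number, match.group("key")))
    return findings

# Constructed sample inventory (hostnames and passwords are made up).
SAMPLE_INI = """\
[web]
web1.example.com ansible_ssh_pass=Summer2020 ansible_become_pass='Summer2020'
web2.example.com ansible_user=deploy

[web:vars]
ansible_become_pass="{{ vault_become_pass }}"
"""

if __name__ == "__main__":
    for finding in find_plaintext_secrets(SAMPLE_INI, "hosts"):
        print("%s:%d: plaintext %s" % finding)
```

Run as a pre-commit or CI step over the inventory and `group_vars`/`host_vars` files, and fail the build when the returned list is not empty.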

I'm currently working on Ansible to automate a few server infrastructure
activities. I would like to specify --ask-pass and --ask-become-pass for Ansible
in a non-interactive way.

Same here...

• When I tried executing the below command by placing the ansible_ssh_pass
   and ansible_become_pass details in the inventory file, it works fine in a
   non-interactive way.

ansible-playbook ping.yml -i hosts -c paramiko

[...]

But in the above method the credentials are exposed and I feel it is not a
best practice.

If you control your inventory files via git or other version control
systems, it's a no-go to store the plain text password in the inventory file.

Is there any possible way to handle both the ansible_ssh_pass
and ansible_become_pass in a non-interactive way other than having the
credential details in the inventory file?

See for example here:

<https://theorangeone.net/posts/ansible-vault-bitwarden/#setting-up-ansible>

There Ansible Vault is used or, and that's the way we want to do it,
Bitwarden as an external source for sensitive data. I've also managed to
encrypt sensitive information with sops; that's another possibility if Ansible
Vault cannot be used or you don't want to use it.

Unfortunately there seems to be a bug in Ansible versions <2.10.8 where
reading out the ansible_become_pass via a script seems not to work; at least
I cannot get it to run as described on the page mentioned above.

In my ansible.cfg file I have the following:

[default]
...
become_pass_file = ./become-password.sh

The become-password.sh script, which is stored in the same directory as the
ansible.cfg file and which has the permissions to be executed, looks like
this: