Ansible - User Create Module - Not working with Vault

Still learning Ansible… but I think this is a feature request / maybe a bug?

Hoping there is a workaround.

Goal: Create a user on a CentOS host with membership of the wheel group, an ssh key and a provided password, but NOT store the password in plain text within Ansible.

I am using vault, where I encrypt a password and save it in my global variables file.

Ex: /group_vars/all.yml

  ansible-vault encrypt_string 'Password' --name 'vault_cluster_ssh_password'

Add the above output to all.yml, and above it I add a line to create a usable variable for the username:

  vault_cluster_ssh: cluster  # Account used for inter node cluster tasks
  vault_cluster_ssh_password: !vault |
    $ANSIBLE_VAULT;1.1;AES256
    6439393631386137383264343636323666363931316664323231343363326234633930616437303234613865366366363234

Now… I want to use that in a playbook

  - name: Add the user 'cluster' with a bash shell, appending the group 'wheel' and generate ssh key for hosts "{{ target_hosts }}"
    user:
      name: '{{ vault_cluster_ssh }}'
      shell: /bin/bash
      groups: wheel
      state: present
      generate_ssh_key: yes
      ssh_key_bits: 2048
      ssh_key_file: .ssh/id_rsa
      createhome: no
      password: "{{ vault_cluster_ssh_password | string | password_hash('sha512') }}"
      # password: "{{ Password | string | password_hash('sha512') }}"

The commented line works… but the use of the variable does not. All examples I have found still use clear text passwords to create users, which is not allowed and bad form.
What I don't get is why they are shoving the output directly into /etc/shadow when you call to create a user… so you have to use the password_hash component. Why would the user add module not just take your "password variable" as an input parameter and use the OS "passwd" binary? Why is it shoving things directly into files with a manual hash? There may be a reason, but this then creates the above issue where I cannot pass input as a variable that leverages the standard vault call.

Hoping there is a better way to do this / a workaround someone has.

Correction:

This was an error where I was trying too many things and did not re-test with all correct variables set.

This does work:
A co-worker pointed out to dump the password out as a variable, and I saw it was being read in wrong, as I had changed it several times to test things.

For the benefit of future visitors to this forum / archive, please could you
make clear what you did need to do differently so that things worked as
expected / required.

That way, at least some people will not have to ask the same question again :slight_smile:

Thanks,

Antony.

Sorry for not being clear…

What I did … was … nothing. No code change from the code posted.

I use Visual Studio Code… and did not, between changes, save the file before running the test… which then gave back a false "failure"… and so I kept trying other things.

The below code works, from the global variables file /group_var/all.yml:

  vault_nut_ssh: nut  # Account used for UPS services client and server side
  vault_nut_ssh_password: !vault |
    $ANSIBLE_VAULT;1.1;AES256
    643963626666<snip3330613639316532350a373634653566326338636565346539663366646338303861623030326263
    3532

User create… in this case “nut” for ups monitoring.

Setup “nut” user as both client and server need it

  - name: Add the user 'nut' with a bash shell, appending the group 'wheel' and generate ssh key for hosts "{{ target_hosts }}"
    user:
      name: '{{ vault_nut_ssh }}'
      shell: /bin/bash
      groups: wheel
      state: present
      generate_ssh_key: yes
      ssh_key_bits: 2048
      ssh_key_file: .ssh/id_rsa
      createhome: yes
      password: "{{ vault_nut_ssh_password | string | password_hash('sha512') }}"

PS: The web page for Ansible password is still broken

https://docs.ansible.com/ansible/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module

That page may have been deprecated, because I believe the same instruction is now found in the FAQs:

https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module
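As an added example (not code from this thread or from Ansible itself), the check below shows what the user module's password: value has to look like once password_hash('sha512') has run on the vault variable: a crypt(3) style string of the form $6$[rounds=N$]salt$hash. The function name and the sample hash are my own; the sample is constructed to be well-formed and is not the hash of any real password.

```python
import re

# crypt(3) scheme ids the Ansible user module accepts on Linux hosts, with the
# base64 length of the digest each scheme produces.
_SCHEMES = {
    "1": ("md5-crypt", 22),
    "5": ("sha256-crypt", 43),
    "6": ("sha512-crypt", 86),
}
_B64 = r"[./0-9A-Za-z]"
_CRYPT_RE = re.compile(
    r"^\$(?P<id>[156])\$"
    r"(?:rounds=(?P<rounds>\d+)\$)?"    # optional, SHA-crypt only
    r"(?P<salt>" + _B64 + r"{1,16})\$"
    r"(?P<hash>" + _B64 + r"+)$"
)

# Constructed sample shaped like password_hash('sha512') output; it is NOT
# the hash of any real password, only a well-formed example string.
SAMPLE_SHA512 = "$6$rounds=656000$saltsaltsaltsalt$" + ("abc./XYZ01" * 9)[:86]


def classify_password_param(value):
    """Classify a value destined for the user module's `password:` parameter.

    kind is 'hashed' (well-formed crypt string), 'malformed' (looks like a
    crypt string but digest length or rounds are wrong), 'unknown-hash'
    (another $id$ scheme this check does not model), or 'plaintext' (what
    the module would store unhashed in the shadow field, with a warning).
    """
    m = _CRYPT_RE.match(value)
    if not m:
        return {"kind": "unknown-hash" if value.startswith("$") else "plaintext"}
    scheme, digest_len = _SCHEMES[m.group("id")]
    rounds = int(m.group("rounds")) if m.group("rounds") else None
    digest_ok = len(m.group("hash")) == digest_len
    # SHA-crypt accepts rounds in [1000, 999999999]; md5-crypt has no rounds
    rounds_ok = rounds is None or (
        scheme != "md5-crypt" and 1000 <= rounds <= 999_999_999
    )
    return {
        "kind": "hashed" if digest_ok and rounds_ok else "malformed",
        "scheme": scheme,
        "salt": m.group("salt"),
        "rounds": rounds,
    }


if __name__ == "__main__":
    for value in (SAMPLE_SHA512, "Password"):
        print(value[:24], "->", classify_password_param(value))
```

Running the check on the rendered value of a task (for example by echoing it with the debug module, as the co-worker suggested in the thread) tells you immediately whether the vault variable actually went through the hashing filter.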