Ansible Vault - store credentials for all hosts in one vault file

Hello everyone.

Is there any way to store credentials in one Vault file, so that these credentials are applied to each host?

For example, when I create group_vars/all.yml and store the creds there and then execute the playbook with --limit=single_host, these credentials are not applied. I probably would have to create a vault file for each host, but that's crazy when you have thousands of servers.

The goal is to stop Ansible execution once you enter a wrong SSH password. Right now, Ansible tries to connect with the wrong password, it fails, and our SIEM detects this as an attack and locks the account instantly.

Or is there any alternative way to prevent this from happening?

Thanks in advance.

You can try to add "serial: 1" to your play in your playbook, so if it fails to SSH to the first host, it won't try to connect to the 2nd host.
By default, it tries to connect to 5 hosts at a time and usually that is enough to trigger the account to be locked.

Regards,
Tony Chia

Libor,

I think what you are asking is if you can do something like this?

host1 password123
host2 password456
host3 password789

If so, then sure. Just put it in a tab-separated file and encrypt it with ansible-encrypt and use it like you would any other variables. You could probably use the csvfile module to call column 1 for user, column 2 for password.
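A concrete version of the two suggestions above (one vault-encrypted vars file that applies to every host, plus "serial: 1" so the run stops at the first failed login), as an added example that is not from the thread. It assumes an inventory whose hostnames match the keys of the constructed `vault_host_creds` dict, that `group_vars/all/vault.yml` has been encrypted with `ansible-vault encrypt`, and that the playbook is run with `--ask-vault-pass` (or `--vault-password-file`).

```yaml
# --- file: group_vars/all/vault.yml  (encrypt with: ansible-vault encrypt group_vars/all/vault.yml)
# group_vars/all is loaded for every host in the inventory, so one file covers all hosts.
# Constructed sample values; the keys are inventory hostnames.
vault_host_creds:
  host1: { user: deploy, password: "password123" }
  host2: { user: deploy, password: "password456" }
  host3: { user: deploy, password: "password789" }

---
# --- file: check_login.yml  (run with: ansible-playbook -i inventory --ask-vault-pass check_login.yml)
- name: Log in to each host with its credentials from the single vault file
  hosts: all
  gather_facts: false
  serial: 1                 # one host per batch: if that host fails, the play ends instead of
                            # trying the default batch of hosts in parallel with the same password
  any_errors_fatal: true    # belt and braces: any failed or unreachable host aborts the play
  vars:
    # Select this host's entry; 'mandatory' raises a clear error when the host is missing
    # from the vault file instead of attempting an SSH login with an undefined password.
    host_creds: "{{ vault_host_creds[inventory_hostname] | mandatory }}"
    ansible_user: "{{ host_creds.user }}"
    ansible_password: "{{ host_creds.password }}"   # password auth needs sshpass on the controller
  tasks:
    - name: Verify the SSH login before doing any real work
      ansible.builtin.ping:
```

With `--limit=single_host` the same vault file is used, since only the set of targeted hosts changes, not which group_vars files are loaded.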