AnsibleUnsafeText as ansible_become_pass variable

HexaOrko · September 22, 2024, 1:37pm

Hi,
i’m unable the solve this and maybe there is no solution.
But i will try to teardown my problem.

Inside my hosts.yaml inventory file i supply the ansible_become_pass value for currently with this:

all:
  vars:
    ansible_become_pass: '{{ system[inventory_hostname|lower].password }}'

This information came from my vault file -e @vault/become_vault.yml
which has this construction:

system:
  my_host:
    password:  mysecret

this works pretty fine for a while now.

But now i want to change this and use a lookup solution for pass, i already use this inside my playbooks.

But it does not work, my query inside my hosts.yaml looks like

ansible_become_pass: "{{ lookup('community.general.passwordstore', 'clients/'+ inventory_hostname|lower + '/ansible_user')}}"

But it does not work as aspected, sudo and doas deny the password.

The only difference i found was that the password from the vault file is type AnsibleUnicodeand this from the lookup is type AnsibleUnsafeText

i guess the problem is how AnsibleUnsafeText is handle as ansible_become_pass

this unsafe tag is according to this a direct consequence from use of a lookup.

i try’d get get rid of this tag, so i can use it as input for ansible_become_pass, but without success.

so hopefully some here as a idea for a solution.

best hexa

felixfontein · September 22, 2024, 2:14pm

Whether the password is marked unsafe or not should not make a difference. So the problem isn’t unsafe, but which part of ansible-core or a become plugin / something else inbetween screws this up. Could you provide information on how you use it so it results in a failure?

HexaOrko · September 23, 2024, 8:51pm

Thank you for pushing me to try create a isolated example of this issue.
I’m unable to recreate this problem, with other words … now it works without any problem.

I’m not sure whats happend, maybe just late night related issues.
Thanks and sorry for the noize.