Become password via vault not being picked up

I have two issues here. One is my ansible.cfg, which I can work around by adding the settings to my playbook. The other issue, with the playbook, is that I would like to run a playbook without having to enter any password at all. Imagine I cannot use ssh keys, I need to specify a user other than the one I am logged in with, I cannot use sudo, and I need to use the su method.

become_method = su
become_user = root

These settings in my ansible.cfg under [defaults] do not seem to work anymore. I am sure they worked in older Ansible versions. I looked it up in the Ansible docs and it's unclear to me whether that has changed to default_become_*? Either way (I tried both) it doesn't seem to work anymore.

So, to work around that, I add it to a simple playbook to test something that should be trivial.

My inventory.ini:

[puppetmaster]
puppet.lab.domain.net

[puppetmaster:vars]
ansible_ssh_user="{{ vault_ansible_ssh_user }}"
ansible_ssh_pass="{{ vault_ansible_ssh_pass }}"
ansible_become_password="{{ vault_ansible_become_pass }}"

My playbook to test things out:

---
- hosts: puppetmaster
  gather_facts: true
  become_method: su
  become_user: root

  vars_files:
    - ../personal.yml

  tasks:
    - name: test
      command: id
      register: noroot

    - name: root test
      command: id
      become: true
      register: root
      ignore_errors: true

    - name: debug
      debug:
        msg: "{{ noroot.stdout }}"

    - name: debug root
      debug:
        msg: "{{ root.stdout }}"
      ignore_errors: true

Finally, redacted:

$ ansible-vault view ../personal.yml 
---
vault_ansible_ssh_user: 'test'
vault_ansible_ssh_pass: 'password123'
vault_ansible_become_pass: 'rootpw123'

The output of the playbook shows that noroot is the id of test. So the ssh login seems to work fine.

However, the test as root always comes back as follows:

TASK [root test] **************************************************************
Wednesday 13 December 2023  17:07:29 +0100 (0:00:00.457)       0:00:02.693 **** 
fatal: [puppet.lab.domain.net]: FAILED! => 
  msg: Incorrect su password
...ignoring

I tried specifying it on the command line with -e ansible_become_password="{{ vault_ansible_become_pass }}" but that doesn’t pick it up correctly either.

I thought I had done this before in a similar manner, but I can’t seem to work out how to get Ansible to pick up the become password so that I can run something completely without entering any passwords.

I verified that the password is correct by letting Ansible ask for it with -Kk. I enter the ssh and become passwords and it works fine.

Any ideas please, why this isn’t working as I expect?

Thanks!

Got it working. I moved the inventory.ini vars to host_vars, but I was also dealing with 1 host that had an incorrect root password (should have been puppet managed but the host was in noop) and for yet another host I had a typo in a password in the vault.

Several issues at once but got it sorted :wink: .

3 Likes
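The host_vars layout the follow-up describes, as an added example that is not part of the original post: the connection and become settings for puppet.lab.domain.net live in a plain vars.yml that only references vault_* variables, and the vaulted file (the poster's personal.yml, encrypted with ansible-vault) sits beside it. The file paths and the directory-style host_vars are assumptions.

```yaml
# host_vars/puppet.lab.domain.net/vars.yml  (added example, not from the original post)
#
# Every secret here is an indirection to a vault_* variable defined in the
# encrypted sibling file host_vars/puppet.lab.domain.net/vault.yml, which holds
# the three vault_ansible_* keys from the poster's personal.yml. Ansible loads
# both files for the host, so grep and git history only ever show the
# indirection names, never the password values.
ansible_user: "{{ vault_ansible_ssh_user }}"
ansible_password: "{{ vault_ansible_ssh_pass }}"

# Escalate with su to root; the su password comes from the vault as well.
ansible_become_method: su
ansible_become_user: root
ansible_become_password: "{{ vault_ansible_become_pass }}"
```

With this layout the play no longer needs vars_files or play-level become_method/become_user, and the [puppetmaster:vars] section of inventory.ini can be dropped; run `ansible-vault encrypt host_vars/puppet.lab.domain.net/vault.yml` once and pass --vault-password-file (or --ask-vault-pass) to ansible-playbook.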
