Encrypted Password in Playbook

Hi All,

I am trying to use Ansible vault encrypted password in my playbook and don’t see clear documentation on how to use it.

Here is what I did so far -

In ansible.cfg I have set the ‘vault_password_file’.

I have all my playbooks in a directory called devplaybooks. I have created a sub-directory in the devplaybooks directory with the name ‘vault’ and executed the following command

ansible-vault create passwords

Contents in passwords file : ansible_password= secret123

In my inventory file I have created host vars

[<hostIP>:vars]
ansible_user=root
ansible_password=!vault

When I execute the playbook it throws up an error

TASK [Gathering Facts] ****************************************************************************************
fatal: [<hostIP>]: UNREACHABLE! => {"changed": false, "msg": "Invalid/incorrect username/password. Authentication failed.", "unreachable": true}

When I change the host vars to the following, the playbook executes successfully

[:vars]
ansible_user=root
ansible_password= secret123

Can you please help me figure out my mistake or point me to the right documentation? How does my playbook know my password file?

The encrypted value of the variable is missing. See "Use encrypt_string to
create encrypted variables to embed in yaml".
https://docs.ansible.com/ansible/latest/user_guide/vault.html#use-encrypt-string-to-create-encrypted-variables-to-embed-in-yaml

  -vlado

Hello Vladimir,

Thanks for your reply.

I am trying to maintain password (encrypted using ansible-vault) and my playbook (clear-text) in separate files. If I understand correctly the below URL is suggesting to encrypt the password string and copy the same in my playbook.

https://docs.ansible.com/ansible/latest/user_guide/vault.html#use-encrypt-string-to-create-encrypted-variables-to-embed-in-yaml

Am I reading this correctly? Please help.

You can definitely include encrypted_variables in your inventory files, but you need to use YAML syntax.

Regards
         Racke

Below is a step-by-step scenario:

1) Let's assume the vault password has been configured properly (you have set
the 'vault_password_file' in ansible.cfg). Let's use a global variable here.
For example

  $ set | grep VAULT
  ANSIBLE_VAULT_PASSWORD_FILE=/home/admin/.vault_pass.txt

See "Providing Vault Passwords"
https://docs.ansible.com/ansible/latest/user_guide/vault.html#providing-vault-passwords

2) Create a file foo.yml with variable(s). Encrypt the file. See the content.

  $ cat foo.yml
  test_var1: secret1
  $ ansible-vault encrypt foo.yml
  $ cat foo.yml
  $ANSIBLE_VAULT;1.1;AES256
  39333766363735373133663263613063313331326263373433353434653566663439623366373338
  6438306562323262363965653336653362616136366439620a326533316463346437373066333433
  30353336623733303762613639636138336666366631386531633064323733313936663831393731
  3036633964323235310a613766346633613765643832306539346137613731663865636564636164
  61303534393363616263666564636366303861623131306536316432383230393736
  $ ansible-vault view foo.yml
  test_var1: secret1

See "Encrypting Unencrypted Files"
https://docs.ansible.com/ansible/latest/user_guide/vault.html#encrypting-unencrypted-files

3) Create inventory (fit the groups and hosts to your needs)

  $ cat hosts
  [test]
  test_01

4) Put the encrypted file into the directory host_vars (fit the host to your
needs)

  $ mkdir -p host_vars/test_01
  $ mv foo.yml host_vars/test_01/

5) Create and run playbook. See the variable was successfully decrypted.

  $ cat test.yml
  - hosts: test_01
    tasks:
    - debug:
        var: test_var1
  $ ansible-playbook test.yml
  ok: [test_01] => { "test_var1": "secret1" }

There are many variations on how to handle vault variables. If you have trouble,
report a minimal, complete, reproducible example.

HTH,

  -vlado

Hello Vladimir

I have followed exactly the same steps mentioned above and I see different errors now.

My steps

  • Set the Ansible Vault password file Env variable
  • Create the vault encrypted file
  • Create directories and copy files in specific location. My dir structure
    playbooks
  • vault
    -testing.yml
    -host_vars
  • 192.168.249.107
  • test.yml

I get the following error

Error - ERROR! failed to combine variables, expected dicts but got a ‘dict’ and a ‘AnsibleUnicode’:{} “testing123:sensitive”

When I change the directory structure in host_vars to groupname

playbooks

  • vault
    -testing.yml
    -host_vars
  • ansible_enddevice_2
  • test.yml

I get a different message

ok: [ 192.168.249.107 ] => { “testing123”: “VARIABLE IS NOT DEFINED!” }

My inventory file structure

[ansible_enddevice_2]
192.168.249.107

Any suggestions would be greatly appreciated.

Suggestions please.

Ok, I found the solution myself. Group or host variables should have a different directory. There is no need for an explicit mention such as in the playbook, but create a directory called group_vars or host_vars in the directory where the playbook is placed.

These directories will have files with variables you want to define. File structure should be in yml format.
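
A pre-flight check for the two mistakes seen in this thread, as an added example that is not part of any post above: it flags password variables left in clear text in an INI inventory or vars file, and host_vars/group_vars entries whose name matches no host or group. The function names, the inventory file name `hosts`, and the sample project are assumptions made for the illustration; host range patterns are not expanded.

```python
import re
import tempfile
from pathlib import Path

# Password connection variables, assigned with "=" (INI) or ":" (YAML, unless !vault-tagged).
PASSWORD_VAR = re.compile(r"\b(ansible_(?:ssh_|become_)?pass(?:word)?)\s*(?:=|:(?!\s*!vault))\s*\S")
VAULT_HEADER = "$ANSIBLE_VAULT;"  # first line of a file encrypted by ansible-vault


def audit(project: Path, inventory: str = "hosts") -> list:
    """Audit an INI inventory and the host_vars/ and group_vars/ beside it."""
    findings, hosts, groups, section = [], set(), {"all", "ungrouped"}, ""
    for n, raw in enumerate((project / inventory).read_text().splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            groups.add(section.split(":", 1)[0])
        elif line:
            if m := PASSWORD_VAR.search(line):
                findings.append(f"{inventory}:{n}: plaintext {m.group(1)}")
            if section.endswith(":children"):
                groups.add(line.split()[0])
            elif not section.endswith(":vars"):
                hosts.add(line.split()[0])
    for kind, known in (("host", hosts), ("group", groups)):
        base = project / f"{kind}_vars"
        for entry in sorted(base.iterdir()) if base.is_dir() else []:
            name = re.sub(r"\.(ya?ml|json)$", "", entry.name)
            if name not in known:  # Ansible only loads vars whose name matches
                findings.append(f"{kind}_vars/{entry.name}: not a {kind} in {inventory}")
            for f in [entry] if entry.is_file() else sorted(entry.rglob("*")):
                text = f.read_text(errors="replace") if f.is_file() else ""
                if not text.startswith(VAULT_HEADER) and PASSWORD_VAR.search(text):
                    findings.append(f"{f.relative_to(project)}: plaintext password variable")
    return findings


def demo() -> list:
    """Build a constructed project that mirrors the thread's mistakes and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hosts").write_text(
            "[ansible_enddevice_2]\n192.168.249.107\n\n"
            "[ansible_enddevice_2:vars]\nansible_user=root\nansible_password= secret123\n")
        # Directory named after the group but placed under host_vars: never loaded.
        (root / "host_vars" / "ansible_enddevice_2").mkdir(parents=True)
        (root / "host_vars" / "ansible_enddevice_2" / "testing.yml").write_text(
            VAULT_HEADER + "1.1;AES256\n<constructed placeholder ciphertext>\n")
        return audit(root)
```

Calling `audit(Path("."))` from the playbook directory before a run gives the same report for a real project; an empty list means neither problem was found.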