looking for advice on storing connection passwords

So we have some windows machines, and right now, we have this in our /etc/ansible/hosts file:

[windows:vars]
ansible_connection=winrm
ansible_user=AdminAccount
ansible_password=AdminPassword
ansible_winrm_transport=ntlm
ansible_winrm_server_cert_validation=ignore

Obviously that’s not the best idea.

My goal would be this:

  1. Have the above lines in a group-vars file /etc/ansible/group_vars/windows/connection.yaml
  2. ansible-vault-encrypt that file
  3. Somehow have ansible recognize/know/understand that IF AND ONLY IF I need to access this file because I called a host in that group THEN it should act as though I had passed the --ask-vault-pass option.

Is that number 3 possible, somehow attach an --ask-vault-pass flag to a specific host group?

Another option which my co-worker discovered is that you can leave out the password from the vars file, and use the -k flag to ask for it. Same question – can I somehow attach a -k flag to specific hosts that always need it, without imposing on hosts/playbooks that don’t?

Thanks.

–EbH

Recent versions of Ansible should only load a group_vars file if needed, but a problem is that a hostvars['windowsmachine'] reference will also load that file (as it needs the vars for that host), even if you are not directly connecting to it.

As for the -k flag, there is a configuration entry for it, but there is no 'per host' as it is a global and has to prompt before starting the plays and the host loop.

Another option is vaulting the inventory file itself.

Also, look into AWX/Tower, it provides a full RBAC system and credential safety.

I suggest you vault your connection.yaml file and set a relative location for the vault password file in your ansible.cfg like this:

vault_password_file = ~/.vault

This at least lets you keep an encrypted password on disk - anyone with the vault password file has access to the hosts they need.

You may well want to limit the ‘blast radius’ by using different vault keys for different environments.

Another option if you have kerberos / active directory in your environment is to acquire a kerberos ticket when the user logs in (either because the host is set up to authenticate against active directory, or via a login script that runs kinit) and then configure ansible to use the ‘ambient’ ticket by setting ansible_winrm_kinit_mode to manual, as mentioned here: https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#kerberos

That way, you wouldn’t need to store a password for the windows hosts.

Hope this helps,

Jon
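As an added example (not code from the thread or from the Ansible project), here is a small pre-flight check that walks an inventory tree and refuses to pass if any file still carries a connection password in the clear, which is the problem the original /etc/ansible/hosts snippet has. A file is accepted when it is vaulted as a whole (it begins with the $ANSIBLE_VAULT; header that ansible-vault writes), when the secret value is an inline !vault block, or when the group uses Kerberos with ansible_winrm_kinit_mode=manual as Jon suggests and so has no password at all. The sample inventory tree it builds in a temporary directory is constructed for the demonstration, and the vault ciphertext in it is a placeholder, not real vault output.

```python
"""Pre-flight check: fail if an Ansible inventory tree stores connection
passwords in plain text. Hypothetical helper, not part of Ansible."""
import os
import re
import tempfile
from pathlib import Path

# Variables that would hold a connection or escalation secret in clear text.
SECRET_KEYS = (
    "ansible_become_password",
    "ansible_become_pass",
    "ansible_password",
    "ansible_ssh_pass",
)
# Header that ansible-vault puts at the top of a fully encrypted file.
VAULT_HEADER = "$ANSIBLE_VAULT;"
# Matches INI form "ansible_password=..." and YAML form "ansible_password: ...".
KEY_RE = re.compile(r"^\s*(%s)\s*[=:]\s*(.*)$" % "|".join(SECRET_KEYS))


def check_file(path):
    """Return findings ("path:line: message") for one inventory or vars file."""
    text = Path(path).read_text()
    if text.startswith(VAULT_HEADER):
        return []  # whole file is vaulted: nothing here is readable without the key
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = KEY_RE.match(line)
        if not match:
            continue
        value = match.group(2).strip()
        if value.startswith("!vault"):
            continue  # YAML inline vault value ("ansible_password: !vault |")
        findings.append(f"{path}:{lineno}: plaintext {match.group(1)}")
    return findings


def check_tree(root):
    """Walk an inventory directory (hosts file plus group_vars/host_vars)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            findings.extend(check_file(os.path.join(dirpath, name)))
    return findings


# Constructed sample tree mirroring the thread: a hosts file with the
# password in the clear (bad), a vaulted group_vars file (good), an inline
# vault value (good) and a Kerberos group that stores no password at all.
BAD_HOSTS = """[windows]
win1.example.test

[windows:vars]
ansible_connection=winrm
ansible_user=AdminAccount
ansible_password=AdminPassword
ansible_winrm_transport=ntlm
"""
VAULTED_VARS = "$ANSIBLE_VAULT;1.1;AES256\n00000000placeholder-ciphertext\n"
INLINE_VAULT_VARS = "ansible_user: AdminAccount\nansible_password: !vault |\n  $ANSIBLE_VAULT;1.1;AES256\n  00000000placeholder-ciphertext\n"
KERBEROS_VARS = """ansible_connection: winrm
ansible_winrm_transport: kerberos
ansible_winrm_kinit_mode: manual
"""


def build_sample_tree():
    """Write the constructed files into a fresh temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="inventory-"))
    (root / "group_vars" / "windows").mkdir(parents=True)
    (root / "group_vars" / "windows_inline").mkdir(parents=True)
    (root / "group_vars" / "windows_krb").mkdir(parents=True)
    (root / "hosts").write_text(BAD_HOSTS)
    (root / "group_vars" / "windows" / "connection.yaml").write_text(VAULTED_VARS)
    (root / "group_vars" / "windows_inline" / "connection.yaml").write_text(INLINE_VAULT_VARS)
    (root / "group_vars" / "windows_krb" / "connection.yaml").write_text(KERBEROS_VARS)
    return str(root)


def demo():
    """Run the check over the sample tree; only the hosts file should be flagged."""
    return check_tree(build_sample_tree())


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it as a pre-commit hook or in CI against the directory that holds your hosts file and group_vars; an empty result means every connection secret is either vaulted or not stored at all.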