Forgot to mention this cool trick recently added by Javier Candeira:
https://github.com/ansible/ansible/blob/devel/lib/ansible/runner/lookup_plugins/password.py
This is a lookup plugin that you can use inside variables to generate
and store passwords for you.
If doing this, be sure you guard permissions on the storage directory
closely, and it obviously requires that you run ansible from the same
machine (or otherwise share the storage directory).
Usage for a 30 character password that is unique per host might look like this:

    vars:
      foo_password: $PASSWORD(/opt/storage/${ansible_hostname}/foo_password,30)

Or just like this in a simpler form:

    vars:
      foo_password: $PASSWORD(/opt/storage/foo_password)

The ",30" is optional -- leaving it off uses a default length.
You can use other variables that expand "late" in the storage path to
make the passwords vary by any fact you choose, or you can not use
any variables to set a password that is always the same.
So, basically, anywhere you want, you can use ${foo_password} and it
would be set to a generated password that would not change, unless you
wanted to go and change it.
I think this is a pretty neat trick.
It only does the one storage medium right now (disk), though once the
ansible-commander project is further along we might tweak it to also pull
from a DB or something. We'll see!
--Michael
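
The generate-once-then-reuse behaviour described above, together with the advice to guard the storage directory, sketched as an added example that is not part of the original post and is not the plugin's own code. The function name, the alphabet and the default length of 20 are assumptions (the post does not state the default).

```python
import os
import secrets
import stat
import string
import tempfile

ALPHABET = string.ascii_letters + string.digits  # assumption: not from the post
DEFAULT_LENGTH = 20  # assumption: the post only says "a default length"


def stored_password(path, length=DEFAULT_LENGTH):
    """Return the password stored at `path`, generating it on first use."""
    directory = os.path.dirname(path)
    # Create a missing storage directory owner-only. Only this leaf directory
    # is checked; parent directories need the same care.
    os.makedirs(directory, mode=0o700, exist_ok=True)
    mode = stat.S_IMODE(os.stat(directory).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{directory} is accessible to group/other ({oct(mode)})")
    try:
        # O_EXCL creates the file only if absent, so an existing password is
        # never overwritten; 0600 applies from the moment of creation.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        with open(path) as fh:
            return fh.read().strip()
    password = "".join(secrets.choice(ALPHABET) for _ in range(length))
    with os.fdopen(fd, "w") as fh:
        fh.write(password + "\n")
    return password


if __name__ == "__main__":
    # Constructed storage root standing in for /opt/storage.
    root = tempfile.mkdtemp()
    per_host = os.path.join(root, "web1", "foo_password")
    first = stored_password(per_host, 30)
    again = stored_password(per_host, 30)
    print("stable across runs:", first == again, "length:", len(first))
```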