prompting for password from the playbook

I have a playbook with different plays. Some plays are run with a specific user, for which we cannot set keys, and which also does sudo to another user. The other plays use a regular user, for which there are ssh keys.

My issue is that for the first play, I need to run "ansible-playbook -Kk", but I want the rest of the plays to be run with an ssh key. It fails because it tries to use the password given earlier...

Is there a way to make specific plays prompt for a password, like -kK would do?

Thanks.

Not right now.

However it’s the very very first time I was asked this, so I imagine some other people may have suggestions and I’d want to explore before we got into making features or syntax suggestions out of it.

Running it in two separate plays is one somewhat clear solution.

–Michael

I have this issue when I provision a node for the first time. By default, the nodes come up with password required for sudo and without ssh keys.

I have a role called “nopasswd” that copies a public key into an account with sudo privileges and adds a file to /etc/sudoers.d that allows passwordless sudo for that account.

I do what Michael mentioned, I run a playbook with -kK args with the nopasswd role, and after that I just run my other playbooks with -kK.

Lorin

I have the same type of needs as Yves (and Lorin) and am currently using separate playbooks (as Lorin does).

Same use case: populate the ssh key; after that, it requires sudo, which requires setting the sudo conf, like putting some account in the wheel group.

This is because, per my current understanding:

  • user/sudo are specified at the Play level

  • CLI-supplied passwd/user are for the entire playbook, that is, for all the plays in the playbook

Phil.

So if you are managing the system and installing the SSH key, wouldn’t it be ok if the rest of the play continued to use the password?

I’m open to a sort of play parameter to override the default ask_sudo_pass and ask_pass but want to make sure we understand use cases first.

Attempt at describing the use case:

  • Stage 1: OS installation from scratch (via cobbler)

    that brings in ansible and runs a playbook (local only) as root, doing various needed adjustments;

    that also creates a well-known user with a well-known passwd;

    OK, can assume the account is in the wheel group, so it can sudo.

  • Main Stage: via a playbook

    Play 0: trigger Stage 1 above, waiting for completion.

    Play 1:
    can remotely log into the system (via the well-known account), using the passwd;
    install the ssh key into a new real user that is also created;
    can put that new user in the wheel group too.

    Play 2:
    log in to the same host via the ssh key;
    remove the well-known account.

From there the system is ready to do whatever task is needed via playbooks, only needing the ssh key.

Hope it clarifies - maybe there's a better way?
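The bootstrap flow Lorin describes (a role that installs a public key and drops a passwordless-sudo file under /etc/sudoers.d) and the Play 1 / Play 2 split Phil sketches above, written out as two separate playbooks. This is an added example, not code from either poster or from the Ansible project; the group name `new_nodes`, the account names `bootstrap` and `deploy`, and the key path are placeholders, and it uses current `remote_user`/`become` syntax rather than the `sudo:` keyword of the period.

```yaml
---
# bootstrap.yml  (separate file)
# Run once per new node, prompting for the well-known account's passwords:
#   ansible-playbook -i hosts -kK bootstrap.yml
# Host group, user names and key path below are placeholders for this example.
- hosts: new_nodes
  remote_user: bootstrap           # the well-known account created in Stage 1
  become: yes                      # its sudo password comes from -K
  vars:
    admin_user: deploy
    admin_pubkey: "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}"
  tasks:
    - name: Create the real admin account, in wheel so it can sudo
      user:
        name: "{{ admin_user }}"
        groups: wheel
        append: yes
        shell: /bin/bash

    - name: Install the controller's public key for the admin account
      authorized_key:
        user: "{{ admin_user }}"
        key: "{{ admin_pubkey }}"
        state: present

    - name: Allow passwordless sudo for the admin account only
      copy:
        dest: "/etc/sudoers.d/{{ admin_user }}"
        content: "{{ admin_user }} ALL=(ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: "visudo -cf %s"  # refuse to install a fragment visudo rejects

---
# cleanup.yml  (separate file)
# Run afterwards with the key only, no -k/-K:
#   ansible-playbook -i hosts cleanup.yml
- hosts: new_nodes
  remote_user: deploy
  become: yes                      # passwordless now, via the sudoers drop-in
  tasks:
    - name: Remove the well-known bootstrap account and its home directory
      user:
        name: bootstrap
        state: absent
        remove: yes
```

The first file is run with `-kK`, so Ansible prompts for the well-known account's ssh and sudo passwords; once the key and the sudoers drop-in are in place, every later run (the cleanup playbook included) uses the key with no `-k`/`-K`, which is the two-playbook split the thread settles on. The `validate` line is worth keeping: a malformed sudoers fragment can break sudo for everyone on the host, and `visudo -cf` rejects it before it lands. Because the NOPASSWD rule makes possession of the `deploy` private key the only step between a login and root, scope it to that one account rather than a whole group, as here, and remove the bootstrap account once it has served its purpose.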

I would be very tempted to have Cobbler install the authorized key in %post in this case, which saves the complexity of setup.

You could even use different profiles in cobbler to pick different keys.

Not necessarily having control of the available cobbler service or profile definition; just being able to pxe boot, so it depends on what the profile is providing.

If the team controlling cobbler is nice, you could ask them to tweak the kickstart for you :)

For my personal case, I was thinking more along the lines of trying to use ssh keys, UNLESS a particular play specifies ask_sudo_pass / ask_pass.

So...

- hosts: hosts_for_play1
  ask_pass: yes      # proposed play-level option, not existing syntax
  roles:

- hosts: hosts_for_play2
  roles:
Here the password would be used for play1, but ansible would try to use an ssh key for play2 and the next ones.