You can try this one
```yaml
- name: Prompt for password
  hosts: localhost  # host not given in the post; localhost assumed
  vars_prompt:  # vars_prompt is a play-level keyword, so the tasks go under `tasks:`
    - name: my_pwd
      prompt: "Enter your password"
      private: true
  tasks:
    - name: Source the environment variable file
      shell: "source ./myenv"
    - name: Retrieve password from Ansible Vault
      shell: "ansible-vault view my_password_file --vault-password-file ~/.vault_pass.txt"
      register: password_output
    - name: Source the environment variable file
      shell: "source ./myenv"
      environment:
        MY_PASSWORD: "{{ password_output.stdout }}"
```
Is there any other way/module to read the password from the variable?
Yes, there are several ways to read a password from a variable in a secure manner. One common method is to use the `getpass` module in Python.
The `getpass` module provides a way to securely prompt the user for a password without echoing the characters typed to the screen. Here’s an example of how to use it:
```python
import getpass

password = getpass.getpass(prompt='Enter your password: ')
```
When this code runs, the user will be prompted to enter their password, but the characters they type will not be displayed on the screen. The password will be stored in the `password` variable.
Another way to securely store passwords is to use an encryption library like `cryptography` or `pycryptodome`. These libraries provide methods for encrypting and decrypting sensitive information, including passwords.
However, it’s important to keep in mind that no method is 100% foolproof, and there is always some risk involved when handling sensitive information like passwords. It’s always a good idea to follow best practices for password security, such as storing passwords in a secure password manager, using strong and unique passwords, and using two-factor authentication whenever possible.
Is there any other way/module to read the password from the variable using Ansible?
Yes, there are several ways to securely read a password from a variable in Ansible. Here are some options:
- Ansible Vault: Ansible Vault is a built-in feature that allows you to encrypt sensitive data, such as passwords and keys, in your inventory or playbook files. You can use the `ansible-vault` command to encrypt and decrypt files containing sensitive data. To read the password from an encrypted variable, you can use the `ansible-vault` command to decrypt the file containing the variable and then read the variable value.
- Ansible Credential Plugin: Ansible has a built-in credential plugin system that allows you to securely store and retrieve credentials, such as passwords and keys, from a variety of sources, including Hashicorp Vault, CyberArk, and more. To use a credential plugin to read a password from a variable, you can define the credential in your inventory or playbook and then use the `lookup` function to retrieve the password.
- Environment Variables: You can store sensitive data, such as passwords and keys, in environment variables and then read the variable value in your playbook using the `lookup` function. To ensure the security of the password, you should encrypt the environment variable using an external tool, such as `ansible-vault` or a third-party encryption tool.
- Python Script: You can write a custom Python script that reads the password from a file or another secure source, and then use the `script` module in Ansible to run the script and retrieve the password value.
Each of these options has its own pros and cons, so it’s important to choose the one that best suits your use case and security requirements.
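One way to combine the Ansible Vault option above with the `./myenv` task from this thread, as an added example that is not part of any post here. The file `vars/secret.yml` and the variable `vault_my_pwd` are hypothetical names, and the play assumes the password prompt reads standard input rather than opening the terminal directly.

```yaml
# Added example, not from the thread. Assumed layout:
#   vars/secret.yml  holds `vault_my_pwd: <password>` and was encrypted with
#                    `ansible-vault encrypt vars/secret.yml`
# Run with: ansible-playbook site.yml --ask-vault-pass
- name: Source myenv with a vaulted password
  hosts: localhost
  gather_facts: false
  vars_files:
    - vars/secret.yml            # decrypted in memory when the play loads
  vars:
    my_pwd: "{{ vault_my_pwd }}"
  tasks:
    - name: Fail early if the password is missing or empty
      ansible.builtin.assert:
        that:
          - my_pwd is defined
          - my_pwd | length > 0
        fail_msg: "vault_my_pwd is not set in vars/secret.yml"
        quiet: true

    - name: Source the environment variable file
      ansible.builtin.shell:
        cmd: source ./myenv
        executable: /bin/bash    # `source` is a bash builtin; /bin/sh may lack it
        stdin: "{{ my_pwd }}"    # assumption: the prompt reads standard input
      no_log: true               # keeps the password out of task output and logs
```

The plaintext password never appears in the playbook, on a command line, or in the task result, and the play needs no `pexpect` on the target.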
```yaml
my_pwd: hiddenpass
```
```yaml
- name: source the environment variable file
  shell: "source ./myenv"
```
While executing I am prompted with a password, so I am using the expect module to pass the password:
```yaml
- name: Case insensitive password string match
  ansible.builtin.expect:
    command: source ./myenv
    responses:
      (?i)password: "{{ my_pwd }}"
  # you don't want to show passwords in your logs
  no_log: true
```
It fails with the below error:
```
fatal: [127.0.0.1]: FAILED! => { "censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false }
```
If I set `no_log: false`, then I receive the below error:
```
"msg": "Failed to import the required Python library (pexpect)
```
Is there any other way/module to read the password from the variable?
Yes, there are other ways to read a password from a variable in Ansible without using the `expect` module.
One way is to use the `vars_prompt` module to prompt the user for the password at runtime. Here’s an example:
```yaml
- name: Prompt for password
  hosts: localhost  # host not given in the post; localhost assumed
  vars_prompt:
    - name: my_pwd
      prompt: "Enter your password"
      private: true
  tasks:
    - name: Source the environment variable file
      shell: "source ./myenv"
```
When this playbook runs, the user will be prompted to enter their password, and the value will be stored in the `my_pwd` variable. The `private: true` option ensures that the password is not displayed on the screen as it is being entered.
Another option is to store the password in an encrypted file using Ansible Vault and then use the `ansible-vault` command to retrieve the value at runtime. Here’s an example: