Securing host-specific sensitive details using ansible-vault and later pushing them to HashiCorp Vault

I am doing Network Automation where we have different flavours of devices like NetScaler, Cisco, Juniper, Fortigate etc.

This is DevOps at its best, where we put host details like IPs, usernames and passwords into the inventory file on the Ansible machine and then create playbooks to carry out use cases like updating SSL certificates on all devices, rolling updates etc.

I need help on designing how to save and secure sensitive details w.r.t. host machines, like usernames and passwords.
Currently I am encrypting the inventory file with ansible-vault using the --ask-vault-pass and --vault-password-file options, but both of them fail when I run playbooks with NITRO APIs, with the error:

```
localhost]: FAILED! => {"changed": false, "msg": "nitro exception during login. errorcode=354, message=Invalid username or password"}
```

Basically, it does not accept the encrypted password; the same playbook works when I try an unencrypted host file.

Second problem: let's assume it works, and then I have this vault-password file in plain text, so how do I push it to HashiCorp Vault? I am planning to use the vault write command to save this vault password file to a path and then use lookup modules to read the secret.

Is it justified to have two vaults to save passwords, or should I straight away save my inventory file in HashiCorp Vault and run the ansible-playbook command pointing to that inventory? Glad if someone can share code or command snippets to explain.
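One way to lay this out, as an added example that is not code from the original post or from the citrix-adc-ansible-modules project: keep the inventory free of secrets, store each device's NITRO credentials in a HashiCorp Vault KV v2 secret, and have the playbook pull them at run time with the `community.hashi_vault.hashi_vault` lookup, so no ansible-vault password file has to live on disk at all. Everything here is constructed: the group `netscaler`, the host `ns01` at the documentation address 192.0.2.10, the KV mount `secret` with the path `network/ns01`, the key names `nitro_user` / `nitro_pass`, and the certificate name `web-cert-2024`. The `citrix.adc.citrix_adc_ssl_certkey` module and lookup parameters are as documented in those collections at the time of writing; verify them against the versions you install.

```yaml
# site.yml -- added example, not from the original post or the citrix-adc-ansible-modules project.
# Assumptions (all constructed): inventory group "netscaler"; host ns01 at 192.0.2.10;
# a KV v2 engine mounted at "secret" holding secret/network/ns01 with the keys
# nitro_user and nitro_pass; collections citrix.adc and community.hashi_vault installed.
#
# One-time steps outside Ansible (vault CLI against your own server):
#   vault kv put secret/network/ns01 nitro_user=nsroot nitro_pass='<real password>'
#   export VAULT_ADDR=https://vault.example.internal:8200      # placeholder address
#   export VAULT_TOKEN=<short-lived token, e.g. from an AppRole login>
#
# inventory.yml (plain text, nothing secret in it, so it can be committed as-is):
#   netscaler:
#     hosts:
#       ns01:
#         nsip: 192.0.2.10
#
# Run: ansible-playbook -i inventory.yml site.yml
---
- name: Push a renewed SSL certificate to every NetScaler, credentials read from HashiCorp Vault
  hosts: netscaler
  connection: local          # NITRO is an HTTPS API; the modules run on the controller, not on the device
  gather_facts: false
  vars:
    # One secret per device, so a leaked credential for one box does not cover the others.
    vault_path: "secret/data/network/{{ inventory_hostname }}"
    # The lookup takes the server address and token from VAULT_ADDR / VAULT_TOKEN in the
    # environment; the ':key' suffix returns a single field of the KV v2 secret.
    nitro_user: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=' ~ vault_path ~ ':nitro_user') }}"
    nitro_pass: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=' ~ vault_path ~ ':nitro_pass') }}"
  tasks:
    - name: Upload the renewed certificate and key (paths are on the appliance)
      citrix.adc.citrix_adc_ssl_certkey:
        nsip: "{{ nsip }}"
        nitro_user: "{{ nitro_user }}"
        nitro_pass: "{{ nitro_pass }}"
        nitro_protocol: https
        validate_certs: true
        state: present
        certkey: web-cert-2024                  # constructed name
        cert: /nsconfig/ssl/web-cert-2024.pem   # constructed path
        key: /nsconfig/ssl/web-cert-2024.key    # constructed path
      no_log: true   # keep the fetched credentials out of the play output and any job logs
```

With this layout the second vault is not needed as a second layer: HashiCorp Vault holds the device credentials, and ansible-vault is only worth using for values that must be committed alongside the playbooks (`ansible-vault encrypt_string --vault-id netscaler@prompt '<value>' --name nitro_pass`, then `--vault-id netscaler@prompt` on the `ansible-playbook` command line), not for a password file that would itself have to be stored somewhere. Two checks worth keeping: `no_log: true` on every task that receives the credentials, since a failed NITRO login otherwise echoes the module arguments, and a Vault token with a short TTL and a policy limited to `secret/data/network/*` rather than a root token in `VAULT_TOKEN`.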

I know it's a 4.5-year-old message. Trying to see if I can be of help here.

I am the maintainer of Citrix-adc-ansible-modules (NetScaler) – https://github.com/citrix/citrix-adc-ansible-modules

I have tested it working with ansible-vault.

Let me know if you still need help with this.