Update Ansible password inside an ansible run

Hi,
I try to update the password of the ansible user, which works, but after updating the password the next step fails because authentication failed.
I tried to update ansible_become_password, but maybe it cannot be updated at runtime?

Here are the relevant parts of my playbook:

    - name: "Generate an ansible secret for host {{ new_hostname }}"
      ansible.builtin.set_fact:
        new_ansible_password: "{{ lookup('ansible.builtin.password', '/dev/null', length=32) }}"

    - name: Insert or Update ansible password inside passwordstore
      ansible.builtin.set_fact:
        pass_storage: "{{ lookup('community.general.passwordstore', 'clients/' + new_hostname + '/ansible_password', userpass=new_ansible_password, preserve=false, overwrite=true, create=true, timestamp=false) }}"

    - name: Set new ansible password on system
      ansible.builtin.user:
        name: ansible
        password: "{{ new_ansible_password | password_hash('sha512', password_salt) }}"
        state: present

    - name: Update ansible_become_password to new password
      ansible.builtin.set_fact:
        ansible_become_password: "{{ new_ansible_password }}"


    - name: "Force password change for {{ my_user }}"
      ansible.builtin.shell: chage -d 0 "{{ username }}"
      when: adduser.changed

    - name: create ssh related user folder
      ansible.builtin.file:
        path: "/home/{{username}}/.ssh/"
        state: directory

Unfortunately this does not work; I get the following output:

TASK [Generate a ansible secret for host deploy-test] **************************************************
ok: [vm_provision]

TASK [Insert or Update ansible password inside passwordstore] ******************************************
ok: [vm_provision]

TASK [Set new ansible password on system] **************************************************************
[DEPRECATION WARNING]: Encryption using the Python crypt module is deprecated. The Python crypt module
is deprecated and will be removed from Python 3.13. Install the passlib library for continued
encryption functionality. This feature will be removed in version 2.17. Deprecation warnings can be
disabled by setting deprecation_warnings=False in ansible.cfg.
changed: [vm_provision]

TASK [Update ansible_become_password to new password] **************************************************
ok: [vm_provision]

TASK [Force password change for HexaOrko] ***************************************************************
skipping: [vm_provision]

TASK [create ssh related user folder] ******************************************************************
fatal: [vm_provision]: FAILED! => {"changed": false, "module_stderr": "Warning: Permanently added '192.168.1.254' (ED25519) to the list of known hosts.\r\nConnection to 192.168.1.254 closed.\r\n", "module_stdout": "\r\r\ndoas: Authentication failed\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

I do similar operations frequently with network devices, the only difference being that there is no use for ansible_become_password, so I am typically updating ansible_password. I would suggest trying that, as you have to get through SSH authentication first, either with a key or a password, before you can even think about using the privilege escalation command. And from my limited server management experience, issues with the become method usually have more of a hint that you are having a problem with sudo, or whatever the become method is.

Another thing that has been helpful to me when doing bootstrap type operations where I actually switch the ansible_connection type was issuing an ansible.builtin.meta: reset_connection, but that doesn’t seem like it would apply here.


I guess I found the problem: there is an inaccuracy. According to the Ansible docs the variable name to use, for example inside an inventory, is ansible_become_password
(and there it works),
but I also found hints that the name inside the play is simply ansible_pass. But when I look at the source of truth, the correct variable inside the play seems to be ansible_become_pass.

So let's do a quick test:

    - name: quick and dirty test
      ansible.builtin.debug:
        msg:
          - "ansible_become_password: {{ ansible_become_password | default('does not exits') }}"
          - "ansible_become_pass: {{ ansible_become_pass | default('does not exits') }}"
          - "ansible_pass: {{ ansible_pass | default('does not exits') }}"

And yes, this looks better:

TASK [quick and dirty test] ***************************************************
ok: [vm_provision] => {
    "msg": [
        "ansible_become_password: does not exits",
        "ansible_become_pass: my-secret-password",
        "ansible_pass: does not exits"
    ]
}

The first documentation link includes the note:

The variables defined above are generic for all become plugins but plugin-specific ones can also be set instead. Please see the documentation for each plugin for a list of all options the plugin has and how they can be defined. A full list of become plugins in Ansible can be found at Become plugins.

It's ultimately up to the become plugin which variables are used. Here's the full list for the sudo become method, for example: ansible.builtin.sudo become – Substitute User DO — Ansible Community Documentation (which does support an ansible_sudo_pass but not ansible_pass). PlayContext is not the source of truth; the variables are determined from the plugin here.
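Putting the thread's finding together, here is an added example play (not the original poster's playbook, and not from the Ansible project) that rotates the become password and keeps escalating privileges for the rest of the same play. It assumes SSH login already works as the ansible user with a key, so only privilege escalation depends on the password, that the host is the vm_provision host from the thread, and that the inventory's become plugin honours the generic ansible_become_pass variable; the verification task at the end fails the play early if the plugin did not pick up the rotated password.

```yaml
# Added example for this thread; not the original poster's playbook.
# Assumptions: SSH authentication uses a key as the "ansible" user, so only
# become depends on the password; the become plugin reads the generic
# ansible_become_pass variable (plugin-specific names are possible).
- name: Rotate the ansible become password and keep escalating in the same play
  hosts: vm_provision
  gather_facts: false
  tasks:
    - name: Generate a new 32-character password (kept out of the logs)
      ansible.builtin.set_fact:
        new_ansible_password: "{{ lookup('ansible.builtin.password', '/dev/null', length=32) }}"
      no_log: true

    - name: Set the new password on the system (this task still uses the OLD become password)
      become: true
      ansible.builtin.user:
        name: ansible
        # password_hash generates a random salt when none is given
        password: "{{ new_ansible_password | password_hash('sha512') }}"
        state: present
      no_log: true

    - name: Switch the become password for the remaining tasks
      ansible.builtin.set_fact:
        # play-scope name that worked in the thread's debug test;
        # ansible_become_password only resolved from the inventory
        ansible_become_pass: "{{ new_ansible_password }}"
      no_log: true

    - name: Verify escalation works with the rotated password before doing real work
      become: true
      ansible.builtin.command: id -u
      register: become_check
      changed_when: false

    - name: Fail early if the become plugin did not use the new password
      ansible.builtin.assert:
        that: become_check.stdout == "0"
        fail_msg: "become did not succeed with the rotated password; check which variable your become plugin reads"
```

Run it with the usual `ansible-playbook -i inventory rotate.yml`; the `no_log: true` on the password tasks keeps the cleartext secret out of the task output, and the `id -u` check gives a clear failure at the rotation step instead of a generic MODULE FAILURE several tasks later.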