Using Pathword Authentication to run a Playbook

Hello!

I have a single playbook with various plays in it.

It goes out to different environments, either dev, uat, or prod (based on the --extra-vars input by the user deploying the playbook).

i.e. ansible-playbook -i hosts deploy.yml --extra-vars "env=uat"

Is there any way I can set the ansible-playbook to require a password if a user selects the prod environment?

They should be allowed to deploy to dev and uat without any authentication or passwords.

Thanks
JS

Since you use "Pathword" in the subject I guess you are after a hurdle so users don't accidentally run against production?

If so, you can do something like this:

- pre_tasks:
    # Only ask the question when the user targets prod; dev/uat skip this task.
    - pause:
        prompt: "You are running against production. What is the magic word?"
      register: result
      when: env == 'prod'

    # 'when' belongs at task level, not inside the module arguments.
    # default('') covers the skipped case, where result has no user_input.
    - fail:
        msg: "Aborting, wrong magic."
      when: result.user_input | default('') != 'answerable' and env == 'prod'

If not, you could use passwords against production and keys on the other environments.

What about not putting the users keys onto the production servers?

Hi Kai

Fantastic, many thanks for your reply!

I’ll give your play a shot (I prefer having the keys set up as I have also made the playbooks available via Jenkins for automation!) and if that doesn’t work I’ll use password authentication for Prod and keys for the other environments!

Regards
JS

Hi Dick

Fantastic, many thanks for your reply!

I’ll give Kai’s play above a shot (I prefer having the keys set up as I have also made the playbooks available via Jenkins for automation!) and if that doesn’t work I’ll use password authentication for Prod and keys for the other environments!

Regards
JS

Just starting to use Ansible, but wouldn't this be better solved using a separate ssh key for prod systems that requires a password that only authorized personnel have access to, and loading that key into ssh-agent before running plays? Depending on your naming scheme, you may even be able to specify production hosts via wildcard in the ~/.ssh/config file. This not only limits the ability to push to production but adds additional security.

Note: Ansible's user module can be used to push out new ssh authorized keys.

Apologies if this solution is off the mark but my background is in information security.

Hi Kai

Thanks for that - it worked like a charm on the CLI!

- pre_tasks:
    - pause:
        prompt: "You are running against production. What is the magic word?"
      register: result
      when: env == 'prod'

    - fail:
        msg: "Aborting, wrong magic."
      when: result.user_input | default('') != 'answerable' and env == 'prod'

I’ve integrated the playbook with Jenkins, so it doesn’t work there. I get the following error: [WARNING]: Not waiting from prompt as stdin is not interactive

But I suppose that’s not a problem as we can run DEV/UAT via Jenkins (GUI) and the PROD environment via CLI.

ansible-playbook isn't really the right tool for writing interactive tooling. There is some very limited support for it, but it is not a good approach.

Some of the previously mentioned suggestions (password-protected prod-only ssh keys and ssh-agent...) will be more useful in the long run. Or use a wrapper script to handle the interactivity if required.

But avoid trying to use ansible as an interactive tool.
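The following is an added example, not code from anyone in this thread, putting together the two suggestions above: the passphrase-protected prod-only key loaded into ssh-agent, and a wrapper script that does the interactive part outside Ansible. It keeps the thread's `-i hosts deploy.yml --extra-vars "env=..."` invocation and its dev/uat/prod names; the key path `~/.ssh/prod_deploy`, the key comment and the fingerprints in the sample `ssh-add -l` listing are made up for illustration.

```shell
#!/bin/sh
# deploy.sh: wrapper around ansible-playbook that gates prod on (a) an
# interactive terminal, (b) the passphrase-protected prod key being loaded
# in ssh-agent, and (c) an explicit confirmation. dev and uat pass straight
# through. Key path and key naming below are hypothetical.

PROD_KEY="${PROD_KEY:-$HOME/.ssh/prod_deploy}"   # assumed private key; $PROD_KEY.pub beside it

# Constructed sample of what `ssh-add -l` prints (fingerprints are fake);
# used only to exercise key_loaded without a running agent.
SAMPLE_LISTING='3072 SHA256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa js@laptop (RSA)
256 SHA256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb prod-deploy (ED25519)'

# env_class ENV: prints "gated" for prod, "open" for dev/uat, fails on anything
# else, so a typo such as env=prd cannot slip through as an unguarded environment.
env_class() {
  case "$1" in
    prod)    echo gated ;;
    dev|uat) echo open ;;
    *) echo "unknown env: '$1' (expected dev, uat or prod)" >&2; return 1 ;;
  esac
}

# key_loaded LISTING FINGERPRINT: succeeds if LISTING (output of `ssh-add -l`,
# one "<bits> <fingerprint> <comment> (<type>)" line per key) contains a key
# whose fingerprint is exactly FINGERPRINT. Matching on the fingerprint rather
# than the comment means a differently named key cannot stand in for it.
key_loaded() {
  [ -n "$2" ] || return 1
  printf '%s\n' "$1" | awk -v fp="$2" '$2 == fp { found = 1 } END { exit (found ? 0 : 1) }'
}

# run_deploy ENV [extra ansible-playbook args...]
run_deploy() {
  env="$1"; shift
  class=$(env_class "$env") || exit 2
  if [ "$class" = gated ]; then
    # Jenkins and other non-interactive callers are refused outright instead
    # of silently skipping the prompt the way pause does.
    [ -t 0 ] || { echo "refusing prod deploy: stdin is not a terminal" >&2; exit 1; }
    fp=$(ssh-keygen -lf "$PROD_KEY.pub" 2>/dev/null | awk '{ print $2 }')
    [ -n "$fp" ] || { echo "cannot read $PROD_KEY.pub" >&2; exit 1; }
    if ! key_loaded "$(ssh-add -l 2>/dev/null)" "$fp"; then
      # ssh-add prompts for the key's passphrase, so only people who know it
      # get past this point; the key then lives in the agent, not on disk unlocked.
      ssh-add "$PROD_KEY" || exit 1
    fi
    printf 'Deploying to PROD. Type prod to confirm: '
    read -r answer
    [ "$answer" = prod ] || { echo "aborted" >&2; exit 1; }
  fi
  exec ansible-playbook -i hosts deploy.yml --extra-vars "env=$env" "$@"
}

# Only act when invoked with arguments, e.g.  ./deploy.sh prod  or  ./deploy.sh uat --check
if [ $# -gt 0 ]; then run_deploy "$@"; fi
```

Two things worth noting about this arrangement. The `[ -t 0 ]` check is what turns the "stdin is not interactive" warning seen under Jenkins into a hard failure for prod while leaving dev/uat runnable from the job. And the wrapper is only a convenience: anyone who can type `ansible-playbook` directly bypasses it, so the control that actually holds is the one from the thread, namely that prod servers accept only the passphrase-protected key. Pairing that with an `~/.ssh/config` stanza such as `Host prod-*` (assuming prod hosts share that prefix) with `IdentityFile ~/.ssh/prod_deploy` and `IdentitiesOnly yes` keeps the prod key from being offered anywhere else and keeps the everyday keys from being tried against prod.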