Using raw passwords with ansible_password directly in playbooks deprecated?

Matt_Miller · October 30, 2020, 4:14pm

The reasoning behind not revealing username/passwords directly in playbooks is obvious and speaks for itself.

However, I am calling playbooks from an application that includes credential security/management, and provides credentials at runtime.

For this reason, including ansible_user/ansible_password directly in our playbook invocations works well.

My question …

I seem to recall seeing something about this method of providing credentials has been tagged as deprecated, but now I can’t find where it says so. Is this method being deprecated, or am i mis-recollecting?

Thanks,
Matt

cassell · October 30, 2020, 4:40pm

You're doing it properly. There is also ansible_ssh_pass, but that's been emphasized less in favor of the ansible_password transport-agnostic version.

V/r,
James Cassell

Matt_Miller · October 30, 2020, 5:18pm

Hmmm. I could of sworn I remembered seeing something to that affect. Anyway, great to hear.

Thanks James!

system · November 3, 2020, 3:48pm

both generic and specific will work (it is defined by each connection
plugin some even have many variations), just note that the specific
has greater precedence so if you use both with ssh, ansible_ssh_pass
will override ansible_password.

Topic		Replies	Views
Possible to switch credentials mid-playbook? Ansible Project	0	6	September 21, 2016
Using ansbile and ansbile-playbook with just the password for the remote host Ansible Project	9	0	October 19, 2016
Using ansible_ssh_pass variable set by ask_pass in a playbook? Ansible Project	1	2	April 9, 2015
Best practice - Passwordless authentication or use --ask-pass before executing playbook? Ansible Project	1	0	August 20, 2018
I can access ansible_ssh_pass but not ansible_become_pass? Ansible Developer	6	5	November 28, 2018

Using raw passwords with ansible_password directly in playbooks deprecated?

Related topics