Hello!
I am trying to reduce the number of times I need to type a password in Ansible, with the vault-id given by a script.
I have made some tests with vault, but I can't succeed with a "become: yes" defined on the hosts instruction.
My vault file vault.yml contains the password like this:

```yaml
ansible_user: root
ansible_become_password: MDP
```

This playbook works:
```yaml
- hosts: gp_cible
  pre_tasks:
    - name: include vars encrypted by vault
      include_vars: "vault.yml"
  tasks:
    - name: ansible user
      debug:
        msg: "{{ ansible_user }}"
    - block:
        - name: test root cmd
          command: sudo echo 'test root echo'
          register: echo_cmd
          changed_when: "echo_cmd.rc != 0"
          failed_when: "echo_cmd.rc != 0"
      become: yes
      rescue:
        - name: fail - result root cmd
          debug:
            var: echo_cmd
```
```text
fstefaniak@ansible-master(master):~/test/vault/playbook_extended$ ansible-playbook playbook.yml -i inventory --vault-id vault-id.sh

PLAY [gp_cible] **********************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] ***************************************************************************************************************************************************************************************************************
ok: [shibv3-qual.foo.fr]

TASK [include vars encrypted by vault] ***********************************************************************************************************************************************************************************************
ok: [shibv3-qual.foo.fr]

TASK [ansible user] ******************************************************************************************************************************************************************************************************************
ok: [shibv3-qual.foo.fr] => {
    "msg": "root"
}

TASK [test root cmd] *****************************************************************************************************************************************************************************************************************
 [WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running sudo
ok: [shibv3-qual.foo.fr]

PLAY RECAP ***************************************************************************************************************************************************************************************************************************
shibv3-qual.foo.fr : ok=4    changed=0    unreachable=0    failed=0
```
Now, if I move the become to the play level, it does not work:

```yaml
- hosts: gp_cible
  pre_tasks:
    - name: include vars encrypted by vault
      include_vars: "vault.yml"
  become: yes
  tasks:
    - name: ansible user
      debug:
        msg: "{{ ansible_user }}"
    - block:
        - name: test root cmd
          command: sudo echo 'test root echo'
          register: echo_cmd
          changed_when: "echo_cmd.rc != 0"
          failed_when: "echo_cmd.rc != 0"
      rescue:
        - name: fail - result root cmd
          debug:
            var: echo_cmd
```
```text
fstefaniak@ansible-master(master):~/test/vault/playbook_extended$ ansible-playbook playbook_global_become.yml -i inventory --vault-id vault-id.sh

PLAY [gp_cible] **********************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] ***************************************************************************************************************************************************************************************************************
fatal: [shibv3-qual.foo.fr]: FAILED! => {"changed": false, "module_stderr": "Shared connection to shibv3-qual.foo.fr closed.\r\n", "module_stdout": "sudo: il est nécessaire de saisir un mot de passe\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
        to retry, use: --limit @/home/fstefaniak/test/vault/playbook_extended/playbook_global_become.retry

PLAY RECAP ***************************************************************************************************************************************************************************************************************************
shibv3-qual.foo.fr : ok=0    changed=0    unreachable=0    failed=1
```
I'm a system administrator: I always need become, so I don't want to define it on every task…
Do you have a solution to define the global become instruction and the var ansible_become_password in a vault file?
Thank you
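An added example, not part of the original post, that shows the ordering problem behind the second run: with `become: yes` at play level, the implicit `Gathering Facts` task already runs with privilege escalation, but `include_vars` in `pre_tasks` only executes after fact gathering, so `ansible_become_password` is not yet defined when sudo first asks for it (the `sudo: il est nécessaire de saisir un mot de passe` line in the output). Loading the encrypted file with `vars_files` at play level makes the variable available from the start of the play, so become can stay global. It assumes the `gp_cible` group and the `vault.yml` from the post; the `id -u` task is a constructed replacement for the post's `sudo echo`, so that the check verifies escalation actually produced uid 0 instead of calling sudo again inside a become task.

```yaml
# playbook_global_become.yml (example, not the poster's file)
# Run exactly as in the post:
#   ansible-playbook playbook_global_become.yml -i inventory --vault-id vault-id.sh
- hosts: gp_cible
  become: yes               # global escalation for every task, including Gathering Facts
  vars_files:
    - vault.yml             # vault-encrypted; decrypted with --vault-id and loaded before any task runs
  tasks:
    - name: ansible user
      debug:
        msg: "{{ ansible_user }}"

    - name: verify that become really gave us root
      command: id -u        # no explicit sudo: become already escalated this task
      register: id_cmd
      changed_when: false   # a read-only check never changes the host
      failed_when: id_cmd.stdout != "0"
```

The `--vault-id vault-id.sh` script keeps the vault password out of the terminal; the become password itself still only exists inside the encrypted `vault.yml`, so nothing is typed interactively. If some play must run unprivileged, set `become: no` on that play or task rather than dropping the global setting.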