Ansible Vault - store credentials for all hosts in one vault file


Libor Burda

Oct 22, 2018, 3:57:43 AM
to Ansible Project
Hello everyone.

Is there any way to store credentials in one Vault file, so that these credentials are applied to each host?

For example, when I create group_vars/all.yml and store creds here and then execute a playbook with --limit=single_host, these credentials are not applied. I would probably have to create a vault file for each host, but that's crazy when you have thousands of servers.

The goal is to stop Ansible execution once you enter a wrong SSH password. Right now, Ansible tries to connect with the wrong password, it fails, and our SIEM detects this as an attack and locks the account instantly.

Or is there any alternative way to prevent this from happening?

Thanks in advance.


Tony Chia

Oct 22, 2018, 12:24:52 PM
to Ansible Project
You can try to add "serial: 1" to your play in your playbook, so if it fails to ssh to the first host, it won't try to connect to the 2nd host.
By default, it tries to connect to 5 hosts at a time, and usually that is enough to trigger the account to be locked.

Regards,
Tony Chia
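
The serial suggestion above combined with one vaulted credential shared by every host, as an added example that is not part of the original thread: the first batch is a single canary host, and the play stops there if its login is rejected. The account name svc_ansible, the variable name vault_ansible_password, the three-file layout and the placeholder password are assumptions for illustration, and group_vars/ is assumed to sit next to the inventory file or the playbook.

```yaml
---
# File: group_vars/all/vault.yml
# Encrypt in place with: ansible-vault encrypt group_vars/all/vault.yml
# Constructed placeholder value, not a real credential.
vault_ansible_password: "REPLACE-ME"

---
# File: group_vars/all/vars.yml (left unencrypted so the names stay greppable)
# Variables under group_vars/all apply to every inventory host, including
# when the run is narrowed with --limit.
ansible_user: svc_ansible                          # hypothetical account name
ansible_password: "{{ vault_ansible_password }}"   # resolved from the vault file

---
# File: site.yml
- name: Validate the SSH password on one host before touching the rest
  hosts: all
  # Batch 1 is a single canary host. If it is unreachable (for example
  # because the password was rejected), every host in that batch has
  # failed and Ansible aborts the play, so only one host sees a bad login.
  serial:
    - 1
    - "100%"
  # In the second batch, any failed or unreachable host ends the play
  # after the current task instead of letting the run continue.
  any_errors_fatal: true
  tasks:
    - name: Confirm login and a usable Python on the target
      ansible.builtin.ping:

# Run with:
#   ansible-playbook -i inventory site.yml --limit single_host --ask-vault-pass
```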

Michael Mullay

Oct 22, 2018, 9:49:28 PM
to ansible...@googlegroups.com
Libor,

I think what you are asking is if you can do something like this?

host1 password123
host2 password456
host3 password789

If so, then sure. Just put it in a tab-separated file and encrypt it with ansible-encrypt and use it like you would any other variables. You could probably use the csvfile module to call column 1 for user, column 2 for password.


