Encrypted Password in Playbook


Srinivas Naram

Jan 21, 2020, 1:07:21 AM
to Ansible Project
Hi All,

I am trying to use an Ansible Vault encrypted password in my playbook and don't see clear documentation on how to use it.

Here is what I did so far -

In ansible.cfg I have set the 'vault_password_file'. 

I have all my playbooks in a directory called devplaybooks. I have created a sub-directory named 'vault' in the devplaybooks directory and executed the following command:

ansible-vault create passwords

Contents in passwords file : ansible_password= secret123

In my inventory file I have created host vars

[<hostIP>:vars]
ansible_user=root
ansible_password=!vault



When I execute the playbook it throws up an error

TASK [Gathering Facts] ****************************************************************************************
fatal: [<hostIP>]: UNREACHABLE! => {"changed": false, "msg": "Invalid/incorrect username/password. Authentication failed.", "unreachable": true}



When I change the host vars to the following, the playbook executes successfully:


[<hostIP>:vars]
ansible_user=root
ansible_password= secret123



Can you please help me figure out my mistake or point me to the right documentation? How does my playbook know my password file?

Vladimir Botka

Jan 21, 2020, 3:17:12 AM
to Srinivas Naram, ansible...@googlegroups.com
On Mon, 20 Jan 2020 22:07:21 -0800 (PST)
Srinivas Naram <sriniva...@gmail.com> wrote:

> In my inventory file I have created host vars
>
> [<hostIP>:vars]
> ansible_user=root
> ansible_password=!vault

The encrypted value of the variable is missing. See "Use encrypt_string to
create encrypted variables to embed in yaml".
https://docs.ansible.com/ansible/latest/user_guide/vault.html#use-encrypt-string-to-create-encrypted-variables-to-embed-in-yaml

-vlado

Srinivas Naram

Jan 21, 2020, 5:02:03 AM
to Vladimir Botka, ansible...@googlegroups.com
Hello Vladimir,

Thanks for your reply.

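I am trying to maintain the password (encrypted using ansible-vault) and my playbook (clear-text) in separate files. If I understand correctly, the below URL is suggesting to encrypt the password string and copy the same in my playbook.

https://docs.ansible.com/ansible/latest/user_guide/vault.html#use-encrypt-string-to-create-encrypted-variables-to-embed-in-yaml
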
Am I reading this correctly? Please help.

Stefan Hornburg (Racke)

Jan 21, 2020, 5:10:50 AM
to ansible...@googlegroups.com
On 1/21/20 11:01 AM, Srinivas Naram wrote:
> Hello Vladimir,
>
> Thanks for your reply.
>
> I am trying to maintain password (encrypted using ansible-vault) and my playbook (clear-text) in separate files. If I
> understand correctly the below URL is suggesting to encrypt the password string and copy the same in my playbook.
>
> https://docs.ansible.com/ansible/latest/user_guide/vault.html#use-encrypt-string-to-create-encrypted-variables-to-embed-in-yaml 
>
> Am I reading this correctly? Please help.

You can definitely include encrypted_variables in your inventory files, but you need to use YAML syntax.

Regards
Racke



--
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.


Vladimir Botka

Jan 21, 2020, 6:18:19 AM
to Srinivas Naram, ansible...@googlegroups.com
On Tue, 21 Jan 2020 15:31:33 +0530
Srinivas Naram <sriniva...@gmail.com> wrote:

> I am trying to maintain password (encrypted using ansible-vault) and my
> playbook (clear-text) in separate files.

Below is a step-by-step scenario:

1) Let's assume the vault password has been configured properly (you have set
the 'vault_password_file' in ansible.cfg). Let's use a global variable here.
For example

$ set | grep VAULT
ANSIBLE_VAULT_PASSWORD_FILE=/home/admin/.vault_pass.txt

See "Providing Vault Passwords"
https://docs.ansible.com/ansible/latest/user_guide/vault.html#providing-vault-passwords

2) Create a file foo.yml with variable(s). Encrypt the file. See the content.

$ cat foo.yml
test_var1: secret1
$ ansible-vault encrypt foo.yml
$ cat foo.yml
$ANSIBLE_VAULT;1.1;AES256
39333766363735373133663263613063313331326263373433353434653566663439623366373338
6438306562323262363965653336653362616136366439620a326533316463346437373066333433
30353336623733303762613639636138336666366631386531633064323733313936663831393731
3036633964323235310a613766346633613765643832306539346137613731663865636564636164
61303534393363616263666564636366303861623131306536316432383230393736
$ ansible-vault view foo.yml
test_var1: secret1

See "Encrypting Unencrypted Files"
https://docs.ansible.com/ansible/latest/user_guide/vault.html#encrypting-unencrypted-files

3) Create inventory (fit the groups and hosts to your needs)

$ cat hosts
[test]
test_01

4) Put the encrypted file into the directory host_vars (fit the host to your
needs)

$ mkdir -p host_vars/test_01
$ mv foo.yml host_vars/test_01/

5) Create and run playbook. See the variable was successfully decrypted.

$ cat test.yml
- hosts: test_01
  tasks:
    - debug:
        var: test_var1
$ ansible-playbook test.yml
ok: [test_01] => { "test_var1": "secret1" }

There are many variations on how to handle vault variables. If you have trouble,
report a minimal, complete, reproducible example.


HTH,

-vlado

Srinivas Naram

Jan 21, 2020, 9:35:46 AM
to Vladimir Botka, ansible...@googlegroups.com
Hello Vladimir

I have followed exactly same steps mentioned above and I see different errors now. 

My steps

- Set the Ansible Vault password file Env variable
- Create the vault encrypted file
- Create directories and copy files in specific location. My dir structure
    playbooks
       |- vault
              |-testing.yml
              |-host_vars
                   |- 192.168.249.107
                        |- test.yml

I get the following error

Error - ERROR! failed to combine variables, expected dicts but got a 'dict' and a 'AnsibleUnicode':{} "testing123:sensitive"

When I change the directory structure in host_vars to groupname
playbooks
       |- vault
              |-testing.yml
              |-host_vars
                   |- ansible_enddevice_2
                        |- test.yml

I get a different message

ok: [ 192.168.249.107 ] => { "testing123": "VARIABLE IS NOT DEFINED!" }

My inventory file structure

[ansible_enddevice_2]
192.168.249.107


Srinivas Naram

Jan 21, 2020, 11:14:24 PM
to Vladimir Botka, ansible...@googlegroups.com
Any suggestions would be greatly appreciated.

Srinivas Naram

Jan 23, 2020, 3:49:31 AM
to ansible...@googlegroups.com
Suggestions please.

Srinivas Naram

Jan 24, 2020, 6:52:12 AM
to ansible...@googlegroups.com
Ok, I found the solution myself. Group or host variables should have a different directory. There is no need for an explicit mention such as <include vars> in the playbook; just create a directory called group_vars or host_vars in the directory where the playbook is placed.

These directories will have files with the variables you want to define. The file structure should be in yml format.
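
An added example, not part of any post in this thread: a small Python lint for three mistakes that surface above, namely a bare `!vault` or cleartext `ansible_password` in an INI inventory, a `host_vars` directory named after something that is not an inventory host, and a vars file that was never encrypted. The function names, the constructed sample project, and the policy that every file under `host_vars`/`group_vars` is whole-file encrypted are assumptions.

```python
import re
from pathlib import Path

# First line written by ansible-vault, e.g. "$ANSIBLE_VAULT;1.1;AES256" (optional vault-id label)
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;\d+\.\d+;AES256(;\S+)?$")
PASSWORD_KEY = re.compile(r"\bansible_(?:ssh_)?pass(?:word)?\s*=\s*(\S*)")

def parse_ini_inventory(text):
    """Return (hosts, groups, findings) for a simple INI inventory."""
    hosts, groups, findings, kind = set(), set(), [], ""
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):  # [group], [group:vars] or [group:children]
            name, _, kind = line.strip("[]").partition(":")
            groups.add(name)
            continue
        m = PASSWORD_KEY.search(line)
        if m:  # report the line only, never echo the value itself
            why = "bare !vault tag, no ciphertext" if m.group(1) == "!vault" else "cleartext password"
            findings.append(f"inventory line {n}: {why}")
        if kind == "":  # lines in :vars / :children sections are not hosts
            hosts.add(line.split()[0])
    return hosts, groups, findings

def lint_project(root):
    """Check the inventory and the host_vars/group_vars directories beside the playbook."""
    root = Path(root)
    hosts, groups, findings = parse_ini_inventory((root / "hosts").read_text())
    for kind, known in (("host_vars", hosts), ("group_vars", groups | {"all"})):
        base = root / kind
        for entry in (sorted(base.iterdir()) if base.is_dir() else []):
            if re.sub(r"\.(ya?ml|json)$", "", entry.name) not in known:
                findings.append(f"{kind}/{entry.name}: no such {kind[:-5]} in inventory")
            files = [entry] if entry.is_file() else sorted(p for p in entry.rglob("*") if p.is_file())
            for f in files:
                with f.open(errors="replace") as fh:
                    if not VAULT_HEADER.match(fh.readline().strip()):
                        findings.append(f"{f.relative_to(root).as_posix()}: not vault-encrypted")
    return findings

def build_sample(root):
    """Constructed project that repeats the mistakes reported in the thread."""
    Path(root, "hosts").write_text("[ansible_enddevice_2]\n192.168.249.107\n\n"
                                   "[ansible_enddevice_2:vars]\nansible_user=root\nansible_password=!vault\n")
    d = Path(root, "host_vars", "ansible_enddevice_2")
    d.mkdir(parents=True)
    (d / "test.yml").write_text("testing123: placeholder\n")
```

Calling `build_sample()` on an empty directory and then `lint_project()` on it returns one finding per mistake; moving the vars file to `group_vars/ansible_enddevice_2/` and encrypting it with `ansible-vault encrypt` clears the last two.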

