need some help with a password in a vault


Brad Van Orden

Nov 14, 2018, 12:23:39 PM
to Ansible Project
I have a group of CentOS 7 servers that I want to run a playbook against to set up audit and rsyslog.  The systems are currently set up for root ssh with password.  One of the later tasks will be to turn off root ssh access, but for now, just need to figure out how to use a vault password file for connection.  I created a vault-pw-file with: 
echo 'vautl-passw' > vault-pw-file

I then created an encrypted copy of the root password with: 
ansible-vault encrypt_string --vault-id my_user@~/vault-pw-file 'root-password' --name 'bb_root' > vault_passwd

I have in my ~/ansible.cfg:
[defaults]
inventory = $HOME/hosts
vault_password_file = $HOME/vault_passwd

I'm not quite following the documentation about how to actually use the vault password file.  If I run:
ansible all -m debug --vault-id my_user@~/vault-pw-file

It gives me a success and "hello world" for each host.  If I run:
ansible all -m ping --vault-id my_user@~/vault-pw-file

it says failed to connect to host via ssh.

Sorry, I'm just not following the vault documentation.  :(

Andrew Latham

Nov 14, 2018, 12:45:14 PM
to ansible...@googlegroups.com
At first glance I think you are missing a "-e" on the command line and setting the password correctly for the connection with "ansible_ssh_pass=" in your vault file. The user should be defaulting to root but you can set that also.


--
- Andrew "lathama" Latham -

Brad Van Orden

Nov 15, 2018, 6:28:08 AM
to Ansible Project
I don't think I'm missing an '-e?'  My understanding is that "ansible_ssh_pass" is a plain text password.  I was trying to avoid having it sit on the file system unencrypted.  I ran: 
ansible --ask-pass all -a "/bin/date"

and that worked fine.  I'm trying to figure out how to use the vault to store and provide the root password.  That part I am not quite understanding from the docs.

Thanks!
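
An added example, not part of the thread and not from the Ansible project: one way to wire the vaulted string from the first post to the SSH connection password, so that no plaintext password sits on disk. The file location group_vars/all/vault.yml is an assumption, and the ciphertext shown is a placeholder.

```yaml
# group_vars/all/vault.yml  (assumed location; any vars file loaded for the hosts works)
#
# bb_root is the output of the encrypt_string command from the first post,
# written to this file instead of to a separate vault_passwd file.
# The ciphertext is a placeholder, not real output.
bb_root: !vault |
  $ANSIBLE_VAULT;1.2;AES256;my_user
  <hex ciphertext lines written by ansible-vault encrypt_string>

# Connection variables: ansible_ssh_pass is read by the ssh connection plugin,
# so the vaulted value only reaches SSH once it is assigned to that name.
ansible_user: root
ansible_ssh_pass: "{{ bb_root }}"

# Decryption needs the vault password, i.e. the file created with echo
# (vault-pw-file), passed the same way as in the thread:
#   ansible all -m ping --vault-id my_user@~/vault-pw-file
# If ansible.cfg sets vault_password_file instead, it has to name that same
# file, not the file holding the encrypt_string output.
# Password-based SSH from the control node also requires sshpass to be installed.
```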