ansible_ssh_pass and ansible_become_pass in a non-interactive way


surender rajasekaran

May 8, 2022, 10:03:51 AM5/8/22
to Ansible Project

I'm currently working on Ansible to automate a few server infrastructure activities, and I would like to specify --ask-pass and --ask-become-pass for Ansible in a non-interactive way.


My Scenario:


  • When I run the command below, I get the expected output after manually providing the SSH and BECOME passwords.

ansible-playbook ping.yml --ask-pass --ask-become-pass -i hosts -c paramiko

  • When I tried executing the command below, with the ansible_ssh_pass and ansible_become_pass details placed in the inventory file, it works fine in a non-interactive way.

ansible-playbook ping.yml -i hosts -c paramiko

$ ansible-playbook ping.yml -i hosts -c paramiko

PLAY [all] *******************************************************************************************

TASK [Gathering Facts] *******************************************************************************************

ok: [*************.com]

TASK [ping] *******************************************************************************************

ok: [*************.com]

PLAY RECAP *******************************************************************************************

**************.com : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0



But in the above method the credentials are exposed, and I feel it is not a best practice. Is there any possible way to handle both ansible_ssh_pass and ansible_become_pass in a non-interactive way other than having the credential details in the inventory file?

Ansible version : 2.9.9

OS : Linux

Brian Coca

May 9, 2022, 9:28:12 AM5/9/22
to Ansible Project
Use a vaulted file with the variables or inline vaults.

https://docs.ansible.com/ansible/latest/user_guide/vault.html


--
----------
Brian Coca

Christian Schoepplein

May 9, 2022, 9:41:55 AM5/9/22
to ansible...@googlegroups.com
On Sun, May 08, 2022 at 07:03:51AM -0700, surender rajasekaran wrote:
>I'm currently working on Ansible to automate a few server infrastructure
>activities, and I would like to specify --ask-pass and --ask-become-pass for Ansible
>in a non-interactive way.


Same here...

> • When I tried executing the command below, with the ansible_ssh_pass
> and ansible_become_pass details placed in the inventory file, it works fine in a
> non-interactive way.
>
>ansible-playbook ping.yml -i hosts -c paramiko

[...]

>
>But in the above method the credentials are exposed, and I feel it is not a
>best practice.


If you manage your inventory files via git or another version control
system, it's a no-go to store the plain-text password in the inventory file.

>Is there any possible way to handle both the ansible_ssh_pass
>and ansible_become_pass in non interactive way other than having the
>credential details in inventory file?

See for example here:

<https://theorangeone.net/posts/ansible-vault-bitwarden/#setting-up-ansible>

There, ansible-vault is used or, and that's the way we want to do it,
Bitwarden as an external source for sensitive data. I've also managed to
encrypt sensitive information with sops; that's another possibility if ansible-vault
cannot be used or you don't want to use it.

Unfortunately there seems to be a bug in Ansible versions <2.10.8 where
reading out the ansible_become_pass via a script does not seem to work; at least
I cannot get it to run as described on the page mentioned above.

In my ansible.cfg file I have the following:

[defaults]
...
# the section must be named [defaults]; the documented key is become_password_file
# (check `ansible-config list` for BECOME_PASSWORD_FILE on your version)
become_password_file = ./become-password.sh

The become-password.sh script, which is stored in the same directory as the
ansible.cfg file and which has the permissions to be executed, looks like
this:

-----
#!/bin/bash

set -e

bw get password "Ansible User"
-----

The script returns the ansible_become_pass from Bitwarden, so the script is
OK, but ansible itself does unfortunately not (yet) execute the script :-(.

Maybe this gives you an idea of how to deal with sensitive data and the
ansible_become_pass.

There are also other methods:

- Store your ansible_become_pass in an environment variable and include this
variable in every call of ansible-playbook or ansible:

export ANSIBLE_BECOME_PASSWORD=yourpassword
ansible-playbook -i inventories/test/inventory playbooks/debug.yml \
-e ansible_become_password='{{ lookup("env", "ANSIBLE_BECOME_PASSWORD") }}'

Or go the way it is described here if ansible vault is an option for you
(I've used sops for this) and combine it with the way it is described in my
first link:

<https://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html#keep-vaulted-variables-safely-visible>

Hope all this helps, and I hope I can find out why a script which is
configured in ansible.cfg for the ansible_become_pass entry is not
executed...

cheers,

Schoepp
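
As an added example, not code from either reply, from the linked blog post, or from the Ansible project: the layout both answers point at (a vault-encrypted group_vars file referenced from plain variables, with executable *_password_file scripts that fetch the secrets from Bitwarden), plus a pre-commit style check that refuses a tree which still carries a literal ansible_ssh_pass / ansible_become_pass, which is the exposure the original question is about. The host name, user, Bitwarden item names and paths are assumptions, and the scripts that call bw are written but never executed here. One caveat on the environment-variable route above: an exported ANSIBLE_BECOME_PASSWORD ends up in the shell history and in the environment of every child process, so the executable password-file approach is preferable where the Ansible version supports it.

```shell
#!/bin/sh
# Added example, not code from the thread, the blog post, or the Ansible
# project.  It lays out a project in which ansible_password /
# ansible_become_password never sit in the plain-text inventory, and a
# pre-commit style check that refuses a tree which still carries them.
# Hostname, user, Bitwarden item names and all paths are assumptions.
set -eu

# Variables that count as credentials: the old names (ansible_ssh_pass,
# ansible_become_pass, ...) and the current aliases (ansible_password, ...).
CRED_RE='ansible_(ssh_pass|password|become_pass|become_password|sudo_pass|su_pass)[[:space:]]*[:=]'

# Writes an executable script that prints one password from Bitwarden.
# Ansible runs an executable *_password_file and uses its stdout as the
# secret, so no password is stored on disk or in the environment.
write_bw_script() {
  cat > "$1" <<EOF
#!/bin/sh
set -eu
bw get password "$2"
EOF
  chmod 700 "$1"
}

setup_project() {
  dir="$1"
  mkdir -p "$dir/inventories/test" "$dir/group_vars/all"

  # The inventory carries hosts only.
  printf '[all]\nhost1.example.com\n' > "$dir/inventories/test/hosts"

  # "Keep vaulted variables safely visible": plain vars point at vault_* ones.
  cat > "$dir/group_vars/all/main.yml" <<'EOF'
ansible_user: deploy
ansible_password: "{{ vault_ansible_password }}"
ansible_become_password: "{{ vault_ansible_become_password }}"
EOF

  # The actual secrets; encrypt before committing:
  #   ansible-vault encrypt group_vars/all/vault.yml
  cat > "$dir/group_vars/all/vault.yml" <<'EOF'
vault_ansible_password: change-me
vault_ansible_become_password: change-me
EOF
  chmod 600 "$dir/group_vars/all/vault.yml"

  # The section must be [defaults]; a [default] section is ignored.  The
  # become/connection options exist only in newer ansible-core (verify with
  # `ansible-config list`); vault_password_file works on 2.9 as well.
  cat > "$dir/ansible.cfg" <<'EOF'
[defaults]
inventory = ./inventories/test/hosts
vault_password_file = ./vault-password.sh
become_password_file = ./become-password.sh
connection_password_file = ./become-password.sh
EOF
  write_bw_script "$dir/vault-password.sh" "Ansible Vault"
  write_bw_script "$dir/become-password.sh" "Ansible User"
}

# True when the whole file is vault-encrypted (first line is the header).
is_vaulted() {
  head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;'
}

# Prints one line per violation and nothing for a clean tree.  Paths are
# assumed not to contain whitespace (true for the layout above).
plaintext_cred_lines() {
  for f in $(find "$1" -type f \( -path '*/inventories/*' -o -path '*/group_vars/*' -o -path '*/host_vars/*' \)); do
    if is_vaulted "$f"; then continue; fi
    case "$(basename "$f")" in
      vault.yml|vault.yaml) echo "$f: vault file is not encrypted"; continue ;;
    esac
    grep -E "$CRED_RE" "$f" | while IFS= read -r line; do
      # Value after the last credential key on the line, leading quote removed.
      value=$(printf '%s\n' "$line" | sed -E "s/.*$CRED_RE[[:space:]]*//; s/^[\"']//")
      case "$value" in
        '{{'*|'!vault'*) ;;    # reference to a vaulted var or inline vault: fine
        *) echo "$f: plaintext credential: $line" ;;
      esac
    done
  done
}

# Exit 0 when clean, 1 otherwise; suitable as a git pre-commit hook.
check_no_plaintext_creds() {
  out=$(plaintext_cred_lines "$1")
  [ -z "$out" ] || { printf '%s\n' "$out" >&2; return 1; }
}

# Demo: the fresh layout fails until vault.yml is actually encrypted.
demo=$(mktemp -d)
setup_project "$demo"
if check_no_plaintext_creds "$demo"; then echo "clean"; else echo "refusing commit"; fi
if command -v ansible-vault >/dev/null 2>&1 &&
   printf 'demo-only-password\n' > "$demo/.vault-pw" &&
   ansible-vault encrypt --vault-password-file "$demo/.vault-pw" \
     "$demo/group_vars/all/vault.yml" >/dev/null 2>&1; then
  if check_no_plaintext_creds "$demo"; then echo "clean after ansible-vault encrypt"; fi
fi
rm -rf "$demo"
```

To use the check as a hook, call `check_no_plaintext_creds "$(git rev-parse --show-toplevel)"` from .git/hooks/pre-commit; it passes once group_vars/all/vault.yml is a real vault (first line `$ANSIBLE_VAULT;...`) and every remaining credential variable is either a `{{ vault_* }}` reference or an inline `!vault` block.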
