read password from a variable


Veera

Mar 9, 2023, 12:58:08 PM
to Ansible Project
While sourcing a profile file, I have to enter a password in my play.

my_pwd: hiddenpass

- name: source the environment variable file
  shell: "source ./myenv"

While executing I am prompted for a password,
so I am using the expect module to pass the password:

- name: Case insensitive password string match
  ansible.builtin.expect:
    command: source ./myenv
    responses:
      (?i)password: "{{ my_pwd }}"
  # you don't want to show passwords in your logs
  no_log: true

It fails with the below error:
fatal: [127.0.0.1]: FAILED! => {
    "censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result",
    "changed": false
}


If I set no_log: false, then I receive the below error:
"msg": "Failed to import the required Python library (pexpect)


Is there any other way/module to read the password from the variable?


dulh...@mailbox.org

Mar 9, 2023, 1:07:27 PM
to ansible...@googlegroups.com
I am not sure, but am wondering whether maybe the remote host needs to be able to import the required Python library (pexpect) for this to work ... can that be it?
 
 

Avinash Jadhav

Mar 9, 2023, 1:16:59 PM
to ansible...@googlegroups.com
You can try this one
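# vars_prompt is a play-level keyword, so it sits beside hosts and tasks
- name: Prompt for password
  hosts: all  # placeholder target
  vars_prompt:
    - name: my_pwd
      prompt: "Enter your password"
      private: true
  tasks:
    - name: Source the environment variable file
      shell: "source ./myenv"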



- name: Retrieve password from Ansible Vault
  shell: "ansible-vault view my_password_file --vault-password-file ~/.vault_pass.txt"
  register: password_output

- name: Source the environment variable file
  shell: "source ./myenv"
  environment:
    MY_PASSWORD: "{{ password_output.stdout }}"
Avinash Jadhav
Is there any other way/module to read the password from the variable ?

Yes, there are several ways to read a password from a variable in a secure manner. One common method is to use the getpass module in Python.

The getpass module provides a way to securely prompt the user for a password without echoing the characters typed to the screen. Here's an example of how to use it:

python
import getpass
password = getpass.getpass(prompt='Enter your password: ')

When this code runs, the user will be prompted to enter their password, but the characters they type will not be displayed on the screen. The password will be stored in the password variable.

Another way to securely store passwords is to use an encryption library like cryptography or pycryptodome. These libraries provide methods for encrypting and decrypting sensitive information, including passwords.

However, it's important to keep in mind that no method is 100% foolproof, and there is always some risk involved when handling sensitive information like passwords. It's always a good idea to follow best practices for password security, such as storing passwords in a secure password manager, using strong and unique passwords, and using two-factor authentication whenever possible.

Avinash Jadhav
Is there any other way/module to read the password from the variable using the Ansible

Yes, there are several ways to securely read a password from a variable in Ansible. Here are some options:

  1. Ansible Vault: Ansible Vault is a built-in feature that allows you to encrypt sensitive data, such as passwords and keys, in your inventory or playbook files. You can use the ansible-vault command to encrypt and decrypt files containing sensitive data. To read the password from an encrypted variable, you can use the ansible-vault command to decrypt the file containing the variable and then read the variable value.

  2. Ansible Credential Plugin: Ansible has a built-in credential plugin system that allows you to securely store and retrieve credentials, such as passwords and keys, from a variety of sources, including Hashicorp Vault, CyberArk, and more. To use a credential plugin to read a password from a variable, you can define the credential in your inventory or playbook and then use the lookup function to retrieve the password.

  3. Environment Variables: You can store sensitive data, such as passwords and keys, in environment variables and then read the variable value in your playbook using the lookup function. To ensure the security of the password, you should encrypt the environment variable using an external tool, such as ansible-vault or a third-party encryption tool.

  4. Python Script: You can write a custom Python script that reads the password from a file or another secure source, and then use the script module in Ansible to run the script and retrieve the password value.

Each of these options has its own pros and cons, so it's important to choose the one that best suits your use case and security requirements.

Avinash Jadhav
my_pwd: hiddenpass

- name: source the environment variable file
  shell: "source ./myenv"

while executing i am prompted with a password so I am using the expect module to pass the password

- name: Case insensitive password string match
  ansible.builtin.expect:
    command: source ./myenv
    responses:
      (?i)password: "{{ my_pwd }}"
  # you don't want to show passwords in your logs
  no_log: true

it fails with below error:
fatal: [127.0.0.1]: FAILED! => { "censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false }

if i set no_log: false , then i receive the below error
"msg": "Failed to import the required Python library (pexpect)

Is there any other way/module to read the password from the variable ?

Yes, there are other ways to read a password from a variable in Ansible without using the expect module.

One way is to use the vars_prompt module to prompt the user for the password at runtime. Here's an example:

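yaml
# vars_prompt is a play-level keyword, so it sits beside hosts and tasks
- name: Prompt for password
  hosts: all  # placeholder target
  vars_prompt:
    - name: my_pwd
      prompt: "Enter your password"
      private: true
  tasks:
    - name: Source the environment variable file
      shell: "source ./myenv"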

When this playbook runs, the user will be prompted to enter their password, and the value will be stored in the my_pwd variable. The private: true option ensures that the password is not displayed on the screen as it is being entered.

Another option is to store the password in an encrypted file using Ansible Vault and then use the ansible-vault command to retrieve the value at runtime. Here's an example:




Veera

Mar 10, 2023, 10:39:17 AM
to Ansible Project
It's a problem with the "pexpect" module requirement, and it worked after "pip3 install pexpect".
However, now "source ./myenv" is not working:

msg": "The command was not found or was not executable: source"

Since source is a shell inbuilt command, is there a way to overcome it?
I tried multiple options ..


@avinash: Please re-format your above post with indent.


Also, when the command "source ./myenv" runs, it waits for the password,
because the file myenv is written to accept a password before sourcing.

So I have to read the password which is already stored in {{ my_pwd }}. Here password_output.stdout is my my_pwd.
Do you mean MY_PASSWORD is a variable to me from my myenv file?


- name: Source the environment variable file
  shell: "source ./myenv"
  environment:
    MY_PASSWORD: "{{ password_output.stdout }}"



Antony Stone

Mar 10, 2023, 10:45:06 AM
to ansible...@googlegroups.com
On Friday 10 March 2023 at 16:39:17, Veera wrote:

> Its a problem with "pexpect" module requirement and it worked after "pip3
> install pexpect".
> However , now "source ./myenv" is not working
>
> msg": "The command was not found or was not executable: source"
>
> Since source is a shell inbuilt command . Is there a way to overcome it ?
> I tried multiple options ..

"source" is a Bash built-in, but are you sure the remote machine is using Bash
as its shell?

If it's a modern Debian (or derivative) machine and it's using /bin/sh,
that's Dash, not Bash, and Dash does not have the "source" command.


Antony.

--
The Free Software Foundation Europe was formed on this day in 2001
https://fsfe.org

Please reply to the list;
please *don't* CC me.

Todd Lewis

Mar 10, 2023, 10:57:26 AM
to Ansible Project
Even if it worked, its effects will go away as soon as the shell running it closes. It won't persist to another task.

Veera

Mar 10, 2023, 11:23:21 AM
to Ansible Project
Yes.. I use Ubuntu 22, but when executed manually source exists.
It fails when called through the playbook with the mentioned error.

@Todd: Will it exist until the next play executes in the same playbook?
I require the processed source variables for the next play (only).
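
The points raised in the replies above (the builtin "source" needs a real shell, and a sourced environment ends with the task that ran it), combined into one playbook. This is an added example, not code posted by anyone in the thread; `hosts: all` is a placeholder and `use_env.sh` is a hypothetical script.

```yaml
# Added example, not from the thread. Assumes my_pwd is already defined
# (for instance in an ansible-vault encrypted vars file), that ./myenv prompts
# with text containing "password", and that pexpect is installed on the target.
- name: Source the password-protected env file and keep its variables
  hosts: all
  tasks:
    - name: Source ./myenv under bash and dump the resulting environment
      ansible.builtin.expect:
        # expect runs the command without a shell, so the builtin "source"
        # must be wrapped in an explicit bash invocation.
        command: /bin/bash -c 'source ./myenv && env'
        responses:
          (?i)password: "{{ my_pwd }}"
      register: sourced
      changed_when: false
      no_log: true   # the registered output holds the whole environment

    - name: Turn the KEY=value lines into a dictionary fact
      # The split filter needs ansible-core 2.11 or later; lines that are not
      # KEY=value (the prompt itself, multi-line values) are dropped.
      ansible.builtin.set_fact:
        myenv_vars: >-
          {{ dict(sourced.stdout_lines
                  | select('match', '^[A-Za-z_][A-Za-z0-9_]*=')
                  | map('split', '=', 1)) }}
      no_log: true

    - name: A later task sees the variables only because they are passed explicitly
      ansible.builtin.command: ./use_env.sh   # hypothetical consumer script
      environment: "{{ myenv_vars }}"

# set_fact values stay attached to the host for the rest of the playbook run,
# so a following play on the same hosts can reuse them.
- name: Next play
  hosts: all
  gather_facts: false
  tasks:
    - name: Use the sourced variables again
      ansible.builtin.command: ./use_env.sh   # hypothetical consumer script
      environment: "{{ myenv_vars }}"
```

The password travels over the pseudo-terminal that expect opens rather than on the command line, and `no_log: true` on both the expect and set_fact tasks keeps the dumped environment out of the task output.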