Ansible - User Create Module - Not working with Vault


Jeremey Wise

Feb 9, 2021, 9:00:34 AM2/9/21
to Ansible Project

Still learning Ansible... but I think this is a feature request / maybe a bug?

Hoping there is a workaround.

Goal: Create a user on a CentOS host with membership of the wheel group, an ssh key and a provided password, but NOT store the password in plain text within Ansible.

I am using vault, where I encrypt a password and save it in my global variables file.

Ex: /group_vars/all.yml    ansible-vault encrypt_string  'Password' --name 'vault_cluster_ssh_password'

# Add the above output to all.yml, and above it add a line to create a usable variable for the username
vault_cluster_ssh: cluster  # Account used for inter-node cluster tasks
vault_cluster_ssh_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          643939363138613738326434363632366636393131666432323134336332623463393061643730323461386536636<snip>6363234


Now.. I want to use that in a playbook

- name: Add the user 'cluster' with a bash shell, appending the group 'wheel' and generate ssh key for hosts "{{ target_hosts }}"
  user:
    name: '{{ vault_cluster_ssh }}'
    shell: /bin/bash
    groups: wheel
    state: present
    generate_ssh_key: yes
    ssh_key_bits: 2048
    ssh_key_file: .ssh/id_rsa
    createhome: no
    password: "{{ vault_cluster_ssh_password | string | password_hash('sha512') }}"
    # password: '{{  Password  | string | password_hash('sha512') }}'

The commented line works, but the use of the variable does not. All examples I have found still use clear-text passwords to create users, which is not allowed and bad form.
What I don't get is why they are shoving the output directly into '/etc/shadow' if you call to create a user... so you have to use the password_hash component. Why would the user add module not just take your "password variable" as an input parameter and use the OS "passwd" binary? Why is it shoving things directly into files with a manual hash? There may be a reason, but this then creates the above issue where I cannot call the input as a variable that leverages the standard vault call.

Hoping there is a better way to do this / a workaround someone has.
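An added example (not from the original post) showing the same vault-backed user creation written so the task is idempotent and the hash stays out of the logs. It assumes group_vars/all.yml defines vault_cluster_ssh (username), vault_cluster_ssh_password and a third vaulted string, vault_cluster_ssh_salt, all produced with ansible-vault encrypt_string.

```yaml
---
# Constructed example playbook; variable names vault_cluster_ssh,
# vault_cluster_ssh_password and vault_cluster_ssh_salt are assumed to
# come from group_vars/all.yml as !vault strings.
- name: Create cluster service account from vaulted credentials
  hosts: "{{ target_hosts }}"
  become: true
  tasks:
    - name: Add user {{ vault_cluster_ssh }} with a sha512 crypt hash
      user:
        name: "{{ vault_cluster_ssh }}"
        shell: /bin/bash
        groups: wheel
        append: true          # add to wheel without removing other groups
        state: present
        create_home: true     # generate_ssh_key writes under the home dir
        generate_ssh_key: true
        ssh_key_bits: 2048
        ssh_key_file: .ssh/id_rsa
        # password_hash takes the plaintext from vault and emits the
        # $6$ crypt string that lands in /etc/shadow. A fixed salt
        # (up to 16 chars from [a-zA-Z0-9./], itself vaulted) keeps the
        # hash identical on every run, so the task does not report
        # "changed" each time the playbook executes.
        password: "{{ vault_cluster_ssh_password | string
                      | password_hash('sha512', vault_cluster_ssh_salt) }}"
        # Only set the password when the account is first created;
        # a password later changed on the host is left alone.
        update_password: on_create
      no_log: true            # keep the hash out of task output
```

Without the fixed salt, password_hash generates a new random salt each run, the computed hash differs from the one in /etc/shadow, and the module rewrites it every time.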

Jeremey Wise

Feb 9, 2021, 5:43:41 PM2/9/21
to Ansible Project
Correction: 

This was an error where I was trying too many things and did not re-test with all correct variables set.

This does work:
A co-worker pointed out to dump the password out as a variable, and I saw it was being read in wrong as I changed things several times to test.
############

Antony Stone

Feb 9, 2021, 5:48:58 PM2/9/21
to ansible...@googlegroups.com
On Tuesday 09 February 2021 at 23:43:41, Jeremey Wise wrote:

> Correction:
>
> This was an error where I was trying too many things and did not re-test
> with all correct variables set.
>
> This does work:
> Co-worker pointed out to dump password out as variable and I saw it was
> read that in wrong as I changed several times to test things
> ############

For the benefit of future visitors to this forum / archive, please could you
make clear what you did need to do differently so that things worked as
expected / required.

That way, at least some people will not have to ask the same question again :)

Thanks,


Antony.

--
I conclude that there are two ways of constructing a software design: One way
is to make it so simple that there are _obviously_ no deficiencies, and the
other way is to make it so complicated that there are no _obvious_
deficiencies.

- C A R Hoare

Please reply to the list;
please *don't* CC me.

Jeremey Wise

Feb 9, 2021, 11:18:15 PM2/9/21
to ansible...@googlegroups.com
Sorry for not being clear.

What I did... was... nothing. No code change from the code posted.

I use Visual Studio Code... and did not save the file between changes before running the test, which then gave back a false "failure"... and so I kept trying other things.

The below code works.
From the global variables file /group_vars/all.yml:
vault_nut_ssh: nut  # Account used for UPS services, client and server side
vault_nut_ssh_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          643963626666<snip3330613639316532350a373634653566326338636565346539663366646338303861623030326263
          3532

User create, in this case "nut" for UPS monitoring:
# Setup "nut" user as both client and server need it
- name: Add the user 'nut' with a bash shell, appending the group 'wheel' and generate ssh key for hosts "{{ target_hosts }}"
  user:
    name: '{{ vault_nut_ssh }}'
    shell: /bin/bash
    groups: wheel
    state: present
    generate_ssh_key: yes
    ssh_key_bits: 2048
    ssh_key_file: .ssh/id_rsa
    createhome: yes
    password: "{{ vault_nut_ssh_password | string | password_hash('sha512') }}"
Jeremey Wise

Feb 10, 2021, 8:08:21 AM2/10/21
to ansible...@googlegroups.com

Bruce M.

Mar 2, 2021, 6:16:24 PM3/2/21
to Ansible Project

That page may have been deprecated because I believe the same instructions are found in the FAQs now:
