How to use encrypted password within a playbook

I am trying to implement Ansible at work. We have thousands of servers and I have the same user ID and password on all those servers. I am able to encrypt my password using sha512 but am not sure how to use that encrypted password in the playbook itself (so that I can avoid exchanging keys).

  • Stosh O
    08-31-2018

    Hi Aditya,

    Are you trying to use the password to have your Ansible user authenticate to the servers, or are you using the password in some other application?

  • Aditya P
    08-31-2018

    Hi @scoldham,
    I want to use the password to authenticate into other servers.

  • Stosh O
    08-31-2018

    Unfortunately, there is no standard way to perform machine authentication in Ansible playbooks using encrypted files.

    Per the Ansible documentation:

    When speaking with remote machines, Ansible by default assumes you are using SSH keys. SSH keys are encouraged but password authentication can also be used where needed by supplying the option --ask-pass. If using sudo features and when sudo requires a password, also supply --ask-become-pass (previously --ask-sudo-pass which has been deprecated).

  • Aditya P
    08-31-2018

    [user@theputta1 playbooks]$ ansible-playbook test.yml --ask-pass
    [DEPRECATION WARNING]: DEFAULT_SUDO_USER option, In favor of Ansible Become, which is a generic framework. See become_user. , use become instead. This feature
    will be removed in version 2.8. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
    SSH password:
    [DEPRECATION WARNING]: Instead of sudo/sudo_user, use become/become_user and make sure become_method is 'sudo' (default). This feature will be removed in
    version 2.6. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
    PLAY [all] ****************************************************************************************************************************************************
    TASK [Gathering Facts] ****************************************************************************************************************************************
    fatal: [theputta2.mylabserver.com]: FAILED! => {"changed": false, "module_stderr": "Shared connection to theputta2.mylabserver.com closed.\r\n", "module_stdout
    ": "sudo: a password is required\r\n", "msg": "MODULE FAILURE", "rc": 1}
    fatal: [theputta3.mylabserver.com]: FAILED! => {"changed": false, "module_stderr": "Shared connection to theputta3.mylabserver.com closed.\r\n", "module_stdout
    ": "sudo: a password is required\r\n", "msg": "MODULE FAILURE", "rc": 1}
    fatal: [theputta1.mylabserver.com]: FAILED! => {"changed": false, "module_stderr": "Shared connection to theputta1.mylabserver.com closed.\r\n", "module_stdout
    ": "sudo: a password is required\r\n", "msg": "MODULE FAILURE", "rc": 1}
    [WARNING]: Could not create retry file '/etc/ansible/playbooks/test.retry'. [Errno 13] Permission denied: u'/etc/ansible/playbooks/test.retry'
    PLAY RECAP ****************************************************************************************************************************************************
    theputta1.mylabserver.com : ok=0 changed=0 unreachable=0 failed=1
    theputta2.mylabserver.com : ok=0 changed=0 unreachable=0 failed=1
    theputta3.mylabserver.com : ok=0 changed=0 unreachable=0 failed=1
    [user@theputta1 playbooks]$



  • Aditya P
    08-31-2018

    @scoldham I couldn't authenticate even with --ask-pass (I am assuming that I don't need sudo access).

    playbook: https://bitbucket.org/snippets/theputta/zed9jq

  • Aditya P
    08-31-2018

    Update: for some reason the sudo flag resolved the issue.
