I am trying to set up Ansible to manage Linux boxes from different customers, and here is what we have to work with.
- No Pub key authentication - I wanted it as much as you do but it won't happen any time soon.
- We log in as root and each customer has a different root password for all Linux boxes. We are pushing to disable direct root login and do everything via sudo, but again, it will take some time.
I managed to create an Ansible vault file for each customer with ansible_ssh_user and ansible_ssh_pass in it, and the following playbook works fine.

    ---
    - hosts:
        - SERV01
        - SERV02
      vars_files:
        - roles/common/vault/main.yml
      tasks:
        - name: enable and start ntpd
          service: name=ntpd enabled=yes state=running

Now I would like to know how I can use vault files from the command line, but none of the following worked.

    ansible customer1 -m shell -a "var_files:roles/common/vault/main.yml uptime" --ask-vault-pass
    ansible customer1 -m shell -a "uptime" -e "vars_files:roles/common/vault/main.yml" --ask-vault-pass

What am I doing wrong?
Thanks
Finally I found out how to do this:

    ansible customer1 -e @group_vars/vault/customer1.yml --ask-vault-pass -m shell -a uptime

Now I can put ansible_ssh_user, ansible_ssh_pass and ansible_sudo_pass in a vault file and all I need to remember is the vault password. I hope that makes Ansible more enjoyable for you as well.
Thanks
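
The ad-hoc invocation from the answer above, wrapped in a guard that refuses to run when the per-customer vault file is missing or still in plaintext. This is an added example, not part of the original post; the function names and the VAULT_DIR and ANSIBLE_BIN variables are hypothetical, and the path layout follows the answer's group_vars/vault/<customer>.yml.

```shell
# Added example, not from the original post. Function names, VAULT_DIR and
# ANSIBLE_BIN are hypothetical; the path layout follows the answer's
# group_vars/vault/<customer>.yml.
VAULT_DIR="${VAULT_DIR:-group_vars/vault}"
ANSIBLE_BIN="${ANSIBLE_BIN:-ansible}"

# True only if the file's first line is an Ansible Vault header such as
# "$ANSIBLE_VAULT;1.1;AES256", i.e. the credentials are not in plaintext.
is_vault_encrypted() {
    [ -f "$1" ] || return 1
    local first=""
    IFS= read -r first < "$1" || true
    case "$first" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# vault_adhoc CUSTOMER MODULE [ARGS]
# Runs the answer's ad-hoc command for one customer, refusing to proceed if
# the customer name could escape VAULT_DIR or the vault file is unencrypted.
vault_adhoc() {
    local customer="$1" module="$2" args="${3:-}"
    case "$customer" in
        ''|*[!A-Za-z0-9_-]*)
            echo "invalid customer name: $customer" >&2; return 2 ;;
    esac
    local vault_file="$VAULT_DIR/$customer.yml"
    if ! is_vault_encrypted "$vault_file"; then
        echo "refusing: $vault_file is missing or not vault-encrypted" >&2
        return 3
    fi
    # Extra vars (-e) take the highest variable precedence, so the vaulted
    # connection credentials override anything set in inventory.
    if [ -n "$args" ]; then
        "$ANSIBLE_BIN" "$customer" -e "@$vault_file" --ask-vault-pass -m "$module" -a "$args"
    else
        "$ANSIBLE_BIN" "$customer" -e "@$vault_file" --ask-vault-pass -m "$module"
    fi
}
```

After sourcing the file, `vault_adhoc customer1 shell uptime` runs the same command as in the answer.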
I'm not certain whether Ansible can do that. If it can't, one way to do it is