Storing Passwords with Ansible Vault
In this lesson, we're going to update our Ansible configuration to handle scenarios where managed nodes have different become passwords. We'll change the become password for one of our nodes, update the ansible.cfg file, create an Ansible Vault to securely store these passwords, modify the inventory to use these stored passwords, and adjust a playbook to reflect these changes.
By the end of this lesson, you'll understand how to manage different become passwords across multiple nodes securely, as well as how to specify a different become password for each host you manage.
Understanding Ansible Vaults for Secure User Management
Ansible Vaults are essential for securely handling sensitive information in your Ansible projects. They provide a way to encrypt data like passwords or keys, ensuring that such critical information is not exposed in your playbooks or stored in plain text.
Ansible-Vault Commands
If you execute the ansible-vault --help command, you'll see that this utility offers several subcommands for managing your encrypted data:
Each command serves a specific purpose, providing flexibility and security in managing sensitive data. In this lesson, we are going to use create to make our Ansible Vault.
Update Password for managed-node-2
First, we need to create a scenario where not all the become passwords are the same. Right now, your lab environment should be using the same password123 password across all nodes for your user account. SSH into managed-node-2 and update its password to password12. This simulates an environment where --ask-become-pass is not viable, because that option prompts for a single password and applies it to every host.
SSH into managed-node-2:
ssh managed-node-2
Enter the command below to update the user's password:
passwd
Enter password12 as the new password, confirm it, then exit the SSH session with the exit command to return to the Ansible Controller.
Update ansible.cfg
Back at the Ansible Controller, update the ansible.cfg file to ask for the vault password under the [defaults] header and comment out the old become_ask_pass section. This way, you don't need to pass --ask-vault-pass every time you run a playbook.
Remember, we created an ansible.cfg.example file earlier, where you can see every configuration option available for our current version of Ansible.
Update your ansible.cfg file as follows:
[defaults]
inventory = ~/code/inventory
ask_vault_pass = True
#[privilege_escalation]
#become_ask_pass = True
Create an Ansible Vault
Create an Ansible Vault named secret.yml to store your become passwords securely. This allows you to have a unique become password for each node.
Run the following command:
ansible-vault create secret.yml
When prompted, enter our lab password to avoid confusion: password123. The file will open in the vim editor: press 'i' to go into edit mode, add the content below, then press ':' followed by 'wq' and Enter to save and close the editor when you're done.
become_passwords:
  managed_node_1: 'password123'
  managed_node_2: 'password12'
  ansible_controller: 'password123'
After you close the editor, you can try to cat that file, but you'll get the encrypted data instead of the clear text passwords:
paulh@ansible-controller:~$ cat secret.yml
$ANSIBLE_VAULT;1.1;AES256
39383734636338656362323439636433373637353637336531373538323936396330356133316434
3866303965336235643538323363643766633165316439620a393165353462376165373037393730
32633666373530333764643963333134356165306264663636353361626333306438383662636133
6538633437303938390a353937383235646466316665396531646634386134383263373261306339
65613735356563313630383539313537633331656539313863386432373862393036656135386533
31383435343264373562323261323733366239666262616366613131383835346533386531343161
31353432613331363432633037346565653266623161373934383738643065363034636633303664
34643835386630316462356332643136373433356330343338646261323836323634646432333637
31643331356337366661336233663264396438643061376538373430363961393430363139616362
3031646634663932613433313935383466313934653538633266
If you want to inspect the file, you can use the view or edit subcommands of ansible-vault:
paulh@ansible-controller:~$ ansible-vault view secret.yml
Vault password:
become_passwords:
  managed_node_1: 'password123'
  managed_node_2: 'password12'
  ansible_controller: 'password123'
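To see what the encrypted output of cat secret.yml actually contains, here is an added example; it is my own code, not part of the lesson or of Ansible, and it uses only the Python standard library. The layout it assumes is Ansible's 1.1/AES256 vault format: a header line, then a hex-encoded body that decodes to three newline-separated hex strings (a 32-byte salt, the HMAC-SHA256 of the ciphertext, and the AES-256-CTR ciphertext of the PKCS#7-padded YAML), with the AES key, HMAC key and IV derived from the vault password by PBKDF2-HMAC-SHA256 over 10000 iterations. The sample text in the block is the lesson's own cat output copied verbatim; the function names are mine. The is_vault_encrypted helper is the kind of check you would put in a pre-commit hook so that a plaintext secret.yml never reaches version control.

```python
"""Parse the $ANSIBLE_VAULT envelope that `cat secret.yml` prints.

Added example; not code from the lesson or from Ansible itself. Standard
library only. Layout assumed (Ansible vault format 1.1, cipher AES256):
  line 1 : $ANSIBLE_VAULT;<version>;AES256[;<vault-id, format 1.2 only>]
  body   : hex( salt_hex <newline> hmac_hex <newline> ciphertext_hex )
salt is 32 random bytes, hmac is HMAC-SHA256 over the raw ciphertext, and
ciphertext is AES-256-CTR over the PKCS#7-padded YAML. Key material is
PBKDF2-HMAC-SHA256(password, salt, 10000 iterations, 80 bytes), split as
key1 (32, AES) | key2 (32, HMAC) | iv (16, CTR nonce).
"""
import binascii
import hashlib
import hmac

# The lesson's own `cat secret.yml` output, reproduced verbatim.
SAMPLE_VAULT = """$ANSIBLE_VAULT;1.1;AES256
39383734636338656362323439636433373637353637336531373538323936396330356133316434
3866303965336235643538323363643766633165316439620a393165353462376165373037393730
32633666373530333764643963333134356165306264663636353361626333306438383662636133
6538633437303938390a353937383235646466316665396531646634386134383263373261306339
65613735356563313630383539313537633331656539313863386432373862393036656135386533
31383435343264373562323261323733366239666262616366613131383835346533386531343161
31353432613331363432633037346565653266623161373934383738643065363034636633303664
34643835386630316462356332643136373433356330343338646261323836323634646432333637
31643331356337366661336233663264396438643061376538373430363961393430363139616362
3031646634663932613433313935383466313934653538633266
"""

PBKDF2_ITERATIONS = 10000


def is_vault_encrypted(text: str) -> bool:
    """Header check suitable for a pre-commit hook: refuse to commit a
    secret.yml that does not start with the vault marker."""
    return text.startswith("$ANSIBLE_VAULT;")


def parse_vault(text: str) -> dict:
    """Split a vault file into its header fields and raw binary components."""
    lines = text.strip().splitlines()
    fields = lines[0].strip().split(";")
    if len(fields) < 3 or fields[0] != "$ANSIBLE_VAULT":
        raise ValueError("not an Ansible Vault file")
    version, cipher = fields[1], fields[2]
    if cipher != "AES256":
        raise ValueError(f"unsupported cipher {cipher!r}")
    vault_id = fields[3] if len(fields) > 3 else None  # present only in 1.2
    body = binascii.unhexlify("".join(line.strip() for line in lines[1:]))
    parts = body.split(b"\n", 2)
    if len(parts) != 3:
        raise ValueError("body does not contain salt, hmac and ciphertext")
    salt, mac, ciphertext = (binascii.unhexlify(p) for p in parts)
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return {"version": version, "cipher": cipher, "vault_id": vault_id,
            "salt": salt, "hmac": mac, "ciphertext": ciphertext}


def derive_keys(password: str, salt: bytes):
    """Stretch the vault password into (aes_key, hmac_key, iv)."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                  PBKDF2_ITERATIONS, dklen=80)
    return derived[:32], derived[32:64], derived[64:80]


def hmac_matches(parsed: dict, password: str) -> bool:
    """The integrity check ansible-vault performs before decrypting: the
    stored HMAC must equal HMAC-SHA256(key2, ciphertext). False means the
    password is wrong or the file was altered. Nothing is decrypted here."""
    _, hmac_key, _ = derive_keys(password, parsed["salt"])
    expected = hmac.new(hmac_key, parsed["ciphertext"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, parsed["hmac"])


if __name__ == "__main__":
    parsed = parse_vault(SAMPLE_VAULT)
    print(f"format {parsed['version']}, cipher {parsed['cipher']}")
    print(f"salt {len(parsed['salt'])} bytes, hmac {len(parsed['hmac'])} bytes, "
          f"ciphertext {len(parsed['ciphertext'])} bytes "
          f"({len(parsed['ciphertext']) // 16} AES blocks)")
    # password123 is the vault password the lesson uses for this file.
    print("hmac verifies with lesson password:", hmac_matches(parsed, "password123"))
    print("plain YAML passes header check:", is_vault_encrypted("become_passwords:\n"))
```

Running it reports the three component sizes: the 128-byte ciphertext is the four-line YAML shown by ansible-vault view, PKCS#7-padded up to eight AES blocks. The HMAC check is the same step ansible-vault runs before decrypting, which is why a wrong vault password is rejected as a decryption failure rather than producing garbage. Note that the salt is stored in the clear, so the strength of the file rests entirely on the vault password; protect it as carefully as the become passwords it guards.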
Update the Inventory File
Now that we have created our Ansible Vault, we need to modify our inventory so that each managed node references the matching variable inside the vault. Let's open our inventory file:
nano ~/code/inventory
Update your inventory file to add the variable references for our secret passwords to each host, using the ansible_become_pass directive: