
How can I specify multiple users and passwords in Ansible vault file?

I have created hosts:

sudo cat /etc/ansible/hosts
[Prospectorium]
192.168.1.50
[Scholarium]
192.168.1.60
[Bulwark]
192.168.1.70

And a playbook that should update those servers:

sudo cat /home/overlord/ansible/apt.yml
- hosts: all
  become: yes
  tasks:
  - name: Update and upgrade apt packages.
    apt:
      update_cache: yes
      upgrade: full
      autoremove: yes
      autoclean: yes
      cache_valid_time: 43200

Each of those 3 hosts has a different username and password:

prospectorium
prospectorium123

scholarium
scholarium123

bulwark
bulwark123

So now my question: How can I securely pass login information when I run a playbook?

I tried creating a vault file, but that can contain only one password and no username, so that is not applicable to me.

There are more options. You might want to try the host_vars and group_vars first.

1. host_vars

It seems the symbolic names are the names of the hosts rather than the names of the groups. See Inventory basics: formats, hosts, and groups. In this case, the inventory file might be

shell> cat hosts
Prospectorium ansible_host=192.168.1.50 ansible_user=prospectorium
Scholarium ansible_host=192.168.1.60 ansible_user=scholarium
Bulwark ansible_host=192.168.1.70 ansible_user=bulwark

Put the passwords into the host_vars

shell> cat host_vars/Prospectorium.yml 
ansible_password: prospectorium123
shell> cat host_vars/Bulwark.yml 
ansible_password: bulwark123
shell> cat host_vars/Scholarium.yml 
ansible_password: scholarium123

Test it

shell> ansible-inventory -i hosts --list --yaml
all:
  children:
    ungrouped:
      hosts:
        Bulwark:
          ansible_host: 192.168.1.70
          ansible_password: bulwark123
          ansible_user: bulwark
        Prospectorium:
          ansible_host: 192.168.1.50
          ansible_password: prospectorium123
          ansible_user: prospectorium
        Scholarium:
          ansible_host: 192.168.1.60
          ansible_password: scholarium123
          ansible_user: scholarium

If this is what you want, encrypt the passwords. See details in Encrypting content with Ansible Vault.

shell> ansible-vault encrypt host_vars/Prospectorium.yml 
Encryption successful
shell> ansible-vault encrypt host_vars/Scholarium.yml
Encryption successful
shell> ansible-vault encrypt host_vars/Bulwark.yml
Encryption successful

You can see that the files were encrypted and the ansible-inventory command shows the same result.

shell> cat host_vars/Prospectorium.yml 
$ANSIBLE_VAULT;1.1;AES256
64316362396261663735333239653163366630313463636262393735356139376536346665383334
3865663166623862363832326231363362666263643536390a396239373737363133313332623539
...

Test the structure in a playbook. For example the playbook below

shell> cat pb.yml
- hosts: all
  gather_facts: false
  tasks:
    - debug:
        msg: |-
          ansible_user: {{ ansible_user }}
          ansible_password: {{ ansible_password }}

gives

shell> ansible-playbook -i hosts pb.yml 

PLAY [all] ***********************************************************************************

TASK [debug] *********************************************************************************
ok: [Prospectorium] => 
  msg: |-
    ansible_user: prospectorium
    ansible_password: prospectorium123
ok: [Scholarium] => 
  msg: |-
    ansible_user: scholarium
    ansible_password: scholarium123
ok: [Bulwark] => 
  msg: |-
    ansible_user: bulwark
    ansible_password: bulwark123

PLAY RECAP ***********************************************************************************
Bulwark                    : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
Prospectorium              : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
Scholarium                 : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

You can add other variables into the encrypted files in host_vars if you want to.

2. group_vars

An elegant option is putting the data into group_vars/all.yml. For example

shell> cat group_vars/all.yml
passwords:
  Bulwark: bulwark123
  Prospectorium: prospectorium123
  Scholarium: scholarium123

users:
  Bulwark: bulwark
  Prospectorium: prospectorium
  Scholarium: scholarium

ansible_password: "{{ passwords[inventory_hostname] }}"
ansible_user: "{{ users[inventory_hostname] }}"

Encrypt group_vars/all.yml

shell> ansible-vault encrypt group_vars/all.yml
Encryption successful

Remove the host_vars and users from hosts

shell> cat hosts
Prospectorium ansible_host=192.168.1.50
Scholarium ansible_host=192.168.1.60
Bulwark ansible_host=192.168.1.70

The same playbook gives the same result

shell> ansible-playbook -i hosts pb.yml 

PLAY [all] ******************************************************************************************

TASK [debug] ****************************************************************************************
ok: [Prospectorium] => 
  msg: |-
    ansible_user: prospectorium
    ansible_password: prospectorium123
ok: [Scholarium] => 
  msg: |-
    ansible_user: scholarium
    ansible_password: scholarium123
ok: [Bulwark] => 
  msg: |-
    ansible_user: bulwark
    ansible_password: bulwark123

PLAY RECAP ******************************************************************************************
Bulwark                    : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
Prospectorium              : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
Scholarium                 : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0 

3. vars

You can put the variables into any file you want to and include them in a playbook. For example, remove all the host_vars and group_vars from the previous examples and put the file into the directory vars

shell> cat vars/ansible_ssh_vars.yml
passwords:
  Bulwark: bulwark123
  Prospectorium: prospectorium123
  Scholarium: scholarium123

users:
  Bulwark: bulwark
  Prospectorium: prospectorium
  Scholarium: scholarium

ansible_password: "{{ passwords[inventory_hostname] }}"
ansible_user: "{{ users[inventory_hostname] }}"

Encrypt the file

shell> ansible-vault encrypt vars/ansible_ssh_vars.yml 
Encryption successful

Include the file in a playbook. For example, the playbook below gives the same result

shell> cat pb.yml
- hosts: all
  gather_facts: false
  vars_files:
    - vars/ansible_ssh_vars.yml
  tasks:
    - debug:
        msg: |-
          ansible_user: {{ ansible_user }}
          ansible_password: {{ ansible_password }}
