How can I provide the SSH user passwords for a set of hosts in ansible using vault

ansible ansible-inventory ansible-vault
Gabriel Petrovay picture Gabriel Petrovay · Jun 21, 2018 · Viewed 7.2k times · Source

Considering the following Ansible hosts file:

[webservers]        
server1.example.com ansible_ssh_pass=1234567
server2.example.com ansible_ssh_pass=2345678
server3.example.com ansible_ssh_pass=3456789

I would like to include these password values from a vault file and have a hosts file like (my intention is to have an ini inventory format):

[webservers]        
server1.example.com ansible_ssh_pass={{ ssh_pass }}
server2.example.com ansible_ssh_pass={{ ssh_pass }}
server3.example.com ansible_ssh_pass={{ ssh_pass }}

where the sss_pass variable comes from vaulted files defined in host_vars folder.

The relevant ansible folder structure looks like this:

playbook.yml
inventories/
  atlanta/
    group_vars/
    hosts
    host_vars/
      server1.example.com
      server2.example.com
      server3.example.com

But ansible is complaining:

[WARNING]:  * Failed to parse /root/hsm-ansible-deploy/inventories/atlanta/hosts with ini plugin: /root/hsm-ansible-deploy/inventories/atlanta/hosts:18: Expected key=value host variable assignment, got: ssh_pass
  • Why do I get the error?
  • How can I import passwords into the hosts file?

Answer

Gabriel Petrovay picture Gabriel Petrovay · Jun 21, 2018

As indicated by @techraf this is only a syntax issue. The correct way of writing the ini hosts file is:

[webservers]        
server1.example.com ansible_ssh_pass="{{ ssh_pass }}"
server2.example.com ansible_ssh_pass="{{ ssh_pass }}"
server3.example.com ansible_ssh_pass="{{ ssh_pass }}"

But I also found a more elegant solution where the hosts file is even more elegant, by not providing the ansible_ssh_pass variable at all in hosts:

[webservers]        
server1.example.com
server2.example.com
server3.example.com

and using the group_vars/all to define this variable there:

---
ansible_ssh_pass: "{{ vault_ansible_ssh_pass }}"

where vault_ansible_ssh_pass is defined in each of the hosts secrets vaulted files like host_vars/server1.example.com

---
vault_ansible_ssh_pass: "my secret password"

and then these files are encrypted using ansible-vault:

ansible-vault encrypt inventories/atlanta/host_vars/server*/vault --vault-password-file ~/.vault_pass.txt

where ~/.vault_pass.txt contains in clear text the ansible vault password.

Related questions

Accessing inventory host variable in Ansible playbook

In Ansible 2.1, I have a role being called by a playbook that needs access to a host file variable. Any thoughts on how to access it? I am trying to access the ansible_ssh_host in the test1 section of …

Read More
Ansible - read inventory hosts and variables to group_vars/all file

I have a dummy doubt that keeps me stuck for a long time. I have a very banal inventory file with hosts and variables: [lb] 10.112.84.122 [tomcat] 10.112.84.124 [jboss5] 10.112.84.122 ... [tests:children] lb tomcat jboss5 [default:children] tests [tests:vars] data_base_user=…

Read More
Ansible provisioning ERROR! Using a SSH password instead of a key is not possible

I would like to provision with my three nodes from the last one by using Ansible. My host machine is Windows 10. My Vagrantfile looks like: Vagrant.configure("2") do |config| (1..3).each do |index| config.vm.define "node#{index}" do |node| node.…

Read More