How can I provide the SSH user passwords for a set of hosts in ansible using vault

Gabriel Petrovay · Jun 21, 2018 · Viewed 7.2k times

Considering the following Ansible hosts file:

[webservers]        
server1.example.com ansible_ssh_pass=1234567
server2.example.com ansible_ssh_pass=2345678
server3.example.com ansible_ssh_pass=3456789

I would like to include these password values from a vault file and have a hosts file like (my intention is to have an ini inventory format):

[webservers]        
server1.example.com ansible_ssh_pass={{ ssh_pass }}
server2.example.com ansible_ssh_pass={{ ssh_pass }}
server3.example.com ansible_ssh_pass={{ ssh_pass }}

where the ssh_pass variable comes from vaulted files defined in the host_vars folder.

The relevant ansible folder structure looks like this:

playbook.yml
inventories/
  atlanta/
    group_vars/
    hosts
    host_vars/
      server1.example.com
      server2.example.com
      server3.example.com

But ansible is complaining:

[WARNING]:  * Failed to parse /root/hsm-ansible-deploy/inventories/atlanta/hosts with ini plugin: /root/hsm-ansible-deploy/inventories/atlanta/hosts:18: Expected key=value host variable assignment, got: ssh_pass

  • Why do I get the error?
  • How can I import passwords into the hosts file?

Answer

Gabriel Petrovay · Jun 21, 2018

As indicated by @techraf, this is only a syntax issue. The correct way of writing the ini hosts file is:

[webservers]        
server1.example.com ansible_ssh_pass="{{ ssh_pass }}"
server2.example.com ansible_ssh_pass="{{ ssh_pass }}"
server3.example.com ansible_ssh_pass="{{ ssh_pass }}"

But I also found a more elegant solution where the hosts file is even more elegant, by not providing the ansible_ssh_pass variable at all in hosts:

[webservers]        
server1.example.com
server2.example.com
server3.example.com

and using the group_vars/all to define this variable there:

---
ansible_ssh_pass: "{{ vault_ansible_ssh_pass }}"

where vault_ansible_ssh_pass is defined in each host's vaulted secrets file, like host_vars/server1.example.com:

---
vault_ansible_ssh_pass: "my secret password"

and then these files are encrypted using ansible-vault:

ansible-vault encrypt inventories/atlanta/host_vars/server*/vault --vault-password-file ~/.vault_pass.txt

where ~/.vault_pass.txt contains the ansible vault password in clear text.
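An added check (my example, not code from the question or answer) that approximates how the ini inventory plugin splits a host line on whitespace, so the unquoted {{ ssh_pass }} reproduces the "Expected key=value" error above, and that also flags ansible_ssh_pass values left in clear text and host_vars files that were never actually encrypted. The inventory text, the secret-variable list and the vault header sample are constructed for the example.

```python
import re
import shlex

# Constructed ini inventory with the three variants discussed above:
# unquoted Jinja (fails to parse), quoted Jinja (parses, no secret in
# the file) and a clear-text password (parses, but leaks the secret).
SAMPLE_INVENTORY = """\
[webservers]
server1.example.com ansible_ssh_pass={{ ssh_pass }}
server2.example.com ansible_ssh_pass="{{ ssh_pass }}"
server3.example.com ansible_ssh_pass=3456789
"""

# Connection variables that should never hold a literal value in inventory.
SECRET_KEYS = {"ansible_ssh_pass", "ansible_password",
               "ansible_become_pass", "ansible_become_password"}
# A value that is only a Jinja reference, e.g. "{{ ssh_pass }}".
TEMPLATE_RE = re.compile(r"\{\{\s*\w+\s*\}\}")


def check_host_line(line: str) -> list[str]:
    """Tokenise one host line the way the ini plugin does (shell-style
    splitting, quotes removed) and report findings for that host."""
    tokens = shlex.split(line)
    bad = [t for t in tokens[1:] if "=" not in t]   # tokens[0] is the host
    if bad:
        # The plugin aborts on the first token that is not key=value.
        return [f"parse error: expected key=value host variable "
                f"assignment, got: {bad[0]}"]
    findings = []
    for tok in tokens[1:]:
        key, value = tok.split("=", 1)
        if key in SECRET_KEYS and not TEMPLATE_RE.fullmatch(value.strip()):
            findings.append(f"clear-text secret in inventory: {key}")
    return findings


def audit_inventory(text: str) -> dict[str, list[str]]:
    """Map each host with findings to its list of findings."""
    results = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("[", "#", ";")):
            continue                      # section header, comment, blank
        findings = check_host_line(line)
        if findings:
            results[line.split()[0]] = findings
    return results


def vault_file_ok(content: str) -> bool:
    """True only if a host_vars secrets file is really vault-encrypted;
    every ansible-vault output starts with the $ANSIBLE_VAULT; header."""
    return content.startswith("$ANSIBLE_VAULT;")
```

Run audit_inventory over the real hosts file and vault_file_ok over every host_vars secrets file before committing an inventory; a plaintext vault file or a literal ansible_ssh_pass is exactly what ends up in the repository history otherwise.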