
Storing Passwords with Ansible Vault


In this lesson, we're going to update our Ansible configuration to handle the case where managed nodes have different become passwords. We'll change the become password on one of our nodes, update the ansible.cfg file, create an Ansible Vault to store the passwords in encrypted form, modify the inventory to reference those stored passwords, and adjust a playbook to reflect these changes.

By the end of this lesson, you'll understand how to manage a different become password for each host you manage without ever writing those passwords into your inventory or playbooks in clear text.

Understanding Ansible Vault for Secure User Management

Ansible Vault is the built-in way to handle sensitive information in your Ansible projects. It encrypts data such as passwords or keys so that such material is never stored in plain text in your playbooks or repository. The encrypted file can be committed alongside your playbooks; only the vault password (or password file) has to be kept out of the repository.

ansible-vault Commands

Run ansible-vault --help and you'll see that the utility offers several subcommands for managing encrypted data: create, decrypt, edit, encrypt, encrypt_string, rekey and view.

Each subcommand serves a specific purpose (rekey, for example, changes the vault password without touching the contents; encrypt_string encrypts a single value that you can paste into an otherwise plain YAML file). In this lesson we use create to make our Ansible Vault.

Update Password for managed-node-2

First, we need a scenario where not all the become passwords are the same. Right now, your lab environment should be using the same password, password123, for your user account on every node. SSH into managed-node-2 and change that password to password12. This simulates an environment where --ask-become-pass is not viable: the password you type at that prompt is used for every host in the play, so it would fail on any node whose password differs.

SSH into managed-node-2

ssh managed-node-2

Enter the command below to update the user's password:

passwd

Enter password12 as the new password, confirm it, then exit the SSH session with the exit command to return to the Ansible Controller.

Update ansible.cfg

Back on the Ansible Controller, update ansible.cfg: set ask_vault_pass = True under the [defaults] header and comment out the old [privilege_escalation] section with become_ask_pass. With ask_vault_pass enabled, Ansible prompts for the vault password on every run, so you don't need to pass --ask-vault-pass each time; become_ask_pass is no longer wanted because the become passwords will come from the vault instead of a single prompt. For unattended runs (CI jobs, cron), the alternative is vault_password_file = /path/to/file under [defaults], with that file readable only by the user running Ansible (chmod 600) and never committed next to the vault it unlocks.

Remember, we created an ansible.cfg.example file earlier in the course where you can see every configuration option for the installed version of Ansible.

Update your ansible.cfg file as follows:

[defaults]
inventory = ~/code/inventory
ask_vault_pass = True

#[privilege_escalation]
#become_ask_pass = True

Create an Ansible Vault

Create an Ansible Vault named secret.yml to store your become passwords securely. This allows you to have unique become passwords for each node.

Run the following command:

ansible-vault create secret.yml

When prompted, enter the lab password, password123, as the vault password to avoid confusion. (In a real environment the vault password must be a strong secret kept out of the repository: anyone who obtains secret.yml can test password guesses against it offline.) ansible-vault then opens the file in your default editor, vi/vim unless $EDITOR says otherwise. In vim, press i to enter insert mode, type the following content, then press Esc, type :wq and press Enter to save and close the editor:

become_passwords:
  managed_node_1: 'password123'
  managed_node_2: 'password12'
  ansible_controller: 'password123'

After you close the editor, you can cat the file, but you'll get the encrypted envelope rather than the clear-text passwords. The first line records the vault format version and cipher; everything after it is hex-encoded ciphertext:

paulh@ansible-controller:~$ cat secret.yml
$ANSIBLE_VAULT;1.1;AES256
39383734636338656362323439636433373637353637336531373538323936396330356133316434
3866303965336235643538323363643766633165316439620a393165353462376165373037393730
32633666373530333764643963333134356165306264663636353361626333306438383662636133
6538633437303938390a353937383235646466316665396531646634386134383263373261306339
65613735356563313630383539313537633331656539313863386432373862393036656135386533
31383435343264373562323261323733366239666262616366613131383835346533386531343161
31353432613331363432633037346565653266623161373934383738643065363034636633303664
34643835386630316462356332643136373433356330343338646261323836323634646432333637
31643331356337366661336233663264396438643061376538373430363961393430363139616362
3031646634663932613433313935383466313934653538633266

If you want to inspect the file, use ansible-vault view (read-only) or ansible-vault edit (which decrypts into the editor and re-encrypts on save); both prompt for the vault password:

paulh@ansible-controller:~$ ansible-vault view secret.yml
Vault password:
become_passwords:
  managed_node_1: 'password123'
  managed_node_2: 'password12'
  ansible_controller: 'password123'
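To make the encrypted output above less opaque, here is an added example (written for this page; it is neither the lesson's code nor Ansible's own implementation) that parses the vault envelope and checks a candidate vault password against the HMAC stored inside it. It assumes the layout of Ansible's VaultAES256 format: a header line, then the hex-encoded body wrapped at 80 columns; the body, once unhexed, is hex(salt), hex(HMAC-SHA256 tag) and hex(AES-256-CTR ciphertext) joined by newlines; key material comes from PBKDF2-HMAC-SHA256 over the vault password with the 32-byte salt, 10,000 iterations and 80 output bytes, split into AES key, HMAC key and IV. The standard library has no AES, so the script stops at HMAC verification, which is enough to tell a right password from a wrong one without producing plaintext. That is exactly what an attacker holding secret.yml does, one PBKDF2 run per guess, which is why password123 is a lab-only vault password. The PAGE_SAMPLE constant is the lesson's own cat secret.yml output; the envelope built in the test uses constructed ciphertext bytes rather than real AES output.

```python
"""Added example: parse an Ansible Vault envelope and test a vault password
against its HMAC tag. Independent re-implementation of the assumed format:
  header   $ANSIBLE_VAULT;1.1;AES256            (format 1.2 appends ;<vault-id>)
  body     hex( hex(salt) + '\n' + hex(tag) + '\n' + hex(ciphertext) ), 80 cols
  keys     PBKDF2-HMAC-SHA256(password, salt, 10000 iters, 80 bytes)
           -> AES-256 key (32) | HMAC-SHA256 key (32) | CTR IV (16)
  tag      HMAC-SHA256(hmac_key, ciphertext)
"""
import binascii
import hashlib
import hmac
import textwrap

VAULT_MAGIC = "$ANSIBLE_VAULT"
PBKDF2_ITERATIONS = 10000  # fixed in Ansible; cheap enough to brute-force offline
SALT_LEN = 32

# Copied from the `cat secret.yml` output in the lesson above.
PAGE_SAMPLE = """\
$ANSIBLE_VAULT;1.1;AES256
39383734636338656362323439636433373637353637336531373538323936396330356133316434
3866303965336235643538323363643766633165316439620a393165353462376165373037393730
32633666373530333764643963333134356165306264663636353361626333306438383662636133
6538633437303938390a353937383235646466316665396531646634386134383263373261306339
65613735356563313630383539313537633331656539313863386432373862393036656135386533
31383435343264373562323261323733366239666262616366613131383835346533386531343161
31353432613331363432633037346565653266623161373934383738643065363034636633303664
34643835386630316462356332643136373433356330343338646261323836323634646432333637
31643331356337366661336233663264396438643061376538373430363961393430363139616362
3031646634663932613433313935383466313934653538633266
"""


def parse_vault(text):
    """Split a vault file into header fields, salt, HMAC tag and ciphertext."""
    lines = text.strip().splitlines()
    fields = lines[0].split(";")
    if fields[0] != VAULT_MAGIC or fields[1] not in ("1.1", "1.2") or fields[2] != "AES256":
        raise ValueError("unsupported vault header: %r" % lines[0])
    payload = binascii.unhexlify("".join(lines[1:]))   # strip the outer hex layer
    salt_hex, tag_hex, ct_hex = payload.split(b"\n")  # three inner hex fields
    return {
        "version": fields[1],
        "cipher": fields[2],
        "vault_id": fields[3] if len(fields) > 3 else None,
        "salt": binascii.unhexlify(salt_hex),
        "hmac": binascii.unhexlify(tag_hex),
        "ciphertext": binascii.unhexlify(ct_hex),
    }


def derive_keys(password, salt):
    """Stretch the vault password into AES key, HMAC key and CTR IV."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   PBKDF2_ITERATIONS, dklen=80)
    return material[:32], material[32:64], material[64:80]


def verify_password(text, password):
    """True if `password` reproduces the HMAC tag stored in the vault file."""
    vault = parse_vault(text)
    _, hmac_key, _ = derive_keys(password, vault["salt"])
    tag = hmac.new(hmac_key, vault["ciphertext"], hashlib.sha256).digest()
    return hmac.compare_digest(tag, vault["hmac"])


def guess_password(text, candidates):
    """Offline guessing against the tag: what an attacker holding the file does."""
    for candidate in candidates:
        if verify_password(text, candidate):
            return candidate
    return None


def build_envelope(salt, ciphertext, password, vault_id=None):
    """Wrap an already-encrypted body in a vault envelope (writer side of the
    format). Called in the test with constructed bytes in place of AES output."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    _, hmac_key, _ = derive_keys(password, salt)
    tag_hex = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest().encode("ascii")
    inner = b"\n".join([binascii.hexlify(salt), tag_hex, binascii.hexlify(ciphertext)])
    body = binascii.hexlify(inner).decode("ascii")
    header = [VAULT_MAGIC, "1.2" if vault_id else "1.1", "AES256"]
    if vault_id:
        header.append(vault_id)
    return ";".join(header) + "\n" + "\n".join(textwrap.wrap(body, 80)) + "\n"


if __name__ == "__main__":
    sample = parse_vault(PAGE_SAMPLE)
    print("format %s, salt %d B, tag %d B, ciphertext %d B = %d AES blocks" % (
        sample["version"], len(sample["salt"]), len(sample["hmac"]),
        len(sample["ciphertext"]), len(sample["ciphertext"]) // 16))
    print("'password123' opens the lesson's vault:",
          verify_password(PAGE_SAMPLE, "password123"))
```

As a consistency check on the assumed layout: the YAML shown by ansible-vault view is 117 bytes including the trailing newline, PKCS7 padding takes it to 128 bytes, and 128 bytes (eight AES blocks) is exactly the ciphertext length the parser extracts from the lesson's sample.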

Update the Inventory File

Now that we have created our Ansible Vault, we need to modify the inventory so that each managed node references its own password variable from the vault. Open the inventory file:

nano ~/code/inventory

Update the inventory so that each host sets the ansible_become_pass variable to a reference to its entry under become_passwords, rather than to the password itself:

Server Academy Members Only

Sorry, this lesson is only available to Server Academy Full Access members. Become a Full-Access Member now and you’ll get instant access to all of our courses.
