How to set and use sudo password for Ansible Vault

How to specify sudo password for Ansible at the cli (method # 1)

How can I set a sudo password for Ansible from the Linux or Unix CLI? How can I store the sudo password in a vault file and use it securely without exposing my details? You can create encrypted passwords with Ansible and use them in your playbooks. You need to pass the --extra-vars variable to ansible-playbook. Let us see two different methods to deal with the sudo password.

The syntax is:

ansible-playbook -i inventory my.yml \
    --extra-vars 'ansible_become_pass=YOUR-PASSWORD-HERE'

From a security perspective, passing the password as a CLI argument is not a good idea, since it ends up in your shell history and is visible to other users in the process list. Hence, you can force ansible-playbook to ask for the password:

ansible-playbook --ask-sudo-pass -i inventory my.yml

The --ask-sudo-pass option has been deprecated in favor of the "become" command line arguments, so run:

ansible-playbook --ask-become-pass -i inventory my.yml

A note about specifying ssh username and password at the CLI

The syntax is:

ansible-playbook -i inventory my.yml \
    --extra-vars 'ansible_ssh_pass=YOUR-SSH-PASSWORD-HERE' \
    --extra-vars 'ansible_ssh_user=YOUR-SSH-USERNAME-HERE'

OR

ansible-playbook -i inventory my.yml -u YOUR-SSH-USERNAME-HERE \
    --extra-vars 'ansible_ssh_pass=YOUR-SSH-PASSWORD-HERE'

Here is my sample inventory file:

[cluster:vars]
k_ver="linux-image-4.13.0-26-generic"
# ssh login user
ansible_user=vivek
# use sudo
ansible_become=yes
ansible_become_method=sudo

[cluster]
www1
www2
www3
db1
db2
cache1
cache2

Here is my my.yml file:

---
- hosts: cluster
  tasks:
    - name: Updating host using apt
      apt:
        update_cache: yes
        upgrade: dist
    - name: Update kernel to specific version
      apt:
        name: "{{ k_ver }}"
        state: latest
    - name: Clean unwanted older stuff
      apt:
        autoremove: yes
        purge: yes

I ran the command as follows:

ansible-playbook --ask-become-pass -i inventory my.yml



How to store and use sudo password in a vault (method # 2)

First update your inventory file as follows:

[cluster:vars]
k_ver="linux-image-4.13.0-26-generic"
# ssh login user
ansible_user=vivek
# use sudo
ansible_become=yes
ansible_become_method=sudo
ansible_become_pass='{{ my_cluser_sudo_pass }}'

[cluster]
www1
www2
www3
db1
db2
cache1
cache2

Next, create a new encrypted data file named passwd.yml by running the following command:

$ ansible-vault create passwd.yml

Set a password for the vault. After providing the password, the tool will start whatever editor you have defined in $EDITOR. Add the following line:

my_cluser_sudo_pass: your_sudo_password_for_remote_servers

Save and close the file in vi/vim. Finally, run the playbook as follows:

$ ansible-playbook -i inventory --ask-vault-pass --extra-vars '@passwd.yml' my.yml

How to edit my encrypted file again

ansible-vault edit passwd.yml

How to change password for my encrypted file

ansible-vault rekey passwd.yml
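As an added example (not the article's own commands): the same method #2 setup done non-interactively with a vault password file, which is what an unattended run on a CI runner or from cron needs, plus two checks worth running before the playbook: that passwd.yml really is encrypted and that the vault password file is private. Both ansible-vault and ansible-playbook accept --vault-password-file; the file names .vault_pass and passwd.yml and the constructed secrets are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes ansible-vault is
# installed and a Linux/BSD userland; the file names .vault_pass and passwd.yml
# are choices, not Ansible defaults.
set -eu

# Store the vault password in a file that only the current user can read,
# so the playbook can run unattended without --ask-vault-pass.
make_vault_pass_file() {
  ( umask 077; printf '%s\n' "$2" > "$1" )
}

# Encrypt the plaintext vars file in place (same result as "ansible-vault create").
encrypt_vars_file() {
  ansible-vault encrypt --vault-password-file "$2" "$1" >/dev/null
}

# Check a vars file before committing or sharing it: it must carry the
# $ANSIBLE_VAULT header and must not contain the plaintext secret.
vault_file_ok() {
  head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256' || return 1
  ! grep -q -- "$2" "$1"
}

# The vault password file itself must be mode 0600 (owner read/write only).
pass_file_private() {
  [ -n "$(find "$1" -maxdepth 0 -perm 600)" ]
}

# End-to-end run, mirroring method #2 of the article with constructed secrets.
demo() {
  dir=$(mktemp -d)
  make_vault_pass_file "$dir/.vault_pass" 'constructed-vault-password'
  printf 'my_cluser_sudo_pass: %s\n' 'constructed-sudo-password' > "$dir/passwd.yml"
  encrypt_vars_file "$dir/passwd.yml" "$dir/.vault_pass"
  vault_file_ok "$dir/passwd.yml" 'constructed-sudo-password'
  pass_file_private "$dir/.vault_pass"
  # Playbook run that needs no interactive prompts (not executed here):
  #   ansible-playbook -i inventory --vault-password-file "$dir/.vault_pass" \
  #       --extra-vars "@$dir/passwd.yml" my.yml
  rm -rf "$dir"
  echo "vault file and password file verified"
}

if command -v ansible-vault >/dev/null 2>&1; then
  demo
fi
```

The demo only runs when ansible-vault is on PATH; the two check functions work on any file and can be reused in a pre-commit hook.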

Disable sudo login without password on all remote servers

Login to your remote box:

ssh vivek@server1.cyberciti.biz

sudo -i

Make sure the vivek user is part of the sudo/wheel group that is allowed to sudo, using the id command:

id vivek

Edit sudo config file using the visudo command:

sudo visudo

Make sure the following line is deleted or commented out:

vivek ALL=(ALL) NOPASSWD:ALL

Save and close the file.

Summary

In short, use the following options for the ansible-playbook command, with or without a vault file:

-i inventory : Set path to your inventory file.

--ask-vault-pass : Ask for vault password.

--extra-vars '@passwd.yml' : Set extra variable. In this case set path to vault file named passwd.yml.

--ask-become-pass : Ask for sudo password.
