
I have a playbook running against multiple servers. All servers require a sudo password to be specified, which is specific to each user running the playbook. When running the playbook, I can't use --ask-become-pass, because the sudo passwords on the servers differ. This is the same situation as in another question about multiple sudo passwords.

A working solution is to specify ansible_become_pass in host_vars:

# host_vars/prod01.yml
ansible_become_pass: secret_prod01_password
domain: prod01.example.com
# host_vars/prod02.yml
ansible_become_pass: secret_prod02_password
domain: prod02.example.com

Besides ansible_become_pass, there are other variables defined per host. These variables should be committed to the git repository. However, as ansible_become_pass is specific to each user running the playbook, I'd like to have a separate file (ideally, vaulted) which specifies the password per host.

I imagine the following:

# host_vars/prod01.yml: shared in git
domain: prod01.example.com
# host_vars/prod01_secret.yml: in .gitignore
ansible_become_pass: secret_prod01_password

I imagine both files to be combined by Ansible when running the playbook. Is this possible in Ansible? If so, how?

nyi

2 Answers


You should be able to use the include_vars task with the inventory_hostname or ansible_hostname variable. For example:

- name: Include host specific variables
  # Ansible already loads host_vars/<inventory_hostname>.yml by itself; this
  # explicit include is only needed if the file lives somewhere else.
  include_vars: "{{ inventory_hostname }}.yml"

- name: Include host specific secret variables
  # inventory_hostname is the name from the inventory, which the host_vars file
  # is named after; ansible_hostname is a gathered fact that can differ from it
  # and requires gather_facts. The path is resolved relative to the playbook dir.
  include_vars: "host_vars/{{ inventory_hostname }}_secret.yml"

An even better solution would be to address the problem of users having unique passwords on different hosts.

MacGruber
  • What would you suggest as a solution to the problem of specific passwords for every user? Isn't it generally more secure to have personal `sudo` passwords? – nyi Mar 19 '19 at 17:11
  • It might technically be more secure to have a different password on each system, but this is unmanageable and is an anti-pattern. Typically, your sudo password is your user password, which should be a domain password. – MacGruber Mar 19 '19 at 17:16
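A complete layout for the include_vars approach in this answer, added here as a worked example rather than the answer's own code. The playbook name (site.yml), the inventory file name, the `_secret.yml` suffix and the host_vars directory sitting next to the playbook are assumptions:

```yaml
# Assumed layout (not from the original answer):
#   site.yml
#   inventory.ini                  # prod01 and prod02 are listed here
#   host_vars/prod01.yml           # shared, committed: domain and other vars
#   host_vars/prod01_secret.yml    # per user, vaulted, listed in .gitignore
#
# Each user creates and encrypts their own secret file with their own vault password:
#   ansible-vault create host_vars/prod01_secret.yml
#   (file contents: ansible_become_pass: secret_prod01_password)
# Keep the per-user files out of git:
#   printf 'host_vars/*_secret.yml\n' >> .gitignore
# Run with the vault password so the file can be decrypted:
#   ansible-playbook -i inventory.ini --ask-vault-pass site.yml

- hosts: all
  # inventory_hostname comes from the inventory, so no fact gathering is needed
  gather_facts: false
  tasks:
    - name: Include the per-user vaulted sudo password for this host
      # Ansible already loads host_vars/<inventory_hostname>.yml on its own, so
      # only the _secret file needs an explicit include. include_vars runs on the
      # controller and needs no become, so it is safe to run it before any task
      # that escalates.
      include_vars: "{{ playbook_dir }}/host_vars/{{ inventory_hostname }}_secret.yml"
      no_log: true   # keeps the included value out of -v output

    - name: Fail early with a clear message if the secret file was missing or incomplete
      assert:
        that: ansible_become_pass is defined
        fail_msg: "host_vars/{{ inventory_hostname }}_secret.yml did not set ansible_become_pass"

    - name: First task that needs sudo; the password included above is used here
      become: true
      command: id -u
```

If you put both files under a per-host directory instead, for example `host_vars/prod01/main.yml` (committed) and `host_vars/prod01/secret.yml` (ignored), Ansible merges every YAML file in that directory automatically and the include_vars task is not needed at all; the same `.gitignore` and `ansible-vault` steps apply.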

You could create a new group in the inventory file, maybe sudo-hosts. Put all your sudo hosts in this group. Then create a file under the directory group_vars with the name of this group. In this file put the secret yaml-structured text.

sudo_hosts:
  host1:
    password: xyz
    othersecret_stuff: abc
  host2:
    ...

then use ansible-vault to encrypt this file with ONE password. Call the playbook with option --ask-vault-pass and you can use your secrets with

"{{ sudo_hosts[inventory_hostname].password }}"

Oliver Gaida
  • Beside this solution, you could use public-key authentication and passwordless sudo. With a strong passphrase on the private key, it is very secure. – Oliver Gaida Mar 19 '19 at 20:36
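The group_vars approach from this answer carried through to a working file, added as an example that is not the answer's own code. The group is named sudo_hosts with an underscore (hyphens in group names draw a warning from recent Ansible versions); the inventory file name, the host names and the sample values are assumptions:

```yaml
# Assumed inventory (inventory.ini), not from the original answer:
#   [sudo_hosts]
#   prod01
#   prod02
#
# This file is group_vars/sudo_hosts.yml. Encrypt the whole file with one vault
# password and supply that password at run time:
#   ansible-vault encrypt group_vars/sudo_hosts.yml
#   ansible-playbook -i inventory.ini --ask-vault-pass site.yml

sudo_hosts:
  prod01:
    password: secret_prod01_password
    othersecret_stuff: abc
  prod02:
    password: secret_prod02_password

# Bind the sudo password for the current host by looking the host up under its
# inventory name. This is evaluated per host when become is used, so no
# include_vars task is required. inventory_hostname is the key, not ansible_host:
# ansible_host is the connection address (if set) and need not match the mapping.
ansible_become_pass: "{{ sudo_hosts[inventory_hostname].password }}"
```

Because this holds one password per host rather than per user, it fits a shared account; for the per-user case in the question each user keeps their own copy of this file, encrypted with their own vault password and listed in .gitignore.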