
I have a playbook running against multiple servers. All servers require a sudo password to be specified, which is specific to each user running the playbook. When running the playbook, I can't use --ask-become-pass, because the sudo passwords on the servers differ. This is the same situation as in another question about multiple sudo passwords.

A working solution is to specify ansible_become_pass in host_vars:

# host_vars/prod01.yml
ansible_become_pass: secret_prod01_password
domain: prod01.example.com
# host_vars/prod02.yml
ansible_become_pass: secret_prod02_password
domain: prod02.example.com

Besides ansible_become_pass, there are other variables defined per host. These variables should be committed to the git repository. However, as ansible_become_pass is specific to each user running the playbook, I'd like to have a separate file (ideally, vaulted) which specifies the password per host.

I imagine the following:

# host_vars/prod01.yml: shared in git
domain: prod01.example.com
# host_vars/prod01_secret.yml: in .gitignore
ansible_become_pass: secret_prod01_password

I imagine both files to be combined by Ansible when running the playbook. Is this possible in Ansible? If so, how?

nyi

3 Answers


You should be able to use the include_vars task with the inventory_hostname or ansible_hostname variable. For example:

- name: Include host specific variables
  include_vars: "{{ ansible_hostname }}.yml"

- name: Include host specific secret variables
  include_vars: "{{ ansible_hostname }}_secret.yml"

An even better solution would be to address the problem of users having unique passwords on different hosts.

MacGruber
  • What would you suggest as a solution to the problem of specific passwords for every user? Isn't it generally more secure to have personal `sudo` passwords? – nyi Mar 19 '19 at 17:11
  • It might technically be more secure to have a different password on each system, but this is unmanageable and is an anti-pattern. Typically, your sudo password is your user password, which should be a domain password. – MacGruber Mar 19 '19 at 17:16

You could create a new group in the inventory file, maybe sudo-hosts. Put all your sudo hosts in this group. Then create a file under the directory group_vars with the name of this group. In this file put the secret yaml-structured text.

sudo_hosts:
  host1:
    password: xyz
    othersecret_stuff: abc
  host2:
    ...

then use ansible-vault to encrypt this file with ONE password. Call the playbook with option --ask-vault-pass and you can use your secrets with

"{{ sudo_hosts[inventory_hostname].password }}"

Oliver Gaida
  • Beside this solution, you could use public-key authentication and passwordless sudo. Also a strong passphrase on the private key and it is very secure. – Oliver Gaida Mar 19 '19 at 20:36

You can also just have a directory for each host and multiple variable files in that, like

host_vars/host1/vars.yaml
host_vars/host1/secret_vars.yaml

The same works for groups, too. See docs for more: https://docs.ansible.com/ansible/latest/inventory_guide/intro_inventory.html#organizing-host-and-group-variables

LittleFox
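A worked layout for the per-host directory approach above, added here as an example and not taken from any of the answers: the committed file and the vault-encrypted secret file sit side by side under host_vars/prod01/, Ansible loads both for that host, and the playbook checks that the secret was actually loaded before any task needs sudo. Host name, domain and file names are constructed for the illustration.

```yaml
# Constructed layout (run from the playbook directory):
#
#   inventory.ini
#     [prod]
#     prod01 ansible_host=prod01.example.com
#
#   host_vars/prod01/vars.yml        # committed to git
#     domain: prod01.example.com
#
#   host_vars/prod01/secret.yml      # per-user; encrypt it before committing
#     ansible_become_pass: secret_prod01_password
#
# Encrypt the secret file once, then run the play with --ask-vault-pass:
#   ansible-vault encrypt host_vars/prod01/secret.yml
#   ansible-playbook -i inventory.ini --ask-vault-pass playbook.yml
#
# playbook.yml
- name: Use committed and secret host_vars together
  hosts: prod
  become: false            # do not escalate until the secret is known to be present
  tasks:
    - name: Fail early if the per-user secret file was not loaded or decrypted
      ansible.builtin.assert:
        that:
          - ansible_become_pass is defined
          - ansible_become_pass | length > 0
        fail_msg: "host_vars/{{ inventory_hostname }}/secret.yml missing or not decrypted"
        quiet: true

    - name: Show that both files were merged for this host (secret value itself never printed)
      ansible.builtin.debug:
        msg: "domain={{ domain }} become_pass_present={{ ansible_become_pass is defined }}"

    - name: First task that actually needs sudo on the host
      ansible.builtin.command: id -u
      become: true
      changed_when: false
```

If secret.yml is left unencrypted instead, add host_vars/*/secret.yml to .gitignore so the per-user password file never reaches the repository.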