Any variable to replace --ask-pass, such as ansible_become_pass replaces --ask-become-pass?

I'm on Ansible 2.9

Playbook name: itop_db.yml

The playbook:

 - name: configure DB to listen
   hosts: itop_acc_db
   become: yes
   vars: vars.yml
   tasks:

     - name: configure DB
       lineinfile:
         path: /etc/my.cnf.d/server.cnf
         regexp: '^bind-address'
         line: bind-address={{ ansible_default_ipv4.address }}

Ansible hosts file:

all:
  hosts:
  children:
    itop_acc:
      hosts:
        hostname1.domain
    itop_pro:
      hosts:
        hostname2.domain
    itop_dev:
      hosts:
        hostname3.domain
    itop_acc_db:
      hosts:
        dbhostname1.domain ansible_ssh_pass=ansible_ssh_pas ansible_become_pass=ansible_become_pas

Vars file:

vars:
ansible_ssh_pas: vault_ansible_ssh_pass
ansible_become_pas: vault_ansible_become_pass

Vault file:

vault_ansible_ssh_pass: 'password'
vault_ansible_become_pass: 'password'

The command line:

ansible-playbook itop_db.yml --ask-pass --ask-become-pass

I am trying to replace the --ask-pass or -k option with a vaulted password so that the solution is completely automated without human interaction.

I can not change the fact that the target server authentication is password based only. The target server actually needs two passwords, one for ssh and one for sudo.

From the docs and Stack Overflow, I think I understand how to replace the --ask-become-pass or -K with a vaulted password, using the ansible_become_pass variable.

I checked some pages here, which got me closer but not yet there. The link underneath rightly suggests using the option -b, which eliminates the prompting for the become password: "Is there any way to specify both ask-pass and ask-become-pass only once in Ansible?"

This link suggests using ansible_become_pass for --ask-become-pass: "Specify sudo password for Ansible"

This link, although around 8 years old, has the same question as mine, but without an answer: "Ansible: ask-pass programmatically"

After writing all this, I think it might replace --ask-pass with ansible_pass, although I do not see that described anywhere.

Digging deeper, I found this link, which suggests using ansible_ssh_pass: https://serverfault.com/questions/628989/how-to-set-default-ansible-username-password-for-ssh-connection

I have tried the setup as described above, but I still get a password prompt when executing the playbook mentioned.

Any help or hints are welcome.

trainin99

1 Answer

ansible_ssh_pass or ansible_password should do it. It can be defined in the inventory file as documented here, or in the ansible.cfg file, more details here. The ansible-playbook flag --connection-password-file can also be used after storing the password in a file. More details here. It's also recommended to use encryption to store sensitive information. Best practice is to use vault in group_vars, as mentioned here. Hope this helps.

vedipen
  • Thanks for pointing to the obvious, it did help. From checking the docs, I corrected the hosts file: I mixed INI and YAML style for the var part, and the variable name was incomplete. In 2.9 there's no ansible_ssh_pass but there is ansible_password and ansible_become_password. – trainin99 Apr 01 '22 at 14:19
  • This post was helpful to set it all right. The cyberciti.biz link was extremely helpful in just showing how to set this up. – trainin99 Apr 04 '22 at 11:42
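
Added example (not part of the original posts): one way to lay out the files from the question so that both passwords come from a vault, using the variable names ansible_password and ansible_become_password from the comment above and the group_vars approach from the answer. The file names hosts.yml, group_vars/itop_acc_db/vars.yml and vault.yml, the CHANGE_ME values and the vault password file path are assumptions chosen for illustration.

```yaml
# hosts.yml (inventory, pure YAML): each host is a mapping key and ends with ":".
# No INI-style "key=value" host variables on the host line.
all:
  children:
    itop_acc_db:
      hosts:
        dbhostname1.domain:
---
# group_vars/itop_acc_db/vars.yml (plain text): maps the connection variables
# to vault variables. The Jinja2 braces are required; without them the value
# is the literal string, not the secret.
ansible_password: "{{ vault_ansible_ssh_pass }}"
ansible_become_password: "{{ vault_ansible_become_pass }}"
---
# group_vars/itop_acc_db/vault.yml (placeholder values, constructed).
# Encrypt before committing:
#   ansible-vault encrypt group_vars/itop_acc_db/vault.yml
vault_ansible_ssh_pass: 'CHANGE_ME'
vault_ansible_become_pass: 'CHANGE_ME'
---
# itop_db.yml: group_vars next to the inventory or playbook load automatically,
# so the play needs no vars or vars_files entry.
- name: configure DB to listen
  hosts: itop_acc_db
  become: yes
  tasks:
    - name: configure DB
      lineinfile:
        path: /etc/my.cnf.d/server.cnf
        regexp: '^bind-address'
        line: "bind-address={{ ansible_default_ipv4.address }}"

# Run without prompts (vault password file path is an assumption; keep it
# mode 0600 and out of version control):
#   ansible-playbook -i hosts.yml itop_db.yml --vault-password-file ~/.vault_pass
# Password-based SSH with the ssh connection plugin needs sshpass installed
# on the control node.
```

To check what Ansible resolves for the host before running the play, `ansible-inventory -i hosts.yml --host dbhostname1.domain` lists the variables attached to it.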