How to hide password in the ansible host file
I have some Windows hosts that are configured with WinRM so that Ansible can connect to them. Unlike Linux hosts, where I can use ssh-copy-id to avoid entering the credentials, I have to put my admin password in /etc/ansible/hosts in order to connect to these Windows machines:
cat /etc/ansible/hosts
[win]
192.168.1.1
192.168.1.2
192.168.1.3
192.168.1.4
[win:vars]
ansible_user= administrator
ansible_password=mypasswd
ansible_port=5986
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
Is there any way to avoid having the plain-text password in the hosts file?
I am very new to Ansible, any help is appreciated!
Solution 1:
Decide what you want to use for secrets management on the machine running Ansible. There are lookup plugins which get data from some system. Run ansible-doc -t lookup --list and review the list; secrets-related ones tend to have "pass" or "secret" in the name, or "keyring", which wraps the local OS secret storage (GNOME secret service, KDE kwallet).
After configuring whatever secrets system, refer to it in Ansible with a lookup expression:
ansible_password="{{ lookup('keyring', secret_name) }}"
The other option is ansible-vault, the integrated file encryption utility. (Note this is different from HashiCorp Vault, which, if you had it, you could use with its lookup plugin.) For this you could encrypt the inventory file, or a separate vars file where you put the secrets.
Bonus tip: /etc/ansible/hosts is merely the default inventory file. You can change the default inventory file in ansible.cfg, or provide one on the command line with the -i option. So you can have inventory in your home directory, and edit it without touching privileged directories.
Solution 2:
This is what ansible-vault is for (as Ron Trunk already mentioned)
One way to handle this is to change your example entry like this:
[win:vars]
ansible_user= administrator
ansible_password={{Vault_windows_admin_password}}
ansible_port=5986
and then, in your vault you'd have
Vault_windows_admin_password: VerySecretPasswordHere
You really should check out https://docs.ansible.com/ansible/latest/user_guide/vault.html
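A check to run once the password has moved to a lookup or a vaulted variable, as described in the two answers above: it scans an INI inventory and reports any credential variable that still holds a literal value. This is an added example, not code from either answer; the function name and the sample inventories are constructed for illustration.

```python
import re
import shlex

# Credential-bearing connection variables (real Ansible variable names).
SECRET_KEYS = {"ansible_password", "ansible_winrm_password", "ansible_ssh_pass",
               "ansible_become_password", "ansible_become_pass"}
TEMPLATE = re.compile(r"^\{\{.*\}\}$")  # value is entirely a Jinja2 expression

def _is_plaintext(value):
    value = value.strip().strip("'\"").strip()
    return bool(value) and not TEMPLATE.match(value)

def find_plaintext_secrets(inventory_text):
    """Return (line_number, section, key) for each literal secret in an INI inventory."""
    findings, section = [], None
    for lineno, raw in enumerate(inventory_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section and section.endswith(":vars"):
            pairs = [line]  # a :vars line is a single key=value pair
        else:
            try:  # host line: hostname followed by key=value tokens
                pairs = shlex.split(line, comments=True)[1:]
            except ValueError:  # unbalanced quote; fall back to whitespace split
                pairs = line.split()[1:]
        for pair in pairs:
            key, sep, value = pair.partition("=")
            if sep and key.strip() in SECRET_KEYS and _is_plaintext(value):
                findings.append((lineno, section, key.strip()))
    return findings

# Constructed samples modelled on the inventory in the question.
SAMPLE_PLAIN = """[win]
192.168.1.1
[win:vars]
ansible_user= administrator
ansible_password=mypasswd
ansible_port=5986
"""
SAMPLE_VAULTED = SAMPLE_PLAIN.replace("mypasswd", "{{ Vault_windows_admin_password }}")

if __name__ == "__main__":
    for name, text in (("plain", SAMPLE_PLAIN), ("vaulted", SAMPLE_VAULTED)):
        print(name, find_plaintext_secrets(text))
```

The check only covers INI inventories; a vars file that defines the secret must itself be encrypted with ansible-vault, which this script does not verify.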