2.2.2. Securing and passing credentials
You need to store passwords for use in Ansible. Use ansible-vault.
The ansible-vault command has three subcommands that are frequently used.
- create
- edit
Create vault for credentials

- Create a vault creds.yaml.
  - Type ansible-vault create creds.yaml

    Use create to create the initial files that will be vault encrypted. Vault will prompt you for a password. For the purposes of this lab enter "password". It will then open up a text editor (vi) for you to write data to it. Data of any form can be written, but text is usually the format that is used.
  - Type i then enter the following in the editor.

        bigip_user: "admin"
        bigip_pass: "admin"

  - Type the esc key then :wq to save and quit the editor. The file will automatically be encrypted for you.
  - Type cat creds.yaml to ensure the file is encrypted.

    If successful, you should see similar results
- Copy playbooks/cmd.yaml to playbooks/cmd1.yaml, delete the vars_prompt section and replace it with a new vars section.
  - Type cp playbooks/cmd.yaml playbooks/cmd1.yaml
  - Type nano playbooks/cmd1.yaml

        ---
        - name: "Run a tmsh command"
          hosts: bigips
          gather_facts: False
          connection: local

          vars:
            # Lab setting: TLS certificate verification is disabled
            validate_certs: no
            server: 10.1.1.245
            # Credentials are read from the vault file passed with -e @creds.yaml
            username: "{{ bigip_user }}"
            password: "{{ bigip_pass }}"

          tasks:
            - name: View system version and LTM configuration
              bigip_command:
                commands:
                  - list /ltm virtual all
                  - list /ltm pool all
                  - list /ltm node all
                server: "{{ server }}"
                password: "{{ password }}"
                user: "{{ username }}"
                validate_certs: "{{ validate_certs }}"
              register: result

            # Print the command output collected above
            - debug: msg="{{ result.stdout_lines }}"
- Run this playbook.
  - Type ansible-playbook playbooks/cmd1.yaml -e @creds.yaml --ask-vault-pass

    You will be prompted for the vault password before the playbook executes. If successful, you should see config for virtual servers, pools and nodes.
Note
Use ansible-vault edit creds.yaml to modify the vault. You will be prompted
for the vault password before the editor opens the vault file.
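
The cat creds.yaml check from the first step can be scripted so that a plaintext credentials file is caught before it is committed or shared. The shell functions below are an added example, not part of the original lab or of ansible-vault; the names vault_status and require_vaulted and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify that files are in Ansible Vault format.
# vault_status and require_vaulted are hypothetical helper names.

# vault_status FILE -> prints: encrypted | plaintext | malformed | missing
vault_status() {
    file=$1
    [ -f "$file" ] || { echo missing; return 0; }

    # First line of a vault file: $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id>]
    header=$(head -n 1 "$file" | tr -d '\r')
    case $header in
        '$ANSIBLE_VAULT;1.1;AES256') ;;
        '$ANSIBLE_VAULT;1.2;AES256;'?*) ;;
        *) echo plaintext; return 0 ;;
    esac

    # Everything after the header must be the hex-encoded payload.
    body=$(tail -n +2 "$file" | tr -d '\r\n')
    if [ -z "$body" ]; then echo malformed; return 0; fi
    case $body in
        *[!0-9a-fA-F]*) echo malformed ;;   # header present, body not hex
        *) echo encrypted ;;
    esac
}

# require_vaulted FILE... -> non-zero exit status if any file is not encrypted
require_vaulted() {
    rc=0
    for f in "$@"; do
        st=$(vault_status "$f")
        if [ "$st" != encrypted ]; then
            echo "REFUSE: $f is $st" >&2
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed sample files (not real ansible-vault output).
demo_dir=$(mktemp -d)
printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '3061626364656630' > "$demo_dir/creds.yaml"
printf '%s\n' 'bigip_user: "admin"' 'bigip_pass: "admin"' > "$demo_dir/plain.yaml"
for f in "$demo_dir/creds.yaml" "$demo_dir/plain.yaml"; do
    echo "$(basename "$f"): $(vault_status "$f")"
done
rm -rf "$demo_dir"
```

This checks the file format only; it does not confirm that the vault password decrypts the payload.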