Ansible hide ansible_password - ansible

I am familiar with the solution of ansible-vault feature.
Our passwords are stored as a call to an external lookup (to be specific - Cyberark password).
However, a regular user can still see them with a simple debug command:
ansible -m debug -a var=ansible_password <some host>
I am familiar with the Ansible feature known as "no_log". When you set this attribute on a task, or on a specific variable (in an Ansible argument spec), the output is hidden, even with high verbosity.
Is there a way to set this attribute on the ansible_password variable, so no one can print it?
The only other solution we came up with is to use vault, but the whole CyberArk password lookup came up in order to "cut off" the vault feature...

You can set the password to expire or change in CyberArk after each call or execution. Why worry about a user seeing CyberArk's password? It may be useless after Ansible has used it.

programmatically create sudo rules for running ansible-playbook

How could I create a list of all possible commands an ansible-playbook run is using, so that I could create a sudoers file?
For testing the playbooks, I temporarily create an entry in /etc/sudoers.d:
tempuser ALL=(ALL:ALL) NOPASSWD:ALL
But is there a plugin or a way to get the list of commands, so that I could later create a list like
tempuser ALL= NOPASSWD: /bin/systemctl start mariadb.service
...
Any ideas?
If you intend to use privilege escalation with ansible then privilege escalation must be general
You cannot limit privilege escalation permissions to certain commands. Ansible does not always use a specific command to do something but runs modules (code) from a temporary file name which changes every time. If you have ‘/sbin/service’ or ‘/bin/chmod’ as the allowed commands this will fail with ansible as those paths won’t match with the temporary file that Ansible creates to run the module. If you have security rules that constrain your sudo/pbrun/doas environment to running specific command paths only, use Ansible from a special account that does not have this constraint, or use Red Hat Ansible Tower to manage indirect access to SSH credentials.
As demonstrated in the documentation quote above, this is a well-known limitation of the tool. If this is a problem in your environment, either look at the workarounds proposed in that documentation quote, or don't use Ansible at all.

How to pass ansible vault password as an extra var?

I have the ability to encrypt variables using another mechanism (the Azure Pipelines secret variable feature), so I would like to save an ansible-vault password there (in Azure Pipelines) and pass it to the playbook execution as an extra var.
May I know if this can be done?
An example of what I'm expecting is
ansible-playbook --extra-vars "vault-password=${pipelinevariable}"
The vault password cannot be passed as an extra var. There are several ways to provide it, which are all covered in the documentation:
Providing vault password section in the general vault documentation.
Using vault in playbooks
Very basically, your options are:
providing it interactively passing the --ask-vault-pass option
reading it from a file (static or executable) by either:
providing the --vault-password-file /path/to/vault option on the command line
setting the ANSIBLE_VAULT_PASSWORD_FILE environment variable (e.g. export ANSIBLE_VAULT_PASSWORD_FILE=/path/to/vault).
There is much more to learn in the above doc, especially how to use several vault passwords with ids, how to use a client script to retrieve the password from a key store...
Although this doesn't use extra vars, I believe it fulfills what you were trying to do:
Optional/one-time only: ask for the password and set it as an environment variable:
read -s ansible_vault_pass && export ansible_vault_pass
Now use that variable in your ansible command:
ansible-playbook your-playbook.yml --vault-password-file <(cat <<<"$ansible_vault_pass")
Credits for, and explanation of the <(cat <<<"") technique are in this other StackOverflow answer: Forcing cURL to get a password from the environment.
May I know if this can be done?
Not familiar with Ansible Vault, but you have at least two directions based on the documents shared by Zeitounator.
1. Use a CMD task first to create a vault-password-file with plain-text content. (Not sure if the vault-password-file can be created this way; it might not work.)
(echo $(SecretVariableName)>xxx.txt)
Then you may use the newly created xxx.txt file as the input of ansible-playbook --vault-password-file /path/to/my/xxx.txt xxx.yml.
2. Create a corresponding vault-password-file before running the pipeline and add it to version control (the same source repo as your current pipeline).
Then you can use ansible-playbook --vault-password-file easily when the vault-password-file is available. You can also store the password file in a private GitHub repo, fetch the repo via git clone https://{userName}:{userPassword}#github.com/xxx/{RepoName}.git, and copy the needed password file to the directory where you run the ansible-playbook commands via the Copy Files task. This direction should work regardless of whether direction 1 is supported.
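Zeitounator's answer mentions a client script as a password source, and the answer above it keeps the password in an environment variable; the two combine into an executable --vault-password-file, which is what a CI job such as the Azure Pipelines one in the question can use without writing the secret to disk or passing it on the command line. This is an added example, not code from any of the answers; it assumes the CI step exposes the secret as ANSIBLE_VAULT_PASS (in Azure Pipelines, a secret variable has to be mapped into the step with "env:" before a script can read it).

```shell
#!/bin/sh
# vault-pass.sh: an executable --vault-password-file. Ansible runs an
# executable password file and reads the password from its stdout.
# Assumed (not from the posts): the CI step exports the secret as
# ANSIBLE_VAULT_PASS, or names another variable via VAULT_PASS_VAR.
#
# Usage: chmod +x vault-pass.sh
#        ansible-playbook site.yml --vault-password-file ./vault-pass.sh

vault_pass_from_env() {
  # $1: name of the variable holding the password (default ANSIBLE_VAULT_PASS)
  name="${1:-ANSIBLE_VAULT_PASS}"
  # Refuse anything that is not a plain identifier before handing it to eval.
  case "$name" in
    [0-9]*|*[!A-Za-z0-9_]*)
      echo "vault-pass.sh: invalid variable name '$name'" >&2
      return 2 ;;
  esac
  eval "value=\${$name-}"
  if [ -z "$value" ]; then
    # A non-zero exit makes ansible-playbook fail loudly instead of trying
    # an empty password against every vaulted file.
    echo "vault-pass.sh: $name is unset or empty" >&2
    return 1
  fi
  printf '%s\n' "$value"
}

# Act as the password client only when invoked as vault-pass.sh, so the
# function above can also be sourced by other scripts without side effects.
case "$0" in
  vault-pass.sh|*/vault-pass.sh)
    vault_pass_from_env "${VAULT_PASS_VAR:-ANSIBLE_VAULT_PASS}" ;;
esac
```

Because the password is only ever read from the job's environment, it does not appear in the pipeline's command log or in a file that could end up in version control, which is the weakness of the plain-text-file directions above.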

Alternative for --ask-pass Ansible option in the playbook

I am searching for a way to force a password prompt on the role for the remote connection. I wish to override the default remote_user set in ansible.cfg only for the one role and allow the others to run under the default one. Is there a way to achieve it?

Ansible Ad-hoc commands requests vault passwords

This afternoon when running ansible ad-hoc commands I've started to be prompted for the vault passwords.
The process shouldn't need this and this was never required before.
I'm just running something like
ansible prod_servers -m shell -a "ls -al /var/logs/" --sudo
I can just provide the password and the command works, but it's driving me crazy.
We're using ansible 1.8.4 (don't ask) :(
Check for vaulted files under group_vars/host_vars in your inventory – this should be the only reason why password prompt may appear for ad-hoc commands.
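The check suggested in the answer above, as an added example (not part of the original answer): list every file under the inventory's group_vars and host_vars trees that carries the ansible-vault header, since such a file is what makes an ad-hoc run prompt for a vault password. It assumes POSIX sh with find and grep.

```shell
#!/bin/sh
# Report vaulted files in an inventory tree. A file encrypted with
# ansible-vault starts with a header line such as "$ANSIBLE_VAULT;1.1;AES256",
# which is all that is needed to recognise it without the password.
# Inline "!vault" encrypted strings inside otherwise plain YAML (newer
# Ansible) would need a second pattern and are not covered here.
find_vaulted_files() {
  # $1: inventory directory (default: current directory)
  dir="${1:-.}"
  # -l prints only matching file names, -s silences unreadable-file errors,
  # \$ keeps the dollar sign literal in the basic regular expression.
  find "$dir" \( -path '*/group_vars/*' -o -path '*/host_vars/*' \) -type f \
    -exec grep -ls '^\$ANSIBLE_VAULT;' {} +
}

# Exit status 0 when at least one vaulted file exists, 1 otherwise, so the
# function can be used as a condition in a pre-flight script.
has_vaulted_files() {
  [ -n "$(find_vaulted_files "$1")" ]
}

# Example run against the current directory when executed directly
# as a script named find-vaulted.sh (constructed name for this example).
case "$0" in
  find-vaulted.sh|*/find-vaulted.sh) find_vaulted_files "${1:-.}" ;;
esac
```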

Reading an environment variable from the remote host

I'm attempting to write an Ansible task that utilizes an environment variable on the remote host.
Based on the docs I've thought to use either lookup('env', 'SSH_AUTH_SOCK') or ansible_env.SSH_AUTH_SOCK, but neither is returning the correct value. If I use the former, it returns the value from my local host (not the remote host). If I use the latter, it returns nothing.
If I ssh into the machine I'm able to run echo $SSH_AUTH_SOCK without issue.
My understanding was that ansible_env was the proper access point for remote host environment variables but that seems to not be the case.
Any help is appreciated.
It is possible the env variable (SSH_AUTH_SOCK) is not in the remote's env, so it is returning nothing. One way to rule this out is to get something that is always available, e.g. USER or SSH_CLIENT. If you can get that value, then you can safely assume SSH_AUTH_SOCK is not set in the remote's env.
- debug: msg={{ ansible_env.USER }}
The reason you see SSH_AUTH_SOCK set when you ssh into the machine could be: your login profile or bash script is starting ssh-agent, which sets the SSH_AUTH_SOCK variable to the unix socket so that ssh-add works correctly.