I am trying to create a playbook where a list of users will be created.
However, I also want to generate a random password for each user. Once the passwords are generated, I would like to have a text file holding username:new_generated_password key values, next to the playbook file. Is it possible to do this without developing a new module?
The password lookup can generate passwords for you and puts the generated password on the control machine (i.e. where the playbook is running). An example task that creates a user and sets their password may look something like this:
    - name: Create users with auto generated password
      user:
        name: "{{ item.name }}"
        # md5_crypt is a weak hash scheme; sha512_crypt is the stronger option the lookup supports
        password: "{{ lookup('password', 'credentials/' + item.name + '/password.txt encrypt=md5_crypt') }}"
      with_items: "{{ users }}"
This would then create a text file named ~/credentials/$username/password.txt on the control machine. If you were to rerun the Ansible play then Ansible would recognise that filepath as the password and make sure to set the user's password to that same value - making it idempotent.
This doesn't get you quite what you wanted but gets all the information that you needed on to the Ansible control host so you could then further manipulate it to get the final output that you wanted.
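The remaining step, writing the username:password file next to the playbook, can be done in the same play. The playbook below is an added example, not part of the original answer: the `users` entries, the `hosts: all` target and the `user_passwords.txt` file name are constructed for illustration. It uses `sha512_crypt` for the stored hash and reads the plain-text value back with a second `password` lookup on the same path.

```yaml
- hosts: all                      # hypothetical target group
  become: true
  vars:
    users:                        # constructed sample data
      - name: alice
      - name: bob
  tasks:
    - name: Create users with auto generated password
      user:
        name: "{{ item.name }}"
        # With encrypt= the lookup returns the hash; the plain text and the
        # salt are stored in the file, so reruns produce the same hash.
        password: "{{ lookup('password', 'credentials/' + item.name + '/password.txt encrypt=sha512_crypt') }}"
      loop: "{{ users }}"

    - name: Write username:password list next to the playbook
      copy:
        dest: "{{ playbook_dir }}/user_passwords.txt"
        mode: "0600"              # readable by the invoking user only
        # Without encrypt= the same lookup path returns the stored plain text.
        content: |
          {% for u in users %}
          {{ u.name }}:{{ lookup('password', 'credentials/' + u.name + '/password.txt') }}
          {% endfor %}
      delegate_to: localhost      # the file belongs on the control machine
      become: false
      run_once: true
      no_log: true                # keep the plain-text passwords out of task output and logs
```

The resulting file and the `credentials/` directory both hold plain-text passwords, so they should stay out of version control.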
Related
The job template has an option for "Prompt on Launch" for credentials.
I want to pass the credentials name using extra vars. I'm launching these jobs through manageIQ and so I want the user to select the credentials and manageIQ should pass it as extra vars to AWX Tower.
Any idea what is the parameter for it? For example, in order to pass ssh username, we use "ansible_ssh_user". I expect something similar is there for credentials? If that's possible would the value for the extra vars be just the credentials name?
I tried ansible_private_key_file as the extra vars name with the value Zabbix but I get the error that no such file exists (Zabbix).
My workaround right now is to store the ssh_key_file inside AWX container and when launching the job we set the ansible_private_key_file to /tmp/test.pem. But we actually want to select the name of the credentials from AWX tower instead of storing the keys inside the container.
Any idea what is the parameter for it? ... I expect something similar is there for credentials? If that's possible would the value for the extra vars be just the credentials name?
According to the Ansible Tower documentation on Credentials, you can make (additional) credentials available via variable names and facts.
For Machine Credential you can get username and password parameters directly from facts:
    vars:
      machine:
        username: '{{ ansible_user }}'
        password: '{{ ansible_password }}'
For Network Credential which I use additionally in some playbooks I get username and password parameters from the job runtime environment via
    vars:
      network:
        username: '{{ lookup("env", "ANSIBLE_NET_USERNAME") }}'
        password: '{{ lookup("env", "ANSIBLE_NET_PASSWORD") }}'
since currently there is no other way to specify two different machine credentials in one Job Template. Other Credential Names are listed in the documentation too.
To inject further credentials you could use
    extra_vars:
      my_pass: '{{my_pass}}'
      my_user: '{{my_user}}'
and access them with
    ansible_user: "{{ my_user }}"
    ansible_password: "{{ my_pass }}"
Even the direct way is working
    ansible test --extra-vars="ansible_user=${ACCOUNT} ansible_password=${PASSWORD}" --become --module-name shell --args "echo $(hostname)"
to make a connection. So in your case, your extra variables could be
    ---
    ansible_user: USER
    ansible_password: PASSWORD
or
    --extra-vars="ansible_user=USER ansible_password=PASSWORD"
Thanks to
How Do I Use Ansible Tower's Credential Parameters (Machine, Network, Cloud) in my Playbook?
How To Use Multiple Machine Credentials For A Job Template In Ansible Tower?
In my ansible playbook I want to get the input from a text file and perform some set of operations.
I have 10 user names in the text file; the play has to pick the first name from the text file and do a few tasks. Once done for the first user, the play has to pick the second user, and so on.
I wrote a play for a single user. Kindly help me or give some sample play for this kind of scenario.
You should be using roles and managing everything from inventory.
However, the simplest way: create a file and store your user names in a variable, like this:
    users:
      - user1
      - user2
      - user3
      - user4
      - user5
At the beginning of your playbook, include that file
    - hosts: whatever
      become: yes
      vars_files:
        - <<path_to_your_var_file>>
Then in the task you can use that users variable you included from the variable file
      tasks:
        - name: create 10 users
          user:
            name: "{{ item }}"
            state: present
          with_items:
            - "{{ users }}"
Ansible will import the users variable from your var file, and loop n times with number of users you have.
I have a requirement to create user records by looping through details present in a yml file and set a random 6-digit password for each. After creating the users, I have to save the password for each user in a file which gets saved in the directory from which the playbook is run. How can I achieve it?
As already mentioned in the comments, it is quite simple to achieve via the lookup module for password, for example
    TESTUSER_PASSWORD: "{{ lookup('password', '/tmp/' + inventory_hostname + '/testuser_password chars=ascii_letters,digits length=6') }}"
You already have the playbook directory via Special Variables and playbook_dir. I usually use something like
    RUN_DIR: "{{ playbook_dir.split('/')[4] }}"
Further parts of the solution I leave to you.
I want to create user accounts with corresponding passwords all in a single playbook. To do this I define the users I need for my project and want to generate passwords for them. The attached script creates a password per user and assigns it to the r variable. This all works fine, I can call the items with their passwords. However I would like to save the usernames and passwords into a vault file that is encrypted all from within the playbook. But I can't figure out a way to do this.
Currently I write the output to the userfile.txt (output is a single line of .json, would like to have it in a nicer format) but then I would have to run an extra ansible-vault encrypt command. Is there a way to do this all from within a single playbook?
    vars:
      users:
        - testuser1
        - testuser2
    tasks:
      - name: Generate passwords
        script: generate_passwords.py "{{item}}"
        register: "r"
        args:
          executable: python3
        with_items: "{{ users }}"
      # The following proves that I can call the username and password:
      - debug: msg="username={{item.item}}, password={{item.stdout_lines[0]}}"
        with_items: "{{r.results}}"
      # This saves everything in cleartext, how to do this into a vault file?
      - copy:
          content: "{{r}}"
          dest: userfile.txt
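One way to get the encrypted file written from inside the playbook, without a separate ansible-vault encrypt step, is the `vault` filter (ansible-core 2.12 or later). The playbook below is an added example, not part of the original post: it swaps the `generate_passwords.py` script, which is not shown on the page, for the `password` lookup, and `vault_passphrase` and `userfile.yml` are hypothetical names.

```yaml
- hosts: localhost
  gather_facts: false
  vars:
    users:
      - testuser1
      - testuser2
  vars_prompt:
    - name: vault_passphrase      # hypothetical variable; prompted, never written to disk
      prompt: Vault passphrase for userfile.yml
      private: true
  tasks:
    - name: Generate one password per user (held in memory only)
      set_fact:
        # /dev/null tells the password lookup not to store the value anywhere,
        # so it is generated once here and kept in the fact.
        user_passwords: >-
          {{ user_passwords | default({}) | combine({item:
             lookup('password', '/dev/null length=20 chars=ascii_letters,digits')}) }}
      loop: "{{ users }}"
      no_log: true

    - name: Write the username/password map as a vault-encrypted file
      copy:
        dest: "{{ playbook_dir }}/userfile.yml"
        mode: "0600"
        # to_nice_yaml gives one "user: password" line per entry;
        # vault() encrypts the whole text before it reaches the disk.
        content: "{{ user_passwords | to_nice_yaml | vault(vault_passphrase) }}"
      no_log: true
```

The file can be read back with `ansible-vault view userfile.yml`. Because the filter picks a fresh salt on each run, the copy task reports a change every time.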
I want to store my user's public keys in vault instead of a file.
How should I change my playbook:
    - name: push users public_keys
      authorized_key:
        state: present
        user: admin
        key: "{{ lookup('file', '/path/to/your/www_id_rsa.pub') }}"
Thanks
One way could be storing your vault variables in a file or encrypt a string.
I'll show the use of file:
ansible-vault create vault_vars.yml (You'll be asked to create a password)
In the vault_vars.yml you create a normal variable containing the public_key: pub_key: "rsa..."
Include the file in your playbook:
    vars_files:
      - vault_vars.yml
You can access the variable from the vault just like you would with a variable being defined inside the playbook: {{ pub_key }}
An example printing the variable from the vault:
    - hosts: server
      vars_files:
        - vault_vars.yml
      tasks:
        - debug: msg="{{pub_key}}"
Running playbook: ansible-playbook playbook.yml --ask-vault-pass
You can either use --ask-vault-pass (being prompted for password) or --vault-password-file (storing your vault password in a file)
EDIT
After reading the question again, and you stated you did not want to use a file meaning the solution would be as suggested below: Encrypt the string.
Personally I am not a big fan of encrypting strings and then put them directly in the playbook. I prefer to encrypt the file instead, making it easier to add/change values if needed.
I don't really get the point of encrypting a public key. You usually want to do this for private keys (or any other kind of sensitive data like passwords, tokens...).
Meanwhile, if you really want to do that, you don't need to change anything to your playbook. You just have to encrypt the file containing your public key:
    ansible-vault encrypt --ask-vault-pass /path/to/your/www_id_rsa.pub
Once this is done, ansible will automagically detect this is a vault encrypted file when you try to use it and it will decrypt it on the fly. For this to work, you will of course have to provide the same vault password when you execute the playbook (or you will get an error saying that the vault could not be decrypted).
    ansible-playbook -i my_inventory --ask-vault-pass my_playbook.yml
For more info on different options to provide the vault pass/id see: https://docs.ansible.com/ansible/latest/user_guide/vault.html