The private: yes should prevent it from being logged etc. if I’m reading the 
documentation correctly.
e.g.

- hosts: all
  become: yes
  vars_prompt:
    - name: ansible_become_pass
      prompt: "Enter sudo password"
      private: yes

  tasks:
    - name: Install a package
      ansible.builtin.yum:
        name: vim
        state: present

however,

Have you looked into host_vars?

I tend to refer to hosts with a friendly name, as often we don’t have FQDNs or 
connect via a different IP to what DNS would point to etc.

something like

ansible_project/
│
├── playbook.yml
│
├── inventory/
│   └── inventory.yml
│
└── host_vars/
    ├── webserver01/
    │   ├── vars.yml          # Plain text variables file
    │   └── vault.yml         # Ansible Vault encrypted variables file
    │
    ├── webserver02/
    │   ├── vars.yml          # Plain text variables file
    │   └── vault.yml         # Ansible Vault encrypted variables file
    │
    ├── sqlserver01/
    │   ├── vars.yml          # Plain text variables file
    │   └── vault.yml         # Ansible Vault encrypted variables file
    │
    └── sqlserver02/
        ├── vars.yml          # Plain text variables file
        └── vault.yml         # Ansible Vault encrypted variables file


Example inventory

all:
  children:
    webservers:
      hosts:
        webserver01:
        webserver02:
    sqlservers:
      hosts:
        sqlserver01:
        sqlserver02:

# Example content of host_vars/webserver01/vars.yml
ip: "192.168.1.101"
port: 22
username: "your_user"
ansible_become_pass: "{{ P_ansible_become_pass }}"

# Example content of host_vars/webserver01/vault.yml
P_ansible_become_pass: "your password here"

I like to reference encrypted vars in the non-encrypted vars so I can get a 
view of all vars in one place without needing to decrypt the vault file.

Hope that helps

Stu
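As an added example (not code from the thread, from Stu, or from the Ansible project), here is a small Python audit for a host_vars tree laid out as above. It checks the two properties the vars.yml / vault.yml split relies on: every vault.yml actually carries the Ansible Vault header (so it was not left decrypted on disk), and any sensitive variable in the plaintext vars.yml holds only a Jinja reference to a vaulted variable, never a literal value. The directory layout and variable names follow the message above; the sample tree it builds and the list of sensitive keys are constructed assumptions.

```python
"""Audit an Ansible host_vars tree for the vars.yml / vault.yml split:
secrets live in vault.yml (Vault-encrypted) and vars.yml only references
them with Jinja, so nothing sensitive sits in plaintext.
Added example; not code from the thread or from Ansible itself."""
import re
import tempfile
from pathlib import Path

# Real Ansible Vault files begin with this header (e.g. "$ANSIBLE_VAULT;1.1;AES256").
VAULT_HEADER = "$ANSIBLE_VAULT;"

# Connection / privilege-escalation variables that must never hold a literal
# value in the plaintext vars.yml. Assumed list; extend for your own naming scheme.
SENSITIVE_KEYS = {
    "ansible_become_pass",
    "ansible_become_password",
    "ansible_password",
    "ansible_ssh_pass",
}

# A value that is purely a Jinja reference to another variable, optionally
# quoted, e.g.  "{{ P_ansible_become_pass }}"
JINJA_REF = re.compile(r'^"?\{\{\s*[A-Za-z_][A-Za-z0-9_]*\s*\}\}"?$')


def parse_flat_yaml(text):
    """Minimal parser for flat 'key: value' files like the host_vars samples.

    Deliberately avoids a PyYAML dependency; nested structures are ignored.
    """
    result = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or ":" not in stripped:
            continue
        key, value = stripped.split(":", 1)
        result[key.strip()] = value.strip()
    return result


def audit_host_vars(root):
    """Return a list of findings; an empty list means the tree passes."""
    findings = []
    for host_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        vault = host_dir / "vault.yml"
        if vault.exists() and not vault.read_text().startswith(VAULT_HEADER):
            findings.append(f"{host_dir.name}: vault.yml is not Vault-encrypted")
        vars_file = host_dir / "vars.yml"
        if vars_file.exists():
            for key, value in parse_flat_yaml(vars_file.read_text()).items():
                if key in SENSITIVE_KEYS and not JINJA_REF.match(value):
                    findings.append(
                        f"{host_dir.name}: vars.yml holds a literal value for {key}"
                    )
    return findings


def build_sample_tree(base):
    """Constructed sample tree: one host done right, one done wrong."""
    root = Path(base) / "host_vars"
    good = root / "webserver01"
    good.mkdir(parents=True)
    (good / "vars.yml").write_text(
        'ip: "192.168.1.101"\nport: 22\n'
        'ansible_become_pass: "{{ P_ansible_become_pass }}"\n'
    )
    # Header-only stand-in for an encrypted file; a real one carries hex ciphertext.
    (good / "vault.yml").write_text("$ANSIBLE_VAULT;1.1;AES256\n30313233\n")
    bad = root / "sqlserver01"
    bad.mkdir()
    (bad / "vars.yml").write_text('ansible_become_pass: "not-a-real-password"\n')
    (bad / "vault.yml").write_text('P_ansible_become_pass: "still plaintext"\n')
    return root


def run_demo():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_host_vars(build_sample_tree(tmp))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Point audit_host_vars at the real host_vars directory of a project; a non-empty result is a cheap pre-commit or CI gate to run before any playbook gets near ansible-playbook.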

From: [email protected] <[email protected]> On 
Behalf Of Evan Hisey
Sent: Thursday, February 22, 2024 9:11 PM
To: [email protected]
Subject: Re: [ansible-project] trigger --ask-become-pass with playbook variable?


Potentially, as far as I can tell the workaround does nothing to stop a 
plaintext log of the password in memory. You might also consider using Ansible 
Vault, and the ansible_become_password variable. This seems more in line with 
what you need/want. Even allows for using different passwords in various points 
by changing the variable with set.

https://eengstrom.github.io/musings/ansible-sudo-var

On Thu, Feb 22, 2024 at 7:28 AM Dick Visser 
<[email protected]<mailto:[email protected]>> wrote:
On Wed, 21 Feb 2024 at 20:53, Evan Hisey 
<[email protected]<mailto:[email protected]>> wrote:
Why not use the "-K" when launching ansible-playbook? That will trigger 
prompting for the sudo password securely.

Because I don't want to have to remember to use it.
I have several playbooks, some of them require -K and some of them do not.
I think it should be possible to express that requirement with some parameter, 
so that I don't have to remember it.

Is the above workaround less secure than doing -K on the command line?

thx

Dick
--
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to 
[email protected]<mailto:[email protected]>.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CAF8BbLZyVuMviqx-Ba4erXvshW%3Dm2ydmqbvtV%2BXUDPehRcbwrQ%40mail.gmail.com<https://groups.google.com/d/msgid/ansible-project/CAF8BbLZyVuMviqx-Ba4erXvshW%3Dm2ydmqbvtV%2BXUDPehRcbwrQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.
---------------
Stuart Lowe He/Him
Zen Cloud Engineering - Team Leader
Zen Internet
Team: 01706 902009
www.zen.co.uk
<https://www.zen.co.uk/>


-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/PA4PR01MB89943FD5FD108EDF233CFF33A8552%40PA4PR01MB8994.eurprd01.prod.exchangelabs.com.
