
I am very new to Ansible and would like to test a few things. I have a couple of Amazon EC2 instances and would like to install different software components on them. I don't want to have the (plaintext) credentials of the technical users inside of Ansible scripts or config files. I know that it is possible to encrypt those files, but I want to try KeePass as a central password management tool. So my installation scripts should read the credentials from a .kdbx (KeePass 2) database file before starting the actual installation.

Till now I wrote a basic Python script for reading the .kdbx file. The script outputs a JSON object via:

print(json.dumps(inventory, sort_keys=False))

The output looks like the following:

{"cdc": 
    {"cdc_test_server": 
        {"cdc_test_user": 
            {"username": "cdc_test_user", 
             "password": "password"}
        }
    }
}

Now I want to achieve that the Python script is executed by Ansible and the key/value pairs of the output are included/registered as Ansible variables. So far my playbook looks as follows:

- hosts: 127.0.0.1
  connection: local
  tasks:
  - name: "Test Playboook Functionality"
    command: python /usr/local/test.py
    register: pass

  - debug: var=pass.stdout

  - name: "Include json user output"
    set_fact: passwords="{{pass.stdout | from_json}}"

  - debug: " {{passwords.cdc.cdc_test_server.cdc_test_user.password}} "

The first debug generates the correct JSON output, but I am not able to include the variables in Ansible so that I can use them via Jinja2 notation. set_fact doesn't throw an exception, but the last debug just returns a "Hello world" message. So my question is: how do I properly include the JSON key/value pairs as Ansible variables via a task?

JuHarm89

3 Answers


See Ansible KeePass Lookup Plugin:

ansible_user       : "{{ lookup('keepass', 'path/to/entry', 'username') }}"
ansible_become_pass: "{{ lookup('keepass', 'path/to/entry', 'password') }}"
vczm
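The lookup call shape from this answer, applied to the JSON structure shown in the question, as an added Python example that is not part of the KeePass lookup plugin or the question's script: `resolve` walks the nested output along a 'group/server/entry' path, `lookup` does what `register` plus `from_json` do in the playbook, and `redacted` masks password values before the structure is handed to a `debug` task. The function names, the `SECRET_KEYS` tuple and the sample values are assumptions.

```python
import json

# Constructed sample with placeholder values, shaped like the JSON the
# question's script prints: group -> server -> entry -> attributes.
SAMPLE_JSON = json.dumps({
    "cdc": {
        "cdc_test_server": {
            "cdc_test_user": {"username": "cdc_test_user", "password": "password"}
        }
    }
})

# Attribute names whose values must never reach a log line (assumption).
SECRET_KEYS = ("password",)


class EntryNotFound(LookupError):
    """Raised for a missing path or attribute; the message never echoes a secret."""


def resolve(db, entry_path, attribute):
    """Walk db along 'group/server/entry' and return one attribute of that entry,
    mirroring the lookup('keepass', 'path/to/entry', 'username') call shape."""
    node, walked = db, []
    for part in entry_path.strip("/").split("/"):
        walked.append(part)
        if not isinstance(node, dict) or part not in node:
            raise EntryNotFound("no entry at %s" % "/".join(walked))
        node = node[part]
    if not isinstance(node, dict) or attribute not in node:
        raise EntryNotFound("entry %s has no attribute %r" % (entry_path, attribute))
    return node[attribute]


def lookup(raw_json, entry_path, attribute):
    """Parse the script's stdout (what register + from_json do) and resolve."""
    return resolve(json.loads(raw_json), entry_path, attribute)


def redacted(raw_json):
    """Copy of the parsed output with secret values masked, safe for a debug
    task ('debug: var=pass.stdout' prints every password into the Ansible log)."""
    def mask(node):
        if isinstance(node, dict):
            return {k: "***" if k in SECRET_KEYS else mask(v) for k, v in node.items()}
        return node
    return mask(json.loads(raw_json))


if __name__ == "__main__":
    print(lookup(SAMPLE_JSON, "cdc/cdc_test_server/cdc_test_user", "username"))
    print(json.dumps(redacted(SAMPLE_JSON), indent=2))
```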

You may want to use facts.d and place your Python script there to be available as a fact.
Or write a simple action plugin that returns a JSON object to eliminate the need for the stdout -> from_json conversion.

Konstantin Suvorov

Late to the party, but it seems your use case is primarily covered by keepass-inventory. And it doesn't require any playbook "magic". Disclaimer: I contribute to this non-profit.

export KDB_PATH=example.kdbx
export KDB_PASS=example

ansible all --list-hosts -i keepass-inventory.py
kubanczyk