I am trying to use ansible-vault to secure a single Windows login password. I do not want to place the password as plain text in my windows.yml file (see below) and so I am trying to use ansible-vault to secure/encrypt this password.

I have this directory structure:

myansiblehome
- windows_manage
  - group_vars
    - windows.yml
    - vault
  - hosts
  - win_playbook.yml

My question is about the file vault. I am trying to place a Windows login password here as an encrypted variable, as per this tutorial. The variable name is ansible_password and the idea is that I should have a hash in the vault file and not the actual password in text.

My windows.yml file looks like this (following the guidance here):

ansible_user: administrator
ansible_password: "{{ vault_ansible_password }}"
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore

Now, to create the vault file, here are my steps:

cd windows_manage
ansible-vault create group_vars/vault

Then here are all the contents that I place into the vault file:

---
vault_ansible_password: mypassword

When I run this file with ansible-playbook -i ./hosts win_playbook.yml --ask-vault-pass, I get this error (problem A):

The field 'password' has an invalid value, which includes an
undefined variable. The error was: 'vault_ansible_password' is 
undefined\nexception type: <...>\nexception: 'vault_ansible_password' is 
undefined.

So, I tried to generate a hash instead of using text. I did this:

mkpasswd --method=SHA-512
# copy the resulting hash to the clipboard
ansible-vault create group_vars/vault

I replaced the text mypassword with this hash. I pasted the hash in the vi editor and saved the vault file. Again, I ran the playbook with ansible-playbook -i ./hosts win_playbook.yml --ask-vault-pass. This time I got a different error (problem B):

fatal: [...]: UNREACHABLE! => ..."ssl: the specified
credentials were rejected by the server", "unreachable": true}

To overcome this, I have to do 2 things:

  1. To resolve problem A.: in win_playbook.yml, I need to add vars_files: group_vars\vault, somewhat similar to this StackOverflow post.
  2. To resolve problem B.: I have to replace the hash in vault with the actual password in text (mypassword).

Questions:

  1. Regarding A: In the tutorials I have come across for ansible vault, I do not see a particular reason why vars_file: group_vars\vars should be present in the main playbook file (see links 1-4 below), i.e. there is no mention of this anywhere. I thought Ansible would auto-detect the variables in the group_vars directory? Is there a reason why this line is required?

    1. https://serversforhackers.com/c/ansible-using-vault
    2. https://www.digitalocean.com/community/tutorials/how-to-use-vault-to-protect-sensitive-ansible-data-on-ubuntu-16-04
      • these guys use group_vars/vars (unencrypted variable file similar to my group_vars/vars) and group_vars/vault (encrypted variable file similar to my group_vars/vault) but they are using a role while I am not using an Ansible role
    3. https://knpuniversity.com/screencast/ansible/variable-vault
    4. https://opensource.com/article/16/12/devops-security-ansible-vault
  2. Regarding B: It looks like other users (see here) are using hashes as their variables. Actually, even the Ansible docs suggest using mkpasswd to generate passwords. Maybe I am misunderstanding something. Should we not use mkpasswd --method=SHA-512 to hash the password and then place the hash as the variable value? Is it not possible to use a hash as the value in key:value in the vault file?

edesz

1 Answer

group_vars rely on the file/directory name – it should correspond to a specific group name.

In your case windows.yml is applied to the group named windows, but vault would have been applied to a group named vault.

To overcome your issue, create a directory named windows and place your files there (every file under the windows directory will be applied to hosts in the windows group, in alphabetical order):

myansiblehome
\ windows_manage
  \ group_vars
    \ windows
      \ windows.yml
      - vault
Konstantin Suvorov
  • Ah, thanks! Checking right now... – edesz Oct 27 '17 at 18:06
  • Using the password as plain text (mypassword) worked. Thanks! – edesz Oct 27 '17 at 18:11
  • Using the password as a hash still did not work (Problem B.). Any idea about this? – edesz Oct 27 '17 at 18:12
  • Password should be stored as plaintext but inside encrypted vault. – Konstantin Suvorov Oct 27 '17 at 18:18
  • Thanks again. Ok, no further questions. – edesz Oct 27 '17 at 18:19
  • Sorry I just have one related question: If I had `hosts: localhost connection: local` then I would be running the playbook against my local control machine and not against a remote server. In this scenario, would I need to create a `localhost` directory in `group_vars` --> `/group_vars/localhost/vault` and `/group_vars/localhost/main.yml`? Or is it acceptable to use: `/group_vars/vault` and `/group_vars/main.yml`? – edesz Oct 27 '17 at 20:19
  • If you need to apply this to every host, use special group name `all` – `group_vars/all/vault` and `/group_vars/all/main.yml`. – Konstantin Suvorov Oct 28 '17 at 07:16
  • Thanks again! Ok, all my questions are answered! – edesz Oct 29 '17 at 18:29
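The group_vars naming rule from the answer and the `all` group from the comments, modelled as an added example (not code from the question, the answer or Ansible itself). It assumes only the rule stated above: a file named group_vars/&lt;group&gt; or &lt;group&gt;.yml applies to that group, and every file under a directory group_vars/&lt;group&gt;/ applies to it in alphabetical order; the vars files are constructed plaintext stand-ins for the real (vault-encrypted) ones, and the flat YAML parser is a hypothetical helper sufficient for those files.

```python
import os
import tempfile

def parse_simple_yaml(path):
    """Hypothetical helper: parse flat 'key: value' lines (enough for the vars files here)."""
    data = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if ":" not in line or line.startswith("#"):  # skips blanks and '---' too
                continue
            key, _, value = line.partition(":")
            data[key.strip()] = value.strip().strip('"')
    return data

def group_vars_files(group_vars_dir, group):
    """Files Ansible loads for `group`: group_vars/<group>[.yml] as a file, or
    every file under group_vars/<group>/ in alphabetical order."""
    found = []
    for name in (group, group + ".yml"):
        path = os.path.join(group_vars_dir, name)
        if os.path.isfile(path):
            found.append(path)
    subdir = os.path.join(group_vars_dir, group)
    if os.path.isdir(subdir):
        found += [os.path.join(subdir, f) for f in sorted(os.listdir(subdir))]
    return found

def resolve_vars(group_vars_dir, host_groups):
    """Merge vars for a host: the implicit 'all' group first, then its own groups."""
    merged = {}
    for group in ["all"] + [g for g in host_groups if g != "all"]:
        for path in group_vars_files(group_vars_dir, group):
            merged.update(parse_simple_yaml(path))
    return merged

def vars_for_host(layout, host_groups):
    """Write a constructed group_vars tree (relative path -> file text) and resolve it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, text in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
        return resolve_vars(os.path.join(root, "group_vars"), host_groups)

WINDOWS_YML = 'ansible_user: administrator\nansible_password: "{{ vault_ansible_password }}"\n'
VAULT = "---\nvault_ansible_password: mypassword\n"  # constructed stand-in for the encrypted file
# The asker's tree: "vault" beside windows.yml is read as vars for a group called vault (problem A).
BROKEN = {"group_vars/windows.yml": WINDOWS_YML, "group_vars/vault": VAULT}
# The answer's tree: both files under group_vars/windows/, so the windows group sees both.
FIXED = {"group_vars/windows/windows.yml": WINDOWS_YML, "group_vars/windows/vault": VAULT}
```

Calling `vars_for_host(BROKEN, ["windows"])` returns no vault_ansible_password key, while `vars_for_host(FIXED, ["windows"])` returns it alongside ansible_user.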