
I am working on Ansible automation for Cumulus-Linux (whitebox) networking. I am using Ansible Vault to encrypt the passwords in my playbooks for local accounts I want built out on the new Cumulus switch. However, when I run the playbook, it seems ansible is able to read the username variables from my vault-encrypted file, but not the password variables I defined. There is no way to check what Ansible is setting these passwords to; of course the passwords are encrypted even in the -vvvv Ansible output.

Per every Ansible Vault example I have seen, my variables are defined as such (an unencrypted variable referencing an encrypted one):

  • "user" gets its value from "vault_user", which resides in my vault-encrypted variables file.
  • "password" gets its value from "vault_password", which also resides in my vault-encrypted file.

My current playbook structure:

root
--> ansible.cfg
--> hosts
--> main.yml (main playbook)
--> group_vars
    --> all
        --> main.yml (where unencrypted "user" and "password" declared)
        --> vault.yml (encrypted, has values for "vault_user" and "vault_password")

The actual part of my playbook where the account is created/modified:

  - name: create_admin_account
    user:
      name: "{{ user }}"
      shell: /bin/bash
      password: "{{ password }}"
      groups: sudo
      append: yes

The variable definitions from /group_vars/all/main.yml

user: "{{ vault_user }}"
password: "{{ vault_password }}"

And then, in the vault-encrypted file, /group_vars/all/vault.yml (not sharing actual account info):

vault_user: 'xxxx'
vault_password: 'yyyy'

The encryption password is stored in a separate file and I point Ansible at the file via jenkins automation/Github (instead of defining the vault password file in ansible.cfg).

THE PROBLEM:

When I run this playbook, it completes successfully, and it does in fact read my vault file and create the 'xxxx' user account. However, it does not appear to be setting the account password to the value I defined, as I am not able to log in using those credentials afterwards. I verified the account gets created properly and is present afterwards in the sudoers group.

If ansible can read the vaulted "user" variable, why would it not be reading the "password" variable the same?

I have even tried running it with the vault file unencrypted and in plain text-- ansible STILL does not read my "password" variable correctly.

Does anybody know of a hack or way to see what plain text value Ansible is inserting into this variable when it runs (might be a silly question, as this would be a huge security risk!)?

1 Answer


Unless you were executing on macOS, you should provide a password hash to the password argument of the user module, not a plain-text password.

Reference:

password

Optionally set the user's password to this crypted value. See the user example in the github examples directory for what this looks like in a playbook. See http://docs.ansible.com/ansible/faq.html#how-do-i-generate-crypted-passwords-for-the-user-module for details on various ways to generate these password values. Note on Darwin system, this value has to be cleartext. Beware of security issues.

That said, there is no added security value in storing the password hash inside an Ansible Vault-encrypted file. It is the same value that can be read from the /etc/passwd file on the destination system (which by default is readable by everyone).


Does anybody know of a hack or way to see what plain text value Ansible is inserting into this variable when it runs (might be a silly question, as this would be a huge security risk!)?

- debug:
    var: password

Strictly speaking, there are cases in which the debug module's output on the screen is not a raw value (mostly if the variable contains escaped characters, like quotation marks). Then the only option to check the value is to use the copy module and provide the variable to the content parameter.

  • Thanks, techraf. Let me try the debug option-- if I can see what is being placed into the variable, I can probably figure out what went wrong exactly. – riddleOFst33l Nov 09 '17 at 22:39
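As an added example (not code from the question or from techraf's answer), the play below applies the answer's point to the layout in the question: the clear-text vault_password stays in vault.yml, and the play hashes it with the password_hash filter before it reaches the user module, then checks on the switch that the stored hash is the one it sent. It assumes group_vars/all/main.yml and vault.yml as shown above, one extra vaulted variable vault_password_salt (hypothetical; 16 alphanumeric characters), and a control node where the password_hash filter has passlib or a usable libc crypt().

```yaml
# Added example; assumes the question's group_vars layout plus a vaulted
# vault_password_salt variable (hypothetical) so the hash is stable between runs.
- name: Create local admin account on Cumulus switch
  hosts: all
  become: true
  vars:
    # Hash computed once here; the clear-text value never reaches the user
    # module or the task output. A fixed salt keeps the task idempotent
    # (a fresh random salt would report "changed" on every run).
    password_hashed: "{{ password | password_hash('sha512', vault_password_salt) }}"
  tasks:
    - name: create_admin_account
      user:
        name: "{{ user }}"
        shell: /bin/bash
        password: "{{ password_hashed }}"   # crypt(3)-style "$6$..." string, not plain text
        groups: sudo
        append: true

    # Troubleshooting only: prints the crypted value that was handed to the
    # user module (the hash, not the password). Off unless -e show_hash=true.
    - name: show rendered password value
      debug:
        var: password_hashed
      when: show_hash | default(false) | bool

    # Read back what the switch actually stored for this account.
    - name: read the shadow entry for the new user
      command: getent shadow {{ user }}
      register: shadow_entry
      changed_when: false
      check_mode: false
      no_log: true   # the shadow line contains the hash; keep it out of the log

    # getent shadow returns "user:hash:lastchg:..."; field 2 must equal what we sent.
    - name: fail if the on-box hash differs from the one rendered by the play
      assert:
        that: shadow_entry.stdout.split(':')[1] == password_hashed
        fail_msg: "password was not applied as expected for {{ user }}"
```

If the assert fails, the value Ansible rendered and the value in /etc/shadow differ, which is exactly the case the question describes; if it passes but a login still fails, the problem is outside the user module (PAM, SSH configuration, or the shell), not the vault variable.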