
Considering the following Ansible hosts file:

[webservers]        
server1.example.com ansible_ssh_pass=1234567
server2.example.com ansible_ssh_pass=2345678
server3.example.com ansible_ssh_pass=3456789

I would like to include these password values from a vault file and have a hosts file like (my intention is to have an ini inventory format):

[webservers]        
server1.example.com ansible_ssh_pass={{ ssh_pass }}
server2.example.com ansible_ssh_pass={{ ssh_pass }}
server3.example.com ansible_ssh_pass={{ ssh_pass }}

where the ssh_pass variable comes from vaulted files defined in the host_vars folder.

The relevant ansible folder structure looks like this:

playbook.yml
inventories/
  atlanta/
    group_vars/
    hosts
    host_vars/
      server1.example.com
      server2.example.com
      server3.example.com

But ansible is complaining:

[WARNING]:  * Failed to parse /root/hsm-ansible-deploy/inventories/atlanta/hosts with ini plugin: /root/hsm-ansible-deploy/inventories/atlanta/hosts:18: Expected key=value host variable assignment, got: ssh_pass
  • Why do I get the error?
  • How can I import passwords into the hosts file?
Gabriel Petrovay
  • This is a typo. Space character is a separator. Use quotes or delete spaces. Listed questions are irrelevant. – techraf Jun 21 '18 at 17:22
  • Thanks! Indeed a syntax error. Also I found another solution where the `ansible_ssh_pass: "{{ ssh_pass }}"` can actually be defined in `group_vars`; then the `hosts` file is even cleaner. – Gabriel Petrovay Jun 21 '18 at 17:31
  • OK, I rephrased the questions and gave an answer based on your indication and my findings. Thanks! – Gabriel Petrovay Jun 21 '18 at 17:40

1 Answer


As indicated by @techraf this is only a syntax issue. The correct way of writing the ini hosts file is:

[webservers]        
server1.example.com ansible_ssh_pass="{{ ssh_pass }}"
server2.example.com ansible_ssh_pass="{{ ssh_pass }}"
server3.example.com ansible_ssh_pass="{{ ssh_pass }}"

But I also found a more elegant solution where the hosts file is even more elegant, by not providing the ansible_ssh_pass variable at all in hosts:

[webservers]        
server1.example.com
server2.example.com
server3.example.com

and using the group_vars/all to define this variable there:

---
ansible_ssh_pass: "{{ vault_ansible_ssh_pass }}"

where vault_ansible_ssh_pass is defined in each host's vaulted secrets file, like host_vars/server1.example.com:

---
vault_ansible_ssh_pass: "my secret password"

and then these files are encrypted using ansible-vault:

ansible-vault encrypt inventories/atlanta/host_vars/server*/vault --vault-password-file ~/.vault_pass.txt

where ~/.vault_pass.txt contains the Ansible Vault password in clear text.

Gabriel Petrovay
  • Why not have the variable in each `host_vars` file simply called `ansible_ssh_pass`? This way even the group var would be unnecessary. – Michele Palmia Jan 24 '20 at 08:38
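
An added example, not part of the original answer or of Ansible's own code: a small Python lint for an ini inventory that reports the unquoted-template parse error from the question and flags connection passwords left in plaintext. It assumes host lines are split on whitespace with shell-style quoting (space is a separator, as the comment on the question notes), which Python's shlex approximates; `lint_inventory`, `SECRET_KEYS` and `SAMPLE` are names made up here.

```python
import shlex

# Connection variables that should hold a vault-backed template, not a literal.
SECRET_KEYS = {"ansible_ssh_pass", "ansible_password", "ansible_become_pass"}

# Constructed sample: the three forms that appear in the question and answer.
SAMPLE = """\
[webservers]
server1.example.com ansible_ssh_pass=1234567
server2.example.com ansible_ssh_pass={{ ssh_pass }}
server3.example.com ansible_ssh_pass="{{ ssh_pass }}"
"""


def lint_inventory(text):
    """Return (line_no, problem) tuples for host lines of an ini inventory."""
    findings = []
    section = ""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section.endswith((":vars", ":children")):
            continue  # only host lines are checked in this example
        try:
            _host, *pairs = shlex.split(line)
        except ValueError as exc:  # e.g. an unbalanced quote
            findings.append((no, f"cannot tokenize line: {exc}"))
            continue
        # Unquoted "{{ ssh_pass }}" splits into "...={{", "ssh_pass", "}}".
        bad = [tok for tok in pairs if "=" not in tok]
        if bad:
            findings.append(
                (no, f"Expected key=value host variable assignment, got: {bad[0]}"))
            continue
        for tok in pairs:
            key, _, value = tok.partition("=")
            templated = value.startswith("{{") and value.endswith("}}")
            if key in SECRET_KEYS and not templated:
                findings.append((no, f"plaintext secret in {key}"))
    return findings


if __name__ == "__main__":
    for line_no, problem in lint_inventory(SAMPLE):
        print(f"line {line_no}: {problem}")
```
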