
In Ansible I have a need to execute a set of tasks and obtain the passwords from a third party (this part was handled) and then use those SSH credentials to connect.

The problem is that, when I do this, the best way to loop through my inventory seems to be to include a list of tasks, which is fine. The major problem is that I can only get this to work if I set hosts in my main.yml playbook to localhost (or set it to the name of the server group and specify connection: local). This makes the command module execute locally, which defeats the purpose.

I have tried looking into the SSH module, but it looks like it is not registering to give me a no_action detected. I am aware I am likely overlooking something glaring.

I will be posting closer to exact code later, but what I have now is:

main.yml
---
- hosts: localhost

  tasks:
    - name: subplay
      include: secondary.yml
      vars:
        user: myUser
        address: "{{ hostvars[item].address }}"
      with_items: "{{ groups['mygroup'] }}"


secondary.yml
---
- name: fetch password
  [...fetchMyPassword, it works]
  register: password

- name: 
  [...Need to connect with fetched user for this task and this task only..]
  command: /my/local/usr/task.sh

I am wanting to connect and execute the script there but it seems no matter what I try it either fails to execute at all or executes locally.

Additionally, I might note I checked out https://docs.ansible.com/ansible/latest/plugins/connection/paramiko_ssh.html and https://docs.ansible.com/ansible/latest/plugins/connection/ssh.html but must be doing something wrong.

shwm19
  • And can you connect with same user, but change the user after connecting? You could go with `echo password | sudo -u user -S tanks.h`. If not, I think you would have to go with a special separate playbook and dynamically generate credentials on the host with the password and then start locally another ansible instance after creating the credentials from this ansible playbook. – KamilCuk Jun 16 '19 at 23:15
  • I'm not sure I fully understand this portion: "And can you connect with same user, but change the user after connecting?" The major issue I have now is just trying to instantiate a connection. I could write it to dynamically generate a credential file, I suppose. So you're saying make an SSH credential file, and then read the file after creation with a second playbook? https://docs.ansible.com/ansible-tower/latest/html/userguide/credential_types.html – shwm19 Jun 17 '19 at 01:08
  • Och, so the third party is not on the same host that you are trying to connect to? So there is no initial connection whatsoever with the host? That complicates things. You linked ansible tower, never used it. I say, the only solution I see is, in the next job, create on the local host the ansible inventory with `ansible_password` set to the fetched password. Then with the next job, start another ansible instance, with a simple playbook with only `task.sh`, that uses the inventory created in the previous job to connect with the remote host. – KamilCuk Jun 17 '19 at 08:41
  • But [this looks promising](https://stackoverflow.com/questions/29003420/reload-ansibles-dynamic-inventory). With it, you could write a new inventory with one job with the password and the host. Then refresh the inventory. Then connect normally. – KamilCuk Jun 17 '19 at 08:42

1 Answer


It looks to me like only your fetch task needs to be delegated to localhost, and the rest run on my_group. When you have all your connection info, set up the connection with set_fact by setting values for ansible_{user, ssh_pass, password}. Try this:

main.yml
---
- hosts: mygroup # inventory_hostname will loop through all your hosts in my_group
  tasks:
    - name: subplay
      include: secondary.yml
      vars:
        user: myUser
        address: "{{ hostvars[inventory_hostname].address }}"

secondary.yml
---

- name: fetch password
  [...fetchMyPassword, it works]
  delegate_to: localhost # this task is only run on localhost
  register: password

- set_fact: # use registered password and vars to setup connection
    ansible_user: "{{ user}}"
    ansible_ssh_pass: "{{ password }}"
    ansible_host: "{{ address }}"


- name: Launch task # this task is run on each hosts of my_group
  [...Need to connect with fetched user for this task and this task only..]
  command: /my/local/usr/task.sh

launch this with

ansible-playbook main.yml

Try to write a role with your secondary.yml, and a playbook with your main.yml.

tassinp
  • Had to make a change. Namely set gather_facts: no but with that edit it worked. – shwm19 Jun 18 '19 at 13:47
  • you're right, before having correct login/pass, you can't gather facts from host, because module gather_facts can't log into hosts. – tassinp Jun 20 '19 at 08:13
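Putting the answer and the follow-up comment together, here is a single self-contained playbook (an added example, not the asker's or answerer's code) that fetches the password on the controller, sets the connection facts for the current host only, and then runs the script over SSH. It assumes `mygroup` is an inventory group whose hosts carry an `address` host var, and that a hypothetical helper `/usr/local/bin/fetch-password` prints the password to stdout.

```yaml
---
# Added example: fetch a per-host password on the controller, then connect with it.
# Assumptions: group "mygroup" exists, each host has an "address" var, and the
# hypothetical helper /usr/local/bin/fetch-password prints the password to stdout.
- hosts: mygroup
  gather_facts: no            # cannot gather facts before the login facts exist (see comment above)
  tasks:
    - name: Fetch the password for this host on the controller
      command: /usr/local/bin/fetch-password --host "{{ inventory_hostname }}"
      delegate_to: localhost  # runs on the controller, once per host in mygroup
      register: password
      changed_when: false     # a lookup never changes state
      no_log: true            # keep the secret out of stdout and the ansible log

    - name: Set connection facts for this host only
      set_fact:
        ansible_user: myUser
        ansible_ssh_pass: "{{ password.stdout | trim }}"
        ansible_host: "{{ hostvars[inventory_hostname].address }}"
      no_log: true            # set_fact would otherwise echo the password in verbose runs

    - name: Gather facts now that the host is reachable
      setup:

    - name: Run the script on the remote host
      command: /my/local/usr/task.sh
```

Password authentication through the default ssh connection plugin requires `sshpass` on the controller; without it the play fails at the first remote task rather than silently running locally.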