In order to connect to a Windows host I will need to pass the credentials in an inventory file. Here's my inventory file:

[windows]
100.100.100.100

[windows:vars]
ansible_user=Adminuser
ansible_password="Mypassword"
ansible_port=5986
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore

Ansible documentation says that the credentials should be encrypted with ansible-vault. Can I use a variable file that's been encrypted using ansible-vault in my inventory file? And if so, how do I pass my ansible-vault credentials to my inventory file? I will also be using credentials in my playbook like this:

- hosts: windows
  gather_facts: no

  vars_files:
  - vars.yml

  tasks:
  - win_domain_membership:
      dns_domain_name: my.domain.com
      hostname: ansible-host
      domain_admin_user: "{{ admin_user }}"
      domain_admin_password: "{{ passwd }}"
      domain_ou_path: "OU=Windows,OU=Servers,DC=ansible,DC=com"
      state: domain
    register: domain_state

I will then use ansible-vault to encrypt my variable file for this playbook.

---
admin_user: myusername@my.domain.com
passwd: mypassword

And then pass my ansible-vault credentials to my playbook at the command line:

$ ansible-playbook myplaybook.yml --ask-vault-pass

Is it possible to store both the variable file used in my inventory and the variable file used in my playbook in the same ansible-vault? That way I can pass the ansible-vault credentials for both files at the command line?

ring0

1 Answer

The ansible-vault command encrypts a single file. Ansible decrypts this at runtime and interprets it the same way it would if the file had been unencrypted (so you can't "store both the variable file used in my inventory and the variable file used in my playbook in the same ansible-vault" because those are two different files).

I would just remove the variable from your inventory, leaving it like this:

[windows]
100.100.100.100

And then create group_vars/windows.yml as a vaulted file with the following content (ansible-vault create group_vars/windows.yml):

ansible_user: Adminuser
ansible_password: "Mypassword"
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore

Ansible will automatically apply the variables in group_vars/windows.yml when you have a play that targets the windows group.

larsks
  • Thanks for your response. If I encrypt the group_vars/windows.yml file using ansible-vault then how should I handle the credentials in the playbook? Do I create a separate ansible-vault for those credentials? How could I pass the credentials to the vault at the command line? – ring0 Apr 19 '21 at 22:55
  • I think [the documentation](https://docs.ansible.com/ansible/latest/user_guide/vault.html) has a lot of good information on this topic. You can configure the vault password on the command line, or in a config file, or have ansible call a command to get the vault password. W/r/t "Do I create a separate ansible-vault for those credentials?", there's no single best answer. Manage things the way that seems best to you. I like to separate out credentials that need to be vault-encrypted from other data, but other people do things differently. – larsks Apr 20 '21 at 00:32
  • Thanks for pointing me in this direction. The documentation does show how you can pass multiple passwords to more than one ansible vault when running a playbook from the command line. This is exactly what I was looking for. – ring0 Apr 20 '21 at 01:19
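As an added example (not part of the original question or answer, and not Ansible's own code), the following Python script ties together the answer's advice (keep credentials out of the inventory and in a vaulted group_vars file) and the point from the comments (several vaulted files may need several vault passwords). It walks a constructed set of project files, flags secret-like keys that are still in plaintext, recognises files that ansible-vault has encrypted, and derives the `--vault-id` arguments needed to decrypt them all in one `ansible-playbook` run. The `audit`, `vault_info`, `plaintext_secrets` and `vault_id_args` helpers are hypothetical names of this example; the `$ANSIBLE_VAULT;1.1;AES256` and `$ANSIBLE_VAULT;1.2;AES256;<label>` header formats and the `--vault-id label@prompt` syntax are Ansible's real ones; the sample files are constructed and their ciphertext bodies are placeholders, not real vault output.

```python
"""Audit an Ansible project for credentials that are not vault-protected.

Hypothetical helper written for this answer (it is not part of Ansible):
it flags secret-like keys left in plaintext in inventory or vars files and,
for files that ansible-vault has encrypted, reports the vault format version
and the vault-id label so you know which --vault-id arguments to pass.
"""
import re
from typing import Dict, List, Optional, Tuple

# Header shapes that ansible-vault writes on the first line of an encrypted file:
#   $ANSIBLE_VAULT;1.1;AES256            single password, no label
#   $ANSIBLE_VAULT;1.2;AES256;<label>    created with --vault-id <label>@...
VAULT_HEADER = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<ver>1\.[12]);AES256(?:;(?P<label>\S+))?$"
)

# Key suffixes that should never carry a plaintext value in inventory/vars files.
SECRET_SUFFIXES = ("password", "passwd", "secret", "token")

# Matches INI-inventory `key=value` as well as YAML `key: value` lines.
KV_LINE = re.compile(r"^\s*(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*(?P<val>\S.*)$")


def vault_info(text: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (format_version, label) for a vault-encrypted file, else None."""
    first_line = text.splitlines()[0].strip() if text.strip() else ""
    m = VAULT_HEADER.match(first_line)
    if m is None:
        return None
    return m.group("ver"), m.group("label")


def plaintext_secrets(text: str) -> List[str]:
    """Return secret-like keys that appear with a plaintext value."""
    found = []
    for line in text.splitlines():
        m = KV_LINE.match(line)
        if m is None:
            continue
        key = m.group("key")
        lowered = key.lower()
        if not any(lowered == s or lowered.endswith("_" + s) for s in SECRET_SUFFIXES):
            continue
        # `key: !vault |` marks an inline-encrypted value, which is fine.
        if m.group("val").startswith("!vault"):
            continue
        found.append(key)
    return found


def audit(files: Dict[str, str]) -> Dict[str, object]:
    """Classify each file as vaulted (with its label) or scan it for plaintext secrets."""
    findings: List[Tuple[str, str]] = []
    vaulted: Dict[str, Tuple[str, Optional[str]]] = {}
    for path, text in files.items():
        info = vault_info(text)
        if info is not None:
            vaulted[path] = info
            continue
        for key in plaintext_secrets(text):
            findings.append((path, key))
    return {"findings": findings, "vaulted": vaulted}


def vault_id_args(files: Dict[str, str]) -> List[str]:
    """Build the --vault-id arguments needed to decrypt every vaulted file at run time."""
    labels = {info[1] for info in audit(files)["vaulted"].values()}
    args: List[str] = []
    # Unlabelled (1.1) files use the default id `@prompt`; labelled ones use `label@prompt`.
    for label in sorted(labels, key=lambda l: (l is not None, l or "")):
        args += ["--vault-id", f"{label or ''}@prompt"]
    return args


# Constructed sample project: the question's original inventory with a plaintext
# password, plus two vaulted files. The hex bodies are placeholders, not real ciphertext.
SAMPLE_FILES = {
    "inventory.ini": (
        "[windows]\n100.100.100.100\n\n[windows:vars]\n"
        "ansible_user=Adminuser\nansible_password=\"Mypassword\"\n"
        "ansible_port=5986\nansible_connection=winrm\n"
    ),
    "group_vars/windows.yml": "$ANSIBLE_VAULT;1.2;AES256;winrm\n3030303030303030\n",
    "vars.yml": "$ANSIBLE_VAULT;1.1;AES256\n3131313131313131\n",
}

if __name__ == "__main__":
    report = audit(SAMPLE_FILES)
    for path, key in report["findings"]:
        print(f"PLAINTEXT SECRET: {path}: {key}")
    for path, (ver, label) in report["vaulted"].items():
        print(f"vaulted ({ver}, id={label or 'default'}): {path}")
    print("ansible-playbook myplaybook.yml", " ".join(vault_id_args(SAMPLE_FILES)))
```

Run as a pre-commit or CI check, the script reports the plaintext `ansible_password` in the inventory and prints the `ansible-playbook` invocation with one `--vault-id` per distinct label, which is the multiple-password form the documentation describes; a file encrypted without a label (format 1.1) is covered by the default `@prompt` id.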