ANSIBLE INVENTORY, THE GOOD, THE BAD AND THE UGLY

Written By Rafal Kozlowski

DEALING WITH CREDENTIALS IN ANSIBLE INVENTORY IS PRETTY SIMPLE, AND STILL NOT SO POPULAR TO MAKE IT GOOD

LET’S EXPLORE 3 SIMPLE SCENARIOS.

THE BAD - PLAIN TEXT

We start with installing Ansible on your Local Host (LH).

Ansible is using SSH to connect with the Remote Host (RH), so we need to have a way to specify which user, password, or private key Ansible needs to use. We can specify it directly in the inventory file as plain text or use the secrets vault.

We need to create an inventory file. A configuration file specifies machines MNs we want to connect to and work with.

  project_dir/
  ├─ inventory.yaml

 inventory.yaml 
docker-nodes:
  hosts:
    docker-node1.local:
      ansible_user: provisioner
      ansible_password: topsecret

To check if everything is ok, we will create a simple playbook that will connect to the RH and confirm that the user exists:

  project_dir/
  ├─ inventory.yaml
  ├─ provision-playbook.yaml
 provision-playbook.yaml 
- name: Provision Docker Node
  hosts:
    - docker-node1.lab
  tasks:
    - name: Check if host is configured correctly
      ansible.builtin.ping:

And let’s run it by calling the command in the terminal

$ ansible-playbook -i inventory.yaml provision-playbook.yaml

Encrypting credentials - the ugly

We all know using plain text credentials in the source code is very insecure. It is much better to use a vault to keep sensitive data encrypted and fetch it when needed. So let’s do it now.

Let’s move the variables from the inventory host definition to a separate file and we need to create a separate file, that will hold the password used by Ansible Vault to encrypt and decrypt the variables.

  project_dir/
  ├─ vault /
  │  ├─ vars.yaml
  │  ├─ vault_password
  ├─ inventory.yaml
  ├─ provision-playbook.yaml

 vault/vars.yaml 
ansible_user: provisioner
ansible_password: topsecret
 vault/vault_password 
secretvaultpassword

And let’s encrypt these vars with Ansible Vault

$ ansible-vault encrypt \
    --vault-password-file vault/vault_password \
    --output vault/vars_encrypted \
    vault/vars.yaml

Now we should have a file with encrypted values that we can use in our playbook. Remember not to add vars.yaml or vault_password to the GIT.

  project_dir/
  ├─ vault /
  │  ├─ vars.yaml
  │  ├─ vars_encrypted
  │  ├─ vault_password
  ├─ inventory.yaml
  ├─ provision-playbook.yaml

 vault/vars_encrypted 
$ANSIBLE_VAULT;1.1;AES256
38396565343839313366386265646332346535643833343361323565383731633638363635383535
3731356138643939316532396131323436336336366133380a666336663139333363393139373764
65653666653763653730636430303439393530376564396430386663343461616238653434636462
6337336138363165340a366134663661313463646264383036353863346431636330623665333035
62376434386361373162313762656236383533636338373564393931363162633434303031666135
65393931323539383231376464613534353537323437373764343730383061636637336138646162
363265343032383361306362303663633136

Let’s modify the command and see if it still works

$ ansible-playbook \
    -i inventory.yaml \
    --vault-password-file vault/vault_password \
    -e @vault/vars_encrypted \
    provision-playbook.yaml

And we can see that the playbook is still working fine

Using Ansible with 1Password - the good

If you liked this content and see it useful, help us create more articles and tutorials like this one by becoming a Patreon or by buying us a coffee.

Buy Me A Coffee

My favorite way to store Ansible secrets is to use a third-party password manager. I recommend 1Password as it has attractive pricing and professional tools, and, until now, it has no data breaches.

Before we continue, make sure you have 1Password App and 1Password CLI installed

We start by creating a new 1Password resource as follows:

  • type SSH Key

  • vault name: Ops

  • name SSH provisioner

  • field username with value provisioner

  • field password with value topsecret

If you haven’t done this yet, now is the time to connect your 1Password CLI tool to your account with the command:

$ op signin

After confirming the sign-in intention with a password or fingerprint, we can use 1Password secrets in the playbook.

Let’s modify the inventory file

  project_dir/
  ├─ inventory.yaml
  ├─ provision-playbook.yaml

 inventory.yaml 
docker-nodes:
  hosts:
    docker-node1.local:
      ansible_user: "{{ lookup('community.general.onepassword', 'SSH provisioner', field='username', vault='Ops') }}"
      ansible_password: "{{ lookup('community.general.onepassword', 'SSH provisioner', field='password', vault='Ops') }}"

And that’s it! We can use the Ansible playbook without many additional parameters.

$ ansible-playbook \
    -i inventory.yaml \
    provision-playbook.yaml

All we need is to unlock the 1Password vault on the playbook launch and it works. Simple, clean and secure solution.

Rafal Kozlowski

From OutOfBoxLab

If you liked this content and see it helpful, help us create more articles and tutorials by becoming a Patreon or buying us a coffee.

Have a great day!

Buy Me A Coffee
Rafal Kozlowski
Next

Installing Ansible on MacOS