Correction:
This was an error where I was trying too many things and did not re-test
with all the correct variables set.
This does work.
A co-worker pointed out that I should dump the password out as a variable, and I saw it was
being read in wrong because I had changed it several times to test things.
############
On Tuesday, February 9, 2021 at 9:00:34 AM UTC-5 Jeremey Wise wrote:
>
> Still learning Ansible... but I think this is a feature request / maybe a
> bug?
>
> Hoping there is a workaround.
>
> Goal: Create a user on CentOS host with membership of wheel group, ssh
> key and use a provided password but NOT store password in plain text within
> ansible.
>
> I am using vault where I encrypt a password and save it in my global
> variables file
>
> Ex: in /group_vars/all.yml, from
> ansible-vault encrypt_string 'Password' --name 'vault_cluster_ssh_password'
>
> # Add the above output to all.yml, and above it I also add a line to create a
> # usable variable for the username
> vault_cluster_ssh: cluster   # Account used for inter-node cluster tasks
> vault_cluster_ssh_password: !vault |
>           $ANSIBLE_VAULT;1.1;AES256
>           643939363138613738326434363632366636393131666432323134336332623463393061643730323461386536636<snip>6363234
>
>
> Now.. I want to use that in a playbook
>
>
> - name: Add the user 'cluster' with a bash shell, appending the group 'wheel'
>         and generate ssh key for hosts "{{ target_hosts }}"
>   user:
>     name: '{{ vault_cluster_ssh }}'
>     shell: /bin/bash
>     groups: wheel
>     state: present
>     generate_ssh_key: yes
>     ssh_key_bits: 2048
>     ssh_key_file: .ssh/id_rsa
>     createhome: no
>     password: "{{ vault_cluster_ssh_password | string | password_hash('sha512') }}"
>     # password: '{{ Password | string | password_hash('sha512') }}'
>
> The commented line works .. but the use of the variable does not. All
> examples I have found still use clear-text passwords to create users, which
> is not allowed and bad form.
> What I don't get is why they are shoving the output directly into
> '/etc/shadow' if you call to create a user... so you have to use the
> password_hash component. Why would the user add module not just take
> your "password variable" as an input parameter and use the OS "passwd" binary... why
> is it shoving things directly into files with a manual hash? There may be a
> reason, but this then creates the above issue where I cannot call the input as a
> variable that leverages the standard vault call.
>
> Hoping there is a better way to do this / a workaround someone has.
>
>
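For reference, here is a complete playbook that consumes the vaulted password the way the thread describes, with the checks a reviewer would want around it. This is an added example, not code from the original post: the variable names `vault_cluster_ssh` and `vault_cluster_ssh_password` come from the post, while `vault_cluster_ssh_salt` (a second vaulted value used as a fixed crypt salt) and the `target_hosts` group are assumptions.

```yaml
# Added example (not from the original post). Assumes group_vars/all.yml holds
# vault_cluster_ssh, vault_cluster_ssh_password (a !vault string) and an assumed
# extra vaulted value vault_cluster_ssh_salt (up to 16 chars of [A-Za-z0-9./]).
- name: Create the inter-node cluster account from vaulted credentials
  hosts: "{{ target_hosts }}"
  become: true

  tasks:
    - name: Fail early if the vault variable did not decrypt to a usable string
      ansible.builtin.assert:
        that:
          - vault_cluster_ssh_password is string
          - vault_cluster_ssh_password | length > 0
        quiet: true
      no_log: true   # keep the plaintext out of the play output and callback logs

    - name: Add the user with a sha512-crypt hash; the plaintext never reaches the host
      ansible.builtin.user:
        name: "{{ vault_cluster_ssh }}"
        shell: /bin/bash
        groups: wheel
        append: true          # add to wheel without dropping existing supplementary groups
        state: present
        create_home: true     # the generated key is written under the home directory
        generate_ssh_key: true
        ssh_key_bits: 2048
        ssh_key_file: .ssh/id_rsa
        # A fixed salt keeps the hash identical across runs, so the task stays
        # idempotent instead of reporting "changed" every time (assumed variable).
        password: "{{ vault_cluster_ssh_password | string | password_hash('sha512', vault_cluster_ssh_salt) }}"
      no_log: true

    - name: Read the stored shadow entry for verification (output suppressed)
      ansible.builtin.getent:
        database: shadow
        key: "{{ vault_cluster_ssh }}"
      no_log: true

    - name: Confirm the account carries a sha512-crypt ($6$) hash rather than a locked or empty field
      ansible.builtin.assert:
        that:
          - ansible_facts.getent_shadow[vault_cluster_ssh][0] is match('^\$6\$')
        fail_msg: "Password field for {{ vault_cluster_ssh }} is not a sha512-crypt hash"
        quiet: true
```

Two points worth noting: without `append: true` the `groups: wheel` line replaces every supplementary group the account already has, and without a fixed salt `password_hash('sha512')` picks a fresh random salt on each run, so the `user` task reports a change (and rewrites the shadow entry) on every play even though nothing meaningful changed.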
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/2a0c1819-f4ba-4231-a552-2bdd27d866f9n%40googlegroups.com.