Hi,

We have a couple of hundred Windows hosts, with each host having different 
credentials (both login and password), which are stored in an on-premise, 
in-house developed "vault" system.
A dream scenario would be to install win32-openssh on all of them, and use 
ssh key authentication :) however until there's MSI(X) support for 
win32-openssh and/or it goes out of beta, this is not an option.

We have an API to access our vault, which returns the 
hostname/username/password for the host.
As a workaround now, I've written a simple wrapper for ansible-playbook 
which works, but the disadvantage is that each host is a new playbook run.
I'm looking for a solution to run a playbook, and where ansible polls the 
hostname/username/password for each alias in the ansible inventory.
Tried looking to patch the winrm.py connection plugin, but this didn't 
work, and I think it would poll for each task that's executed by the winrm 
plugin instead of only once?

Solution I'm using now:

ansible hosts file:

[windows]
L001
L002
L003

ansible-playbook wrapper:

#!/bin/bash
# Abort on the first failed command (e.g. a vault lookup error) instead of
# continuing with empty credentials
set -euo pipefail

CONNECTION="ansible_connection=winrm ansible_port=5985 ansible_winrm_transport=credssp"

# Read the inventory line by line, skipping blank lines and group headers like [windows]
while IFS= read -r host; do
  case "$host" in ''|\[*) continue ;; esac

  # The vault returns one record per tag: host;login;domain;password
  SECRET=$(/opt/scripts/vault-functions/bin/console app:get-admin-credential --tag="$host")
  HOST=$(echo "$SECRET" | cut -d ';' -f1)
  LOGIN=$(echo "$SECRET" | cut -d ';' -f2)
  DOMAIN=$(echo "$SECRET" | cut -d ';' -f3)
  # PWD is the shell's own working-directory variable, so use a different name;
  # -f4- keeps a password that itself contains ';' intact
  PASS=$(echo "$SECRET" | cut -d ';' -f4-)

  if [ -z "$DOMAIN" ]; then
    WINUSER="$LOGIN"
  else
    WINUSER="$LOGIN@$DOMAIN"
  fi

  # --limit restricts the run to the alias whose credentials were just fetched.
  # Note that -e puts the password on the command line, where it is visible in ps output.
  ansible-playbook -i ~/.ansible/hosts ~/.ansible/windows.yml --limit "$host" \
    -e "ansible_host=$HOST ansible_user=$WINUSER ansible_password=$PASS $CONNECTION"
done < ~/.ansible/hosts

This works, but as stated before this runs an ansible-playbook for each 
host.
Could someone point me in the right direction on how to be able to run an 
ansible-playbook, upon which ansible does a lookup of the 
ansible_hostname/ansible_user/ansible_password during the connection phase 
to the host?

Important detail: once a secret is requested from our vault, the password 
will be reset within a couple of hours. So it's not possible for us to 
build a static (encrypted) inventory.
Building a dynamic inventory is also not desired, because of the large 
amount of hosts and the time it takes to request the credentials, this 
would take too long and by the time it's finished, it's possible the 
credentials of the first hosts have already been reset.

So I'm looking for something that can pull data ad-hoc upon the ansible 
connection, like the wrapper above does, but whilst staying in 1 playbook 
run ... tips are much appreciated!

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/8c5c38f6-1d1a-4e80-a4f7-116e1e00d1c6%40googlegroups.com.
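As an added example, not part of the original post: one way to stay inside a single playbook run is to let each host fetch its own vault record on the controller with a `pipe` lookup inside `set_fact`, so `ansible_host`/`ansible_user`/`ansible_password` are resolved once per host and cached as facts for every later task, rather than re-polled by the connection plugin on each task. The vault command path and the `host;login;domain;password` record format come from the post; the `vault_cmd` variable, the `[windows:vars]` block and the `serial` batch size are assumptions.

```yaml
# Inventory (~/.ansible/hosts): connection settings move out of the wrapper into group vars
# [windows]
# L001
# L002
# L003
#
# [windows:vars]
# ansible_connection=winrm
# ansible_port=5985
# ansible_winrm_transport=credssp

# Playbook (~/.ansible/windows.yml)
- name: Resolve each host's credentials from the vault, then do the real work
  hosts: windows
  gather_facts: false          # no facts yet: there are no credentials to connect with
  serial: 25                   # assumed batch size: bounds how many secrets are pulled before use
  vars:
    vault_cmd: /opt/scripts/vault-functions/bin/console app:get-admin-credential
  tasks:
    - name: Pull this host's record on the controller (no WinRM connection is made here)
      ansible.builtin.set_fact:
        ansible_host: "{{ vault_record[0] }}"
        ansible_user: "{{ vault_record[1] ~ ('@' ~ vault_record[2] if vault_record[2] else '') }}"
        ansible_password: "{{ vault_record[3] }}"
      vars:
        # split(';', 3) keeps a password that itself contains ';' intact;
        # quote protects the shell from odd characters in the inventory alias
        vault_record: "{{ lookup('ansible.builtin.pipe', vault_cmd ~ ' --tag=' ~ (inventory_hostname | quote)).split(';', 3) }}"
      delegate_to: localhost
      no_log: true               # keep the password out of -v output and logs

    - name: First task on the Windows host; the connection uses the facts set above
      ansible.builtin.setup:

    - name: Example work on the host
      ansible.windows.win_ping:
```

With the default linear strategy the `set_fact` task finishes for every host in the current batch before the first WinRM connection opens, so `serial` is what bounds the time between fetching a secret and using it; the lookup itself runs exactly once per host per play. Facts set this way take precedence over inventory variables, so an `ansible_host` or `ansible_user` defined in the inventory is replaced for the rest of the run.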