Hi, We have a couple of hundred Windows hosts, with each host having different credentials (both login and password), which are stored in an on-premise, in-house developed "vault" system. A dream scenario would be to install win32-openssh on all of them, and use ssh key authentication :) however until there's MSI(X) support for win32-openssh and/or it goes out of beta, this is not an option.
We have an API to access our vault, which returns the hostname/username/password for the host. As a workaround now, I've written a simple wrapper for ansible-playbook which works, but the disadvantage is that each host is a new playbook run. I'm looking for a solution to run a playbook, and where ansible polls the hostname/username/password for each alias in the ansible inventory. Tried looking to patch the winrm.py connection plugin, but this didn't work, and I think it would poll for each task that's executed by the winrm plugin instead of only once? Solution I'm using now: ansible hosts file: [windows] L001 L002 L003 ansible-playbook wrapper: #!/bin/bash CONNECTION="ansible_connection=winrm ansible_port=5985 ansible_winrm_transport=credssp" for host in `cat ~/.ansible/hosts` do SECRET=`/opt/scripts/vault-functions/bin/console app:get-admin-credential --tag=$host` HOST=`echo $SECRET | cut -d ';' -f1` LOGIN=`echo $SECRET | cut -d ';' -f2` DOMAIN=`echo $SECRET | cut -d ';' -f3` PWD=`echo $SECRET | cut -d ';' -f4` if [ -z "$DOMAIN" ]; then ansible-playbook -i ~/.ansible/hosts ~/.ansible/windows.yml -e "ansible_host=$HOST ansible_user=$LOGIN ansible_password=$PWD $CONNECTION" else ansible-playbook -i ~/.ansible/hosts ~/.ansible/windows.yml -e "ansible_host=$HOST ansible_user=$LOGIN@$DOMAIN ansible_password=$PWD $CONNECTION" fi done This works, but as stated before this runs an ansible-playbook for each host. Could someone point me in the right direction on how to be able to run an ansible-playbook, upon which ansible does a lookup of the ansible_hostname/ansible_user/ansible-password during the connection phase to the host? Important detail, once a secret is requested from our vault, the password will be reset within a couple of hours. So it's not possible for us to build a static (encrypted) inventory. Building a dynamic inventory is also not desired, because of the large amount of hosts and the time it takes to request the credentials, this would take too long and by the time it's finished, it's possible the credentials of the first hosts have already been reset. So I'm looking for something that can pull data ad-hoc upon the ansible connection, like the wrapper above does, but whilst staying in 1 playbook run ... tips are much appreciated! -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/8c5c38f6-1d1a-4e80-a4f7-116e1e00d1c6%40googlegroups.com.