Skip to main content

mmoya's blog

Looking up encrypted passwords in ansible

Ansible 1.2 is out of the door. Go and check the changelog to see how many new features and fixes this version brings, my favorites being the new {{ }} syntax for variable substitution and support for roles. This version also includes a patch I submitted for adding encryption support to password lookup plugin.

In case you weren’t aware, ansible 1.1 gained support for generating random passwords as a lookup plugin. A useful trick that allowed to generate a random password in any point of a playbook without losing idempotence. An example of its use (taken from official docs):

- hosts: all
    # create a mysql user with a random password
    - mysql_user: name={{ client }}
                  password="{{ lookup('password', 'credentials/' + client + '/' + tier + '/' + role + '/mysqlpassword length=15') }}"
                  priv={{ client }}_{{ tier }}_{{ role }}.*:ALL

but there are some modules, most notably user, that expect an encrypted password. For such modules the password lookup was unusable because it always returned plaintext.

With ansible 1.2 you can pass the encrypt parameter to password lookup to get an encrypted password instead of a plain one. In this mode the salt will be save along the password itself to ensure the same hash is returned each time a lookup is requested. An example:

- hosts: all
    # create an user with a random password
    - user: name=guestuser
            password={{ item }}
      with_password: credentials/{{ hostname }}/userpassword encrypt=sha256_crypt

I expect the main use case for this feature is feeding user module for defining users. If this is the case, you should use one of the standard unix schemes of passlib.