Network Automation Engineer: Roger Perkin CCIE 50038

CCIE, Wireless, F5, Ansible, AWS, Cloud and data centre to Network Automation - my journey as a network engineer

Get Started
Home \ Network Automation \ Ansible \ Ansible Network Passwords in 2.3

Ansible Network Passwords in 2.3

In Ansible version 2.2 the network credentials were coded into the playbook which made for a bit of a security issue.

This meant anyone with access to the playbook had access to the user credentials.

In version 2.3 that issue has been resolved and all network credentials have been removed from the playbook.

Ansible network credentials in the Playbook

The simple way to add the credentials into an Ansible playbook was like this

 - name: SAVE AND BACKUP CONFIGS
 ntc_save_config:
 local_file={{ filename }}
 platform=cisco_ios_ssh
 host={{ ansible_hostname }}
 username=roger
 password=roger

The username and password were in clear view for anyone with access to see

The next security step was to use group_vars

Within the playbook you specified provider "{{ cli }}"
 tasks:
 - name: show interfaces
 ios_facts:
 gather_subset: "interfaces"
 provider: "{{ cli }}"

This was then referenced in a group_vars folder where in this case a file called ios.yaml contained the credentials.

ansible_device_os: ios

cli: 
 username: "roger" 
 password: "password123"
 host: "{{ inventory_hostname }}"
 transport: cli

In Ansible 2.3 you don’t need any of this and instead specify the username and password at the time of running the playbook.

I have upgraded my Ansible 2.2 to 2.3 so all the playbooks are currently coded using the above standards. I now get this error

[WARNING]: argument username has been deprecated and will be removed in a future version
[WARNING]: argument host has been deprecated and will be removed in a future version
[WARNING]: argument password has been deprecated and will be removed in a future version

So by removing all username and password information from the playbook you now run it with the following command

Ansible Playbook now looks like this

ansible playbook with no network credentials

Run the Playbook with the new command

ansible-playbook <playbook name> -u <username> -k 

This will prompt you to enter the SSH password

ansible network credentials 2.3

This means that the SSH password is no longer stored anywhere in Ansible

It does mean that you have to enter it each time you run the playbook though!

 

Want to learn more about Network Automation?

Network Automation skills are becoming a must for network engineers of the future. Get started and learn the skills you need for the future with my course on Ansible for Network Engineers Today!

Show me more about the network automation course

Reader Interactions

Leave a Reply

Your e-mail address will not be published. Required fields are marked *

Looking for Ansible Network Automation Training?


Learn how to install Ansible, write your first playbook and start automating your network today.


Network Automation Course

The Author

roger perkin ccie network automation engineer
Roger Perkin, (CCIE #50038) is a Senior Network & Security Consultant.
Currently working for Softcat plc.
Roger is an evangelist for Network Automation and is continuing to develop skills in Ansible and the Devops culture.
Contact

Most Visited Pages

Software Upgrade Guides
Wireless Console Cable
Network Automation Tools 
Bose Connect Windows 10
Private VLANs explained
Cisco ISE Overview

Ansible

Where are Ansible Modules stored
Ansible IOS Command Example
Ansile Backup Cisco Config
How to Install Ansible Tower
Ansible Network Automation Training
Resources

Home Office

Best Vertical Mouse
My Standing Desk
Folding Laptop Stand - Roost

Personal Development

How to Focus

Get Connected