Ansible Network Credentials in 2.3 - Rogers Networking Tutorials

In Ansible version 2.2 the network credentials were coded into the playbook which made for a bit of a security issue.

This meant anyone with access to the playbook had access to the user credentials.

In version 2.3 that issue has been resolved and all network credentials have been removed from the playbook.

Ansible network credentials in the Playbook

The simple way to add the credentials into an Ansible playbook was like this

 - name: SAVE AND BACKUP CONFIGS
 ntc_save_config:
 local_file={{ filename }}
 platform=cisco_ios_ssh
 host={{ ansible_hostname }}
 username=roger
 password=roger

- name: SAVE AND BACKUP CONFIGS

ntc_save_config:

local_file={{ filename }}

platform=cisco_ios_ssh

host={{ ansible_hostname }}

username=roger

password=roger

The username and password were in clear view for anyone with access to see

The next security step was to use group_vars

Within the playbook you specified provider "{{ cli }}"
 tasks:
 - name: show interfaces
 ios_facts:
 gather_subset: "interfaces"
 provider: "{{ cli }}"

Within the playbook you specified provider "{{ cli }}"

tasks:

- name: show interfaces

ios_facts:

gather_subset: "interfaces"

provider: "{{ cli }}"

This was then referenced in a group_vars folder where in this case a file called ios.yaml contained the credentials.

ansible_device_os: ios

cli: 
 username: "roger" 
 password: "password123"
 host: "{{ inventory_hostname }}"
 transport: cli

ansible_device_os: ios

cli:

username: "roger"

password: "password123"

host: "{{ inventory_hostname }}"

transport: cli

In Ansible 2.3 you don’t need any of this and instead specify the username and password at the time of running the playbook.

I have upgraded my Ansible 2.2 to 2.3 so all the playbooks are currently coded using the above standards. I now get this error

<span class="token punctuation">[</span>WARNING<span class="token punctuation">]</span><span class="token punctuation">:</span> argument username has been deprecated and will be removed in a future version
<span class="token punctuation">[</span>WARNING<span class="token punctuation">]</span><span class="token punctuation">:</span> argument host has been deprecated and will be removed in a future version
<span class="token punctuation">[</span>WARNING<span class="token punctuation">]</span><span class="token punctuation">:</span> argument password has been deprecated and will be removed in a future version

[WARNING]: argument username has been deprecated and will be removed in a future version

[WARNING]: argument host has been deprecated and will be removed in a future version

[WARNING]: argument password has been deprecated and will be removed in a future version

So by removing all username and password information from the playbook you now run it with the following command

Ansible Playbook now looks like this

Run the Playbook with the new command

ansible-playbook <playbook name> -u <username> -k

This will prompt you to enter the SSH password

This means that the SSH password is no longer stored anywhere in Ansible

It does mean that you have to enter it each time you run the playbook though!

Ansible Network Passwords in 2.3

Ansible network credentials in the Playbook

Ansible Playbook now looks like this

Run the Playbook with the new command

Want to learn more about Network Automation?

Leave a Reply Cancel reply

The Author

Most Visited Pages

Ansible

Home Office

Ansible network credentials in the Playbook

Ansible Playbook now looks like this

Run the Playbook with the new command

Want to learn more about Network Automation?

Reader Interactions

Related

Leave a Reply Cancel reply

The Author

Most Visited Pages

Ansible

Home Office

Get Connected