In Ansible version 2.2 the network credentials were coded into the playbook, which made for a bit of a security issue.
This meant anyone with access to the playbook had access to the user credentials.
In version 2.3 that issue has been resolved and all network credentials have been removed from the playbook.
Ansible network credentials in the Playbook
The simple way to add the credentials into an Ansible playbook was like this:

    - name: SAVE AND BACKUP CONFIGS
      ntc_save_config:
        local_file={{ filename }}
        platform=cisco_ios_ssh
        host={{ ansible_hostname }}
        username=roger
        password=roger

The username and password were in clear view for anyone with access to see.
The next security step was to use group_vars.
Within the playbook you specified provider "{{ cli }}":

    tasks:
      - name: show interfaces
        ios_facts:
          gather_subset: "interfaces"
          provider: "{{ cli }}"

This was then referenced in a group_vars folder where, in this case, a file called ios.yaml contained the credentials:

    ansible_device_os: ios
    cli:
      username: "roger"
      password: "password123"
      host: "{{ inventory_hostname }}"
      transport: cli

In Ansible 2.3 you don’t need any of this and instead specify the username and password at the time of running the playbook.
I have upgraded my Ansible 2.2 to 2.3 so all the playbooks are currently coded using the above standards. I now get this error
[WARNING]: argument username has been deprecated and will be removed in a future version
[WARNING]: argument host has been deprecated and will be removed in a future version
[WARNING]: argument password has been deprecated and will be removed in a future version
So by removing all username and password information from the playbook you now run it with the following command
Ansible Playbook now looks like this
Run the Playbook with the new command
ansible-playbook <playbook name> -u <username> -k
This will prompt you to enter the SSH password
This means that the SSH password is no longer stored anywhere in Ansible
It does mean that you have to enter it each time you run the playbook though!
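To confirm that no credentials are left behind in playbooks or group_vars files after switching to -u and -k, a check like the following can be run over the repository. It is an added example, not part of the original post or of Ansible itself; the function names and the sample text are assumptions built from the snippets above, and values that are Jinja2 references or `!vault` entries are treated as not hard-coded.

```python
import re
import sys

# Matches both credential styles shown in this post:
#   inline module args:  password=roger
#   YAML mapping:        password: "password123"
CRED_RE = re.compile(
    r"""(?<![\w-])(?P<key>username|password)\s*[=:]\s*"""
    r"""(?P<val>"[^"]*"|'[^']*'|[^\s#]+)""",
    re.IGNORECASE,
)

# Constructed sample: the snippets from this post plus one templated value.
SAMPLE = '''\
- name: SAVE AND BACKUP CONFIGS
  ntc_save_config: local_file={{ filename }} platform=cisco_ios_ssh host={{ ansible_hostname }} username=roger password=roger
cli:
  username: "roger"
  password: "password123"
  host: "{{ inventory_hostname }}"
- name: show interfaces
  ios_facts:
    gather_subset: "interfaces"
    provider: "{{ cli }}"
    password: "{{ prompted_password }}"
'''

def is_literal(value):
    """True when the value is a hard-coded string, not a reference."""
    v = value.strip("\"'").strip()
    return bool(v) and not v.startswith(("{{", "!vault"))

def scan(text):
    """Return (line number, key) for every hard-coded credential found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # ignore commented-out lines
        for m in CRED_RE.finditer(line):
            if is_literal(m.group("val")):
                # Report the key only; never echo the secret itself.
                findings.append((lineno, m.group("key").lower()))
    return findings

if __name__ == "__main__":
    # Assumption: files to check are given as arguments; with none, scan SAMPLE.
    inputs = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]]
    hits = [(n, f) for n, t in (inputs or [("SAMPLE", SAMPLE)]) for f in scan(t)]
    for name, (lineno, key) in hits:
        print(f"{name}:{lineno}: hard-coded {key}")
    sys.exit(1 if hits else 0)
```

The non-zero exit status on any finding lets the script be used as a pre-commit or CI gate.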