Ad-hoc ansible command with vault


(Ansible version is 2.5.0 control machine is linux as are clients)

I want to use ansible's ad-hoc mode with a group_vars file which is vault-encrypted. The group_vars file is called local_vms.yml, and looks like this:

    ---
    vars:
      - pass: a_password
      - ansible_user: grahamn
      - ansible_ssh_pass: "{{ pass }}"

So the inventory contains a group called local_vms and is in the current directory, and the local_vms.yml file is in a subdir called group_vars.

I run like so:

ansible -m command -a"uname" -ihosts local_vms

the variable ANSIBLE_VAULT_PASSWORD_FILE is exported as the path to a well-secured (and out of the git tree) file.

I know that the vault encrypted file is being decrypted and used, because if I modify the ansible_user value, it uses the modified value (and errors as I don't have that user set up).

The command runs OK for the host where I have authorized_keys set up, but not for the one where I have deliberately removed it – so it's ignoring the value for ansible_ssh_pass.

If I increase verbosity, I note that the ssh command contains the string "PasswordAuthentication=no", so I add the appropriate option:

ansible -vvv -i hosts -m command -auname local_vms --ssh-common-args="PasswordAuthentication=yes"

and get this error:
Could not resolve hostname passwordauthentication=yes:

As an aside, /etc/ssh/sshd_config remotely, and /etc/ssh/ssh_config are both configured to allow the use of passwords. ssh root@influx prompts for the password, and logs on successfully.

So, is it possible to use ad-hoc mode with the username and password set as variables in a vault, and if so, what am I doing wrong? Thanks.

A bit of background: I like the light-touch approach to admin – you should try to log on to servers as little as possible. I'm wondering if the approach of doing everything with ansible is viable. Initially, commands could be (as here) ad-hoc, but later we would build up playbooks for everything we need to do. I hate manual interventions on servers, and sadly, puppet is often in noop (and anyway, I prefer ansible).


Editing the command into this:

 ansible -m command -a whoami ...

shows that even if the group_vars.yml file sets ansible_user to root, it is not being used. So now I'm confused. Can I not set ansible_user in a group_vars file? The group_vars file should be in a directory below the inventory file, with the name of the group (+.yml if necessary) – where the directory name is "group_vars".

Running strace on the ansible run shows that it does indeed open the group_vars/local_vms.yml file, and this:

$ ansible -i hosts -m command -awhoami local_vms  -u root -k
SSH password: 
ubuntus01 | SUCCESS | rc=0 >>

influx | SUCCESS | rc=0 >>

centoss02 | SUCCESS | rc=0 >>

grafana | SUCCESS | rc=0 >>

works as you can see.

I'm now wondering if my approach is wrong. I want to be able to use vault for my authentication with both playbooks and ad-hoc commands – is that even possible?

Best Answer

The problem was with the format of my group_vars file. With the file like this:

    ---
    pass: areallygoodpassword
    ansible_user: root
    ansible_ssh_pass: "{{ pass }}"

Everything works perfectly.

The only thing left to do is to upvote my answer.
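To show why the first layout fails and the second works, here is an added Python example (not code from the question or from Ansible) that reads both files with a deliberately minimal YAML reader covering only these two shapes, and then looks up variables the way Ansible's group_vars loader does: only top-level keys become variables, so in the broken file the sole variable is `vars`, a list, and `ansible_user` is never defined. The file contents are constructed to mirror the ones above; `load_group_vars` and `resolve` are names assumed for this example.

```python
import re

# Constructed copies of the two group_vars files from the page.
BROKEN = """\
---
vars:
  - pass: a_password
  - ansible_user: grahamn
  - ansible_ssh_pass: "{{ pass }}"
"""

FIXED = """\
---
pass: areallygoodpassword
ansible_user: root
ansible_ssh_pass: "{{ pass }}"
"""


def load_group_vars(text):
    """Minimal YAML reader for the two shapes on the page: a flat key: value
    mapping, or a key whose value is a list of one-key mappings.  Like
    Ansible's group_vars loader it treats top-level keys as the variables and
    does not descend into a key named 'vars'."""
    result = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "---":
            continue
        m = re.match(r"^(\s*)(- )?([A-Za-z_]\w*):\s*(.*)$", line)
        if not m:
            raise ValueError("unsupported line: %r" % line)
        indent, dash, key, value = m.groups()
        value = value.strip().strip('"')
        if indent == "" and not dash:
            current = key
            result[key] = value if value else []   # "key:" alone opens a list
        elif dash and isinstance(result.get(current), list):
            result[current].append({key: value})  # list item under 'current'
        else:
            raise ValueError("unsupported line: %r" % line)
    return result


def resolve(variables, name):
    """Return a top-level variable with {{ other }} references expanded,
    or None when the variable is not defined at top level."""
    value = variables.get(name)
    if not isinstance(value, str):
        return value
    return re.sub(r"{{\s*(\w+)\s*}}",
                  lambda m: str(resolve(variables, m.group(1))), value)
```

With the broken file `resolve(load_group_vars(BROKEN), "ansible_user")` is None, which is why the SSH connection fell back to the shell user and key authentication; with the fixed file it returns "root" and `ansible_ssh_pass` expands to the password.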