Encrypted Passwords with Ansible Playbooks

In a perfect world you should be using SSH keys to authenticate to your target host without a password.  Also in that perfect world, that user should be able to sudo to root without being asked for a password.  Ah yes, perfection…

For the rest of us, here is how to securely store your credentials using Ansible's nifty built-in encrypted vault.  You'll need to type a password to decrypt the vault every time you run the playbook, but that's better than typing two passwords on the command line or having them sitting on your hard drive in a plain-text file.

  1. Make the directory that the Ansible playbook will automatically import
    Note: You don't feed the playbook an encrypted file.  Instead you just encrypt a file that the playbook would normally source, i.e. host_vars, group_vars, etc.

    user@workstation:~# mkdir host_vars
    user@workstation:~# cd host_vars
    
  2. Create the encrypted file for the host
    user@workstation:~/host_vars# ansible-vault create <hostname>
    Vault password: <My Vault Password>
    Confirm Vault password: <My Vault Password>
    
  3. Enter the secret information into the vault editor
    ---
    ansible_ssh_user: <ssh user>
    ansible_ssh_pass: <ssh password>
    ansible_sudo_pass: <sudo password>
    
  4. Create a playbook that uses the vault
    *The “hosts:” line must refer to the host in the inventory file whose name matches the name of the encrypted file you created*
  5. Execute the playbook with a prompt for the vault password
    user@workstation:~/host_vars# ansible-playbook -i <your inventory file> --ask-vault-pass <your playbook>.yml
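
The layout the five steps produce, as an added example that is not part of the original post: a shell script that writes a minimal inventory and playbook for a hypothetical host `web01` (the name in `hosts:`, the inventory entry and the `host_vars/web01` vault file must all match), plus a check that every file under host_vars/ and group_vars/ really starts with the `$ANSIBLE_VAULT;` header before the playbook is run or the directory is committed. The host name, the 192.0.2.10 address, the file names and the `whoami` task are constructed for the example; the playbook uses `become: true` for the sudo step.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the layout that steps 1-5
# describe for a hypothetical host "web01" and checks that the host_vars and
# group_vars files are really vault-encrypted before they are used or committed.

# Step 4: a minimal inventory and playbook. "hosts: web01" must match the
# inventory entry and the name of the host_vars/web01 vault file.
write_playbook() {
    dir="$1"
    mkdir -p "$dir/host_vars"
    # Constructed inventory: one host with a documentation (RFC 5737) address.
    printf 'web01 ansible_host=192.0.2.10\n' > "$dir/inventory"
    cat > "$dir/site.yml" <<'EOF'
---
- hosts: web01
  become: true        # uses the sudo password stored in host_vars/web01
  tasks:
    - name: Show which account the play is running as
      command: whoami
EOF
}

# A file written by "ansible-vault create" begins with a header such as
# "$ANSIBLE_VAULT;1.1;AES256"; anything else is plain text.
is_vaulted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# Walk host_vars/ and group_vars/ and report any file that is not encrypted.
# Returns 0 when every file is vaulted, 1 otherwise.
check_vars_dirs() {
    base="$1"
    rc=0
    for f in "$base"/host_vars/* "$base"/group_vars/*; do
        [ -f "$f" ] || continue
        if is_vaulted "$f"; then
            echo "vaulted:   $f"
        else
            echo "PLAINTEXT: $f"
            rc=1
        fi
    done
    return "$rc"
}

# Stand-alone use:  sh vault_check.sh check /path/to/project
# Step 5 is then:   ansible-playbook -i inventory --ask-vault-pass site.yml
if [ "${1:-}" = "check" ]; then
    check_vars_dirs "${2:-.}"
fi
```

Run the check from the directory that holds `inventory`, `site.yml` and `host_vars/`; a `PLAINTEXT:` line means that file was created or edited without `ansible-vault` and would put the SSH and sudo passwords on disk unencrypted.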
    
