Specify sudo password for Ansible

Question

How do I specify a sudo password for Ansible in non-interactive way   I m running Ansible playbook like this     ansible-playbook playbook yml -i inventory ini       --user username --ask-sudo-pass   But I want to run it like this     ansible-playbook playbook yml -i inventory ini       --user username    --sudo-pass 12345     Is there a way  I want to automate my project deployment as much as possible

User · Answer

After five years  I can see this is still a very relevant subject  Somewhat mirroring leucos s answer which I find the best in my case  using ansible tools only  without any centralised authentication  tokens or whatever   This assumes you have the same username and the same public key on all servers  If you don t  of course you d need to be more specific and add the corresponding variables next to the hosts    all vars  ansible ssh user ansible ansible ssh private key file home user  ssh mykey  group  192 168 0 50 ansible sudo pass     myserver sudo      ansible-vault create mypasswd yml ansible-vault edit mypasswd yml   Add   myserver sudo  mysecretpassword   Then   ansible-playbook -i inv ini my role yml --ask-vault --extra-vars   passwd yml    At least this way you don t have to write more the variables which point to the passwords

User · Answer

The docs strongly recommend against setting the sudo password in plaintext  and instead using --ask-sudo-pass on the command line when running ansible-playbook    2016 Update   Ansible 2 0  not 100  when  marked --ask-sudo-pass as deprecated  The docs now recommend using --ask-become-pass instead  while also swapping out the use of sudo throughout your playbooks with become

User · Answer

You can use sshpass utility as below     sshpass -p  your pass  ansible pattern -m module -a args      -i inventory --ask-sudo-pass

User · Answer

you can write sudo password for your playbook in the hosts file like this    host-group-name  host-name port ansible sudo pass   your-sudo-password

User · Answer

This worked for me    Created file  etc sudoers d 90-init-users file with NOPASSWD  echo  user ALL  ALL        NOPASSWD ALL   gt  90-init-users   where  user  is your  userid

User · Answer

we Can also Use EXPECT BLOCK in ansible to spawn bash and customize it as per your needs  - name  Run expect to INSTALL TA   shell        set timeout 100     spawn  bin sh -i      expect -re          send  sudo yum remove -y xyz n       expect          send  sudo yum localinstall -y    rpm remotehost path for xyz    n       expect            send   n       exit 0   args    executable   usr bin expect

User · Answer

Looking at the code  runner   init   py   I think you can probably set it in your inventory file     whatever  some-host ansible sudo pass  foobar    There seem to be some provision in ansible cfg config file too  but not implemented right now  constants py

User · Answer

You can use ansible vault which will code your password into encrypted vault  After that you can use variable from vault in playbooks    Some documentation on ansible vault  http   docs ansible com playbooks vault html  We are using it as vault per environment  To edit vault we have command as  ansible-vault edit inventories production group vars all vault  If you want to call vault variable you have to use ansible-playbook with parameters like  ansible-playbook -s --vault-password-file    ansible vault password  Yes we are storing vault password in local directory in plain text but it s not more dangerous like store root password for every system  Root password is inside vault file or you can have it like sudoers file for your user group   I m recommending to use sudoers file on the server  Here is example for group admin   admin    ALL  ALL  NOPASSWD ALL

User · Answer

If you are comfortable with keeping passwords in plain text files  another option is to use a JSON file with the --extra-vars parameter  be sure to exclude the file from source control    ansible-playbook --extra-vars   private vars json  playbook yml    Ansible has supported this option since 1 3

User · Answer

If you are using the pass password manager  you can use the module passwordstore  which makes this very easy  Let s say you saved your user s sudo password in pass as  Server1 User  Then you can use the decrypted value like so    lookup  community general passwordstore    Server1 User     quot   I use it in my inventory  ---    servers       hosts         server1           ansible become pass   quot    lookup  community general passwordstore    Server1 User     quot   Note that you should be running gpg-agent so that you won t see a pinentry prompt every time a  become  task is run

User · Answer

A more savvy way to do this is to store your sudo password in a secure vault such as LastPass or KeePass and then pass it to ansible-playbook using the -e  but instead of hardcoding the contents in an actual file  you can use the construct -e  lt       to run a command in a sub-shell  and redirect its output  STDOUT  to a anonymous file descriptor  effectively feeding the password to the -e  lt        Example    ansible-playbook -i  tmp hosts pb yml      -e  lt  echo  ansible sudo pass    lpass show folder1 item1 --password      The above is doing several things  let s break it down    ansible-playbook -i  tmp hosts pb yml - obviously running a playbook via ansible-playbook   lpass show folder1 item1  --password   - runs the LastPass CLI lpass and retrieves the password to use echo  ansible sudo pass     password     - takes the string  ansible sudo pass    and combines it with the password supplied by lpass -e  lt      - puts the above together  and connects the subshell of  lt       as a file descriptor for ansible-playbook to consume    Further improvements  If you d rather not type that every time you can simply things like so  First create an alias in your  bashrc like so     cat    bashrc alias asp  echo  ansible sudo pass    lpass show folder1 item1 --password      Now you can run your playbook like this     ansible-playbook -i  tmp hosts pb yml -e  lt  asp    References   https   docs ansible com ansible 2 4 ansible-playbook html cmdoption-ansible-playbook-e

User · Answer

Using ansible 2 4 1 0 and the following shall work    all  17 26 131 10 17 26 131 11 17 26 131 12 17 26 131 13 17 26 131 14   all vars  ansible connection ssh ansible user per ansible ssh pass per ansible sudo pass per   And just run the playbook with this inventory as   ansible-playbook -i inventory copyTest yml

User · Answer

You can set the password for a group or for all servers at once    all vars  ansible sudo pass default sudo password for all hosts   group1 vars  ansible sudo pass default sudo password for group1

User · Answer

My hack to automate this was to use an environment variable and access it via --extra-vars  ansible become pass     lookup  env    ANSIBLE BECOME PASS          Export an env var  but avoid bash shell history  prepend with a space  or other methods   E g         export ANSIBLE BECOME PASS   lt your password gt     Lookup the env var while passing the extra ansible become pass variable into the ansible-playbook  E g    ansible-playbook playbook yml -i inventories dev hosts yml -u user --extra-vars  ansible become pass     lookup  env    ANSIBLE BECOME PASS          Good alternate answers     toast38coza  simply use a vaulted value for ansible become pass  This is decent  However  for the paranoid teams that need to share ansible vault passwords  and execute ansible plays with induvidual accounts  they coudld use the shared vault password to reverse each others operating system password  identiy theft   Arguably  you need to trust your own team   slm s bash subshell output generated to temp file descriptor and using the   prefix to read the ansible variable from the file desriptor  Avoids bash history at least  Not sure  but hopefully subshell echo doesn t get caught and exposed in audit logging  e g  auditd

User · Answer

The sudo password is stored as a variable called ansible sudo pass   You can set this variable in a few ways   Per host  in your inventory hosts file  inventory  lt inventoryname gt  hosts     server  10 0 0 0 ansible sudo pass foobar   Per group  in your inventory groups file  inventory  lt inventoryname gt  groups    server vars  ansible sudo pass foobar   Per group  in group vars  group vars  lt groupname gt  ansible yml   ansible sudo pass   foobar    Per group  encrypted  ansible-vault create group vars  lt groupname gt  ansible yml   ansible sudo pass   foobar

User · Answer

Very simple  and only add in the variable file   Example     vim group vars all   And add these   Ansible connection  ssh Ansible ssh user  rafael Ansible ssh pass  password123 Ansible become pass  password123

User · Answer

Just an addendum  so nobody else goes through the annoyance I recently did   AFAIK  the best solution is one along the general lines of toast38coza s above   If it makes sense to tie your password files and your playbook together statically  then follow his template with vars files  or include vars    If you want to keep them separate  you can supply the vault contents on the command line like so   ansible-playbook --ask-vault-pass -e  lt PATH TO VAULT FILE gt   lt PLAYBOOK FILE gt    That s obvious in retrospect  but here are the gotchas    That bloody   sign   If you leave it out  parsing will fail silently  and ansible-playbook will proceed as though you d never specified the file in the first place  You must explicitly import the contents of the vault  either with a command-line --extra-vars -e or within your YAML code   The --ask-vault-pass flag doesn t do anything by itself  besides prompt you for a value which may or may not be used later     May you include your    s and save an hour

User · Answer

You can pass variable on the command line via --extra-vars  name value   Sudo password variable is ansible sudo pass  So your command would look like   ansible-playbook playbook yml -i inventory ini --user username                                 --extra-vars  ansible sudo pass yourPassword    Update 2017  Ansible 2 2 1 0 now uses var ansible become pass  Either seems to work

User · Answer

I don t think ansible will let you specify a password in the flags as you wish to do  There may be somewhere in the configs this can be set but this would make using ansible less secure overall and would not be recommended   One thing you can do is to create a user on the target machine and grant them passwordless sudo privileges to either all commands or a restricted list of commands   If you run sudo visudo and enter a line like the below  then the user  privilegedUser  should not have to enter a password when they run something like sudo service xxxx start    privilegedUser ALL  NOPASSWD   usr bin service

User · Answer

Just call your playbook with --extra-vars  become pass Password   become pass   ansible become password    ansible become pass

User · Answer

I was tearing my hair out over this one  now I found a solution which does what i want   1 encrypted file per host containing the sudo password   etc ansible hosts    all vars  ansible ssh connection ssh ansible ssh user myuser ansible ssh private key file    ssh id rsa   some service group  node-0 node-1   then you create for each host an encrypted var-file like so   ansible-vault create  etc ansible host vars node-0   with content  ansible sudo pass   my sudo pass for host node-0    how you organize the vault password  enter via --ask-vault-pass  or by cfg is up to you  based on this i suspect you can just encrypt the whole hosts file

User · Answer

Ansible vault has been suggested a couple of times here  but I prefer git-crypt for encrypting sensitive files in my playbooks   If you re using git to keep your ansible playbooks  it s a snap   The problem I ve found with ansible vault is that I inevitably end up coming across encrypted copies of the file that I want to work with and have to go decrypt it before I can work   git-crypt offers a nicer workflow IMO    https   github com AGWA git-crypt   Using this  you can put your passwords in a var in your playbook  and mark your playbook as an encrypted file in  gitattributes like this    my playbook yml filter git-crypt diff git-crypt   Your playbook will be transparently encrypted on Github  Then you just need to either install your encryption key on the host you use to run ansible  or follow the instruction on the documentation to set it up with gpg   There s a good Q amp A on forwarding gpg keys like your ssh-agent forwards SSH keys here  https   superuser com questions 161973 how-can-i-forward-a-gpg-key-via-ssh-agent

User · Answer

Above solution by  toast38coza worked for me  just that sudo  yes is deprecated in Ansible now  Use become and become user instead   tasks   - name  Restart apache service    service  name apache2 state restarted    become  yes    become user  root

User · Answer

Probably the best way to do this - assuming that you can t use the NOPASSWD solution provided by scottod is to use Mircea Vutcovici s solution in combination with Ansible vault    For example  you might have a playbook something like this       - hosts  all    vars files      - secret    tasks      - name  Do something as sudo       service  name nginx state restarted       sudo  yes   Here we are including a file called secret which will contain our sudo password    We will use ansible-vault to create an encrypted version of this file   ansible-vault create secret   This will ask you for a password  then open your default editor to edit the file  You can put your ansible sudo pass in here    e g   secret   ansible sudo pass  mysudopassword   Save and exit  now you have an encrypted secret file which Ansible is able to decrypt when you run your playbook  Note  you can edit the file with ansible-vault edit secret  and enter the password that you used when creating the file   The final piece of the puzzle is to provide Ansible with a --vault-password-file which it will use to decrypt your secret file   Create a file called vault txt and in that put the password that you used when creating your secret file  The password should be a string stored as a single line in the file   From the Ansible Docs         ensure permissions on the file are such that no one else can access your key and do not add your key to source control   Finally  you can now run your playbook with something like  ansible-playbook playbook yml -u someuser -i hosts --sudo --vault-password-file vault txt    The above is assuming the following directory layout        playbook yml    secret    hosts    vault txt   You can read more about Ansible Vault here  https   docs ansible com playbooks vault html

[ansible] Specify sudo password for Ansible

Examples related to ansible