Univers Libre

[Ansible] sudo password from your password manager or agent

Written on 29 March 2019, 21:47 CET
Tags: ansible, sysadmin, tech.

Make Ansible retrieve the sudo password from my password manager: for a long time I wondered how to solve this. Ansible is my main tool to manage my own servers, all the infrastructure of the Services FACiLes project I contribute to (a future CHATONS) is built with Ansible automation in mind, and even at my previous job Ansible was used on a daily basis.

One thing that really annoyed me was that every time I run a playbook, I have to give Ansible my sudo password. Worse, Ansible prompts for the password at an early stage of execution, even before trying to include all files or running a syntax check on them. So it isn't uncommon for Ansible to fail right after the prompt because of a mistake I made in a playbook; I then have to fix it, rerun the command, re-enter my password… and so on. Which is very frustrating.

I know some workarounds exist to avoid the interactive sudo password prompt: allowing Ansible to run without a password on the servers (almost equivalent to allowing any command to be executed without a password…, which is not an acceptable answer), storing your password in the ansible_sudo_pass variable in a cleartext file somewhere (yes, you can encrypt it with ansible-vault, but then you have to give the vault password each time you run your playbook), trying to mess with except

For me, the simple and elegant way would be for Ansible to get the password from an agent, like gpg-agent, or to execute an arbitrary command to get it. After a lot of research and experimentation, I found a pretty nice and clever solution on Stack Overflow (far down the page; it should be upvoted more than that, IMHO). The idea is to combine Ansible's --extra-vars (-e) option, which accepts a file when the argument is prefixed with @, with bash's <() process substitution, which presents a command's stdout as a virtual file (/dev/fd/N). We end up with the following command:

$ ansible-playbook -e@<(echo "ansible_sudo_pass: $(pass Sysadmin/xxxx)") playbook.yml

This way my sudo password is retrieved from pass, my password manager (which relies on gpg-agent), and I'm no longer bothered by Ansible's interactive prompt \o/.

The only drawback is that I didn't find a way to put this in ansible.cfg or anywhere else, short of writing a bash alias or a small wrapper.
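Here is that small wrapper, as an added example that is not from the original post: a Python script that does what -e@<(...) does through an anonymous pipe (so it works from any shell, not only bash) and encodes the password as JSON instead of a bare YAML line, so that a '#', a ': ' or quotes inside the password cannot break the extra-vars file (JSON is valid YAML, which is why --extra-vars accepts it). The password command ["pass", "Sysadmin/xxxx"] is taken from the post's command and the function names are my own.

```python
"""Wrapper around ansible-playbook: feed ansible_sudo_pass through an
anonymous pipe, the same trick as -e@<(...) but without bash (added example)."""
import json
import os
import subprocess
from typing import Sequence


def build_extra_vars(secret: str) -> str:
    """Serialise the password as JSON, which Ansible's @file loader reads as YAML.

    A bare 'ansible_sudo_pass: <value>' line breaks, or silently changes meaning,
    when the password contains '#', ': ', quotes or surrounding spaces."""
    return json.dumps({"ansible_sudo_pass": secret})


def secret_fd(contents: bytes) -> int:
    """Return the read end of a pipe already holding `contents`.

    Nothing is written to the filesystem; the child reads it as /dev/fd/N.
    `contents` must fit in the pipe buffer (POSIX guarantees at least 4 KiB)."""
    read_end, write_end = os.pipe()
    os.write(write_end, contents)
    os.close(write_end)  # the reader sees EOF right after the payload
    return read_end


def run_playbook(playbook_args: Sequence[str], password_cmd: Sequence[str],
                 ansible_cmd: Sequence[str] = ("ansible-playbook",),
                 capture_output: bool = False) -> subprocess.CompletedProcess:
    """Run password_cmd (e.g. pass) and hand its output to ansible-playbook
    as extra vars through -e@/dev/fd/N, like the shell one-liner does."""
    shown = subprocess.run(list(password_cmd), check=True,
                           capture_output=True, text=True)
    secret = shown.stdout.rstrip("\n")  # same trimming as $(...) in the shell
    fd = secret_fd(build_extra_vars(secret).encode())
    try:
        return subprocess.run([*ansible_cmd, f"-e@/dev/fd/{fd}", *playbook_args],
                              pass_fds=(fd,),  # only this fd is inherited
                              capture_output=capture_output, text=True)
    finally:
        os.close(fd)


if __name__ == "__main__":
    import sys
    # Assumed pass entry name, taken from the post's example command.
    raise SystemExit(run_playbook(sys.argv[1:], ["pass", "Sysadmin/xxxx"]).returncode)
```

Save it as e.g. ansible-pb and call it exactly like ansible-playbook; the password only ever lives in the pipe and in the child's memory.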