Ansible Create Users and Groups, HELP

I have a task with Ansible and struggle with the file which is under data/users.yml

Can anyone help me? I don't know how to iterate this dict.
I tried with this:

    - hosts: web
      become: yes
      tasks:
        - name: Include users and groups from data/users.yml
          include_vars:
            file: data/users.yml   # data/users.yml is a file, so use file: rather than dir:

        - name: add users admins
          user:
            name: "{{ item.value }}"
            groups: "{{ item.key }}"
            password: "123456"
            state: present
          with_dict: "{{ admins }}"

Anyone see this? I get a warning saying:

TASK [Create admin users with default home directory] **************************************************************************************************************
ok: [stapp01] => (item=rob)
ok: [stapp01] => (item=david)
ok: [stapp01] => (item=joy)
[WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this module to work properly.

TASK [Create developer users with home directory /var/www] *********************************************************************************************************
ok: [stapp01] => (item=tim)
ok: [stapp01] => (item=ray)
ok: [stapp01] => (item=jim)
ok: [stapp01] => (item=mark)

I configured ansible.cfg with the following variable: vault_password_file = ./secrets/vault.txt

In the playbook, I have this:

    - name: Create admin users with default home directory
      user:
        name: "{{ item }}"
        group: "admins"
        password: "GyQkFRVNr3"
        createhome: yes
        state: present
      with_items: '{{ admins }}'

Can anyone see what else I can do to fulfill this requirement:
e. Set password Rc5C9EyvbU for all users under developers group and GyQkFRVNr3 for users under admins group. Make sure to use the password given in ~/playbooks/secrets/vault.txt file as Ansible vault password to encrypt the original password strings. You can use ~/playbooks/secrets/vault.txt file as vault secret file while running the playbook (make necessary changes in ~/playbooks/ansible.cfg file).

@Inderpreet @andrzej please help … :slight_smile: :innocent: :innocent:

You have to define the vault.txt file while executing ansible-playbook -i inventory playbook.yml?

You have to hash the password; otherwise you can't log in as the user. That password should be encrypted with vault.txt.

@Devops @player001

It asks to configure vault.txt in ansible.cfg, and asks not to use the command line when running the playbook. I thought that if I set the vault file path in the config, Ansible would know to hash the password? Is there any other configuration that I need to modify? Or should I encrypt the password first, then add the hash to the password field in the playbook?

cat ansible.cfg
[defaults]
inventory = ~/playbooks/inventory
vault_password_file = ~/playbooks/secrets/vault.txt

Yes, exactly as you wrote. ansible.cfg is OK, and you need to first encrypt the password with vault.txt, then hash this encrypted password.
There is a trick here in converting the vault password to a hashed one.

@Devops
Thank you for your help, I finally understand what you mean about hashing the password. Cheers, cheers!

 password:  "{{ 'YchZHRcLkL' | password_hash ('sha512') }}"

Here is the tricky point. If you apply this you will fail the task because the password is not encrypted; it's just hashed.

I think we need to use the command below:

thor@jump_host ~/playbooks$ ansible-vault encrypt add_users.yml

Encryption successful

thor@jump_host ~/playbooks$

And run your playbook.

Here you encrypt the whole playbook, not only the user's password as required by the task.

@Devops How to encrypt only the user's password here? Any idea please?

E.g. create a new Ansible vault file under group_vars and put the password value there.

@Devops
Do you mean to use the command line

    ansible-vault encrypt_string 'YchZHRcLkL' --vault-password-file ./secrets/vault.txt --name 'admin_password'

then put the long gibberish encrypted chars into the password field to replace the string 'YchZHRcLkL', like this?

    password: "{{ admin_password | password_hash('sha512') }}"

Then what does the line in ansible.cfg do?

ansible.cfg
[defaults]
vault_password_file = ~/playbooks/secrets/vault.txt

I thought that by putting vault_password_file here, when I run the playbook, Ansible would look for the password field to encrypt it, without running the command-line encryption first. No?

What is your trick? :innocent: :innocent:

But this gives an error.
The password_hash() function does not take a vault-encrypted password.

What's the correct way then? @Devops @andrzej

Did you manage to crack it @Jenna?

You need to add a string conversion filter: {{ admin_password | string | password_hash('sha512') }}

The vault_password_file is used to decrypt your encrypted string. Without it Ansible doesn't know how to transform your encrypted password into a plain text one.

I did just that, and it passed.

    password: "{{ 'YchZHRcLkL' | password_hash('sha512') }}"

First, run the command to generate the encrypted password:

    ansible-vault encrypt_string 'YchZHRcLkL' --vault-password-file=/home/thor/playbooks/secrets/vault.txt

Set the source for vault-password-file in ansible.cfg.

Then put it in the add_users.yml file as below:


    - hosts: stapp01 # change to your hosts
      become: yes
      vars:
        my_secret: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          66633334356235626435303233646465366666663464636437336637663139303032316639393837
          3637656263326236303836653162656539653762613330630a353865383861353661346230383637
          2383732623863343063376537393866383462626462393162393964373736333334666664663961
          6432383166333434390a626630373138346634343037383832613934343032336138383033616535
          3861
      tasks:
        - name: Add the user rob
          user:
            name: rob
            comment: rob
            groups: admins,wheel
            # the user module expects a crypt hash, so hash the decrypted vault value
            password: "{{ my_secret | string | password_hash('sha512') }}"
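
The thread separates two properties of the `password:` field: the value must be vault-encrypted where it is stored, and it must be hashed before the user module receives it. The following check is an added example, not code from any post above; the sample playbook is constructed from the four variants posted in the thread, its vault body is a placeholder, and the regex matching is a simplification that reads a single playbook file only.

```python
import re

# Constructed sample: the four ways the thread writes the password field.
SAMPLE = """\
- hosts: stapp01
  become: yes
  vars:
    admin_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      <placeholder ciphertext>
  tasks:
    - name: plaintext literal (triggers the "not hashed" warning)
      user:
        password: "GyQkFRVNr3"
    - name: hashed, but the clear text sits in the playbook
      user:
        password: "{{ 'GyQkFRVNr3' | password_hash('sha512') }}"
    - name: vault value passed through unhashed
      user:
        password: "{{ admin_password }}"
    - name: vault value decrypted, then hashed
      user:
        password: "{{ admin_password | string | password_hash('sha512') }}"
"""

VAULT_VAR = re.compile(r"^\s*(\w+):\s*!vault\b", re.M)
PASSWORD = re.compile(r"^\s*password:\s*(.+?)\s*$", re.M)
CRYPT = re.compile(r"^\$(1|5|6|2[aby]|y)\$")  # common crypt(3) hash prefixes

def classify(value, vault_vars):
    """Return (encrypted_at_rest, hashed_for_shadow) for one password: value."""
    value = value.strip("\"'")
    expr = re.fullmatch(r"\{\{(.*)\}\}", value)
    if not expr:  # a literal in the playbook is never vault-encrypted
        return (False, bool(CRYPT.match(value)))
    source, *filters = [part.strip() for part in expr.group(1).split("|")]
    hashed = any(f.startswith("password_hash") for f in filters)
    return (source in vault_vars, hashed)

def audit(playbook_text):
    """Classify every password: field, in file order."""
    vault_vars = set(VAULT_VAR.findall(playbook_text))
    return [classify(v, vault_vars) for v in PASSWORD.findall(playbook_text)]

if __name__ == "__main__":
    for encrypted, hashed in audit(SAMPLE):
        print(f"encrypted at rest: {encrypted!s:5}  hashed for the user module: {hashed}")
```

Only the last task in the sample satisfies both properties. A variable that is vault-encrypted in another file, such as group_vars, is reported as not encrypted because the check looks at one file.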