Ansible mock exams 1 q1

I can’t seem to figure out how to encrypt the password for the first question.
The closest:
ansible-vault encrypt_string 'd3v3l0p3r' --vault-password-file=secrets/vault.txt
and
ansible-vault encrypt_string --vault-password-file=secrets/vault.txt 'd3v3l0p3r' --name 'dev_pass'
and more, but none gave me an answer (or at least one that worked).

I would love some help

Hi @alonbn22,

Please look for answers in /tmp/hassets/answers/ on the Ansible controller host.

I suspect something has changed with the user module since this mock exam question was created. I spent 2 hours working through this one question and dearly hope I don’t have to have this level of Ansible knowledge for the exam–good practice though :stuck_out_tongue:

So, because the vaulted password becomes plaintext when called, and the user module requires a hashed password you have to use a filter. Because of some deeper issues you have to use the string filter before password_hash:

Snippet:

- name: Add and configure admin users
  user:
    name: "{{ item }}"
    password: "{{ admin_pass | string | password_hash('sha512') }}"
    groups: wheel
  loop: "{{ users.admins }}"

Full playbook with some debugging output for context:

---
- name: Add and configure users
  hosts: node00
  vars:
    admin_pass: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          32666132323233363435623530336538363562303930656662363631353766643264393765646433
          3464646335663238663766383338353766376363333533370a656331396230623439646439356366
          61643466393863353864313864343464363262393433663834653635653735663961346263313865
          6339623532353264320a323737646265373265366233366534376234363238396561656266626438
          3265
    developer_pass: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          35393832663964376264306639373839386262643964623139633335643938313739373239633862
          3838626334376232393536633233613636303334623563300a663666333837383630316632646165
          65366136616562626665313833643837396262393439326633346139636532656561613035386438
          3736313830313030350a636463343864623962363931303931636366363633373533666562653764
          3334
  tasks:

    - name: Include users
      include_vars:
        file: ~/playbooks/data/users.yml
        name: users

    - name: Show users
      debug:
        var: users

    - name: Show admin password decrypted from vault
      debug:
        var: admin_pass

    - name: Show hashed admin password
      debug:
        msg: "{{ admin_pass | string | password_hash('sha512') }}"

    - name: Add and configure admin users
      user:
        name: "{{ item }}"
        password: "{{ admin_pass | string | password_hash('sha512') }}"
        groups: wheel
      loop: "{{ users.admins }}"

    - name: Add and configure developer users
      user:
        name: "{{ item }}"
        password: "{{ developer_pass | string | password_hash('sha512') }}"
        home: /var/www
      loop: "{{ users.developers }}"

Ansible Output

thor@ansible-controller ~/playbooks$ ansible-playbook -i inventory add_users.yml --check

PLAY [Add and configure users] ***********************************************************************************

TASK [Include users] *********************************************************************************************
ok: [node00]

TASK [Show users] ************************************************************************************************
ok: [node00] => {
    "users": {
        "admins": [
            "rob",
            "david",
            "joy"
        ],
        "developers": [
            "tim",
            "ray"
        ]
    }
}

TASK [Show admin password decrypted from vault] ******************************************************************
ok: [node00] => {
    "admin_pass": "adm$n$"
}

TASK [Show hashed admin password] ********************************************************************************
ok: [node00] => {
    "msg": "$6$cuK0bEpla1xxAJ6y$Bk.m12c5yY5If9JY7o7eyrDfP1qICLPyvIJL7a.xAtiJiLloGuYWwSC4isJyAdQnml4efrcNupyDBtPFwetYj."
}

TASK [Add and configure admin users] *****************************************************************************
changed: [node00] => (item=rob)
changed: [node00] => (item=david)
changed: [node00] => (item=joy)

TASK [Add and configure developer users] *************************************************************************
changed: [node00] => (item=tim)
changed: [node00] => (item=ray)

PLAY RECAP *******************************************************************************************************
node00                     : ok=6    changed=2    unreachable=0    failed=0

Possible errors for reference:

This first error means you are sending a plaintext password (or one that has been decrypted from ansible-vault):

[WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this module to work properly.

This second error happens on some (all?) versions of Ansible (2.7.10 currently in the Mock Exam 1 labs) when you use {{ variable | password_hash('sha512') }} without the string filter in between (for more details see https://github.com/ansible/ansible/issues/24425). I can’t tell if it’s been fixed or if the string filter is the appropriate method going forward.

fatal: [node00]: FAILED! => {"msg": "Unexpected templating type error occurred on ({{ admin_pass | password_hash('sha512')}}): must be string, not AnsibleVaultEncryptedUnicode"}
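
The first warning quoted above is about the value that reaches the user module not being a crypt hash. As an added example (not from the thread and not Ansible's own check), this Python code classifies a candidate value as a crypt hash, an unhashed string, or a non-string object, using the password and hash shown in the debug output above. `classify_password_value`, `audit` and `VaultedValue` are hypothetical names, and only the MD5, SHA-256 and SHA-512 crypt schemes are recognised.

```python
import re

# Modular crypt format: $id$[rounds=N$]salt$digest
DIGEST_LEN = {"1": 22, "5": 43, "6": 86}  # md5-, sha256-, sha512-crypt
SALT_MAX = {"1": 8, "5": 16, "6": 16}
CRYPT_B64 = re.compile(r"[./0-9A-Za-z]+")
ROUNDS = re.compile(r"rounds=[1-9][0-9]*")

def classify_password_value(value):
    """Return (kind, reason); kind is 'hash', 'not-hashed' or 'not-a-string'."""
    if not isinstance(value, str):
        # e.g. a vaulted variable object that never went through `| string`
        return "not-a-string", type(value).__name__
    if value.startswith("$ANSIBLE_VAULT;"):
        return "not-hashed", "vault envelope, neither decrypted nor hashed"
    fields = value.split("$")
    # Well-formed: ['', id, salt, digest] or ['', id, 'rounds=N', salt, digest]
    if len(fields) not in (4, 5) or fields[0] != "":
        return "not-hashed", "not in $id$salt$digest form"
    scheme, salt, digest = fields[1], fields[-2], fields[-1]
    if scheme not in DIGEST_LEN:
        return "not-hashed", "unrecognised scheme id %r" % scheme
    if len(fields) == 5 and (scheme == "1" or not ROUNDS.fullmatch(fields[2])):
        return "not-hashed", "malformed rounds field"
    if not CRYPT_B64.fullmatch(salt) or len(salt) > SALT_MAX[scheme]:
        return "not-hashed", "salt is not 1-%d crypt-base64 chars" % SALT_MAX[scheme]
    if not CRYPT_B64.fullmatch(digest) or len(digest) != DIGEST_LEN[scheme]:
        return "not-hashed", "digest is not %d crypt-base64 chars" % DIGEST_LEN[scheme]
    return "hash", "scheme $%s$" % scheme

class VaultedValue:
    """Hypothetical stand-in for a vaulted variable object that is not a str."""
    def __str__(self):
        return "adm$n$"

# Values quoted in the thread, plus the stand-in object above; audit() never echoes them.
SAMPLES = {
    "decrypted_admin_pass": "adm$n$",
    "hashed_admin_pass": "$6$cuK0bEpla1xxAJ6y$Bk.m12c5yY5If9JY7o7eyrDfP1qICLPyvIJL7a.xAtiJiLloGuYWwSC4isJyAdQnml4efrcNupyDBtPFwetYj.",
    "vaulted_object": VaultedValue(),
    "vaulted_object_as_string": str(VaultedValue()),
}

def audit(values):
    return {name: classify_password_value(v)[0] for name, v in values.items()}

if __name__ == "__main__":
    for name, kind in audit(SAMPLES).items():
        print(name, kind)
```

The decrypted password `adm$n$` contains `$` characters yet is still reported as not hashed, because it does not split into the `$id$salt$digest` fields.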

Thank you so much :slight_smile:

You’re welcome! I actually ran into a question on the exam that required this information…