As I have mentioned in the past, SSH, the normal means of communication for Ansible, is not possible with NetApp systems. We use HTTP and HTTPS communications instead. This, however, requires a username and password combination for each task run. Interactive playbooks can easily leave the passwords out by using variable prompts, but that doesn’t help for automation. To have shareable playbooks without revealing or sharing admin passwords, we turn to Ansible Vault.

You can use Ansible Vault to encrypt whole playbooks, variable files, or just single variables. It’s the last one we will be doing here.

I want my ONTAP admin account password, netapp123, to be an encrypted hash so I don’t have to share it or store it exposed.

Creating a variable hash is really very simple with ansible-vault. Using our example password, the command is:

ansible-vault encrypt_string netapp123 --name 'password' >> password.yml

When you run this, the vault will prompt you for a decrypt password. This can be anything; just make sure it’s different from the password you are encrypting, or what’s the point? I am using ‘demo’ for my decrypt.

# ansible-vault encrypt_string netapp123 --name 'password' >> password.yml
New Vault password: demo
Confirm New Vault password: demo
# cat password.yml
password: !vault |

Now I will create a plaintext file that has my decrypt password.

# echo demo >> decrypt

Now any playbook that needs this password just has to add password.yml as a vars_files entry.

- hosts: localhost
  name: Setup ONTAP
   username: admin
   state: present

When we call this playbook for automation, we point to the decrypt file, which holds the password used to decrypt the hash. The general form of the command is ansible-playbook --vault-id /path/to/my/vault-password-file site.yml, which in this case is:

# ansible-playbook --vault-id decrypt myplaybook.yml

This will allow you to share “passwords” without exposing them.
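A complete playbook that consumes the vaulted variable, as an added example that is not from the original post. The playbook listing above shows only a fragment, so the module (netapp.ontap.na_ontap_volume), the hostname and the volume, vserver and aggregate names here are assumptions; the vault_encrypted test needs ansible-core 2.10 or later.

```yaml
# myplaybook.yml: added example. Hostname, vserver, aggregate and volume
# names are placeholders, and na_ontap_volume is an assumed choice of module.
#
# Run it the way the post does, with the vault password read from a file:
#   chmod 600 decrypt        # keep the decrypt file readable by its owner only
#   ansible-playbook --vault-id decrypt myplaybook.yml
- hosts: localhost
  name: Setup ONTAP
  gather_facts: false
  vars_files:
    - password.yml                  # holds only:  password: !vault | ...
  vars:
    ontap_host: ontap.example.com   # placeholder
  pre_tasks:
    - name: Stop if the password is missing or was stored in plaintext
      ansible.builtin.assert:
        that:
          - password is defined
          - password is vault_encrypted
        quiet: true
  tasks:
    - name: Create a volume (placeholder task)
      netapp.ontap.na_ontap_volume:
        state: present
        name: demo_vol
        vserver: demo_svm
        aggregate_name: aggr1
        size: 10
        size_unit: gb
        hostname: "{{ ontap_host }}"
        username: admin
        password: "{{ password }}"   # decrypted in memory at run time
        https: true
        validate_certs: true         # requires a trusted certificate on the cluster
      no_log: true    # keeps the decrypted password out of task output and logs
```

Running `ansible-vault encrypt_string --stdin-name 'password'` reads the secret from standard input instead of the command line, which keeps it out of shell history and the process list.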

If you have any questions about how this was done, or other ideas about how to protect passwords for the NetApp Ansible modules, join us on our Slack channel #configurationmgmt. If you don’t have an invite to our Slack get one at

About David Blackwell

David is a twenty year IT veteran who has been an admin for just about every aspect of a DataCenter at one time or another. When not working, or tinkering with new software at home, David spends most of his free time with his six year old son and his lovely wife.
