As I have mentioned in the past, the normal way of commutation for Ansible, SSH, is not possible with the NetApp systems. We use http and https communications. This however requires a username and password combination for each task run. Interactive playbooks can easily have the passwords left out using variable prompts, but that doesn’t help for automation. In order to have shareable playbooks, and not reveal or share admin passwords, we turn to the Ansible Vault.
You can use Ansible Vault to encrypt whole playbooks, variable files, or just single variables. It’s the last one we will be doing here.
I want my ONTAP admin account password,
netapp123 to be an encrypted hash so I don’t have to share it or store it exposed.
Creating a variable hash is really very simple with ansible-vault. Using our example password, the command is.
ansible-vault encrypt_string netapp123 –name ‘password’ >> password.yml
When you run this, the vault will prompt you for a decrypt password. This can be anything, just make sure it’s different than your password you are encrypting or what’s the point. I am using ‘demo’ for my decrypt.
# ansible-vault encrypt_string netapp123 --name 'password' >> password.yml New Vault password: demo Confirm New Vault password: demo # cat password password: !vault | $ANSIBLE_VAULT;1.1;AES256 626463353537393465396536303565356266343134636565613662623 464303163613664333262323964636462376635363861616464316132 613031366464350a39306465646664353433316362623631383937653 331653165363762663638633230336430353966613334636366343138 3035626330323066393161353336340a6436613538653637386632313 462313233306462323966323438626662633766
Now I will create a plaintext file that has my decrypt password.
# echo demo >> decrypt
Now any playbooks I want to use this will just need to add password.yml as a vars_files entry.
--- - hosts: localhost name: Setup ONTAP vars: hostname: 220.127.116.11 username: admin state: present vars_files: password.yml
When we call this playbook for automation, we point to the decrypt file for the password to decrypt the hash using a command like this ansible-playbook –vault-id /path/to/my/vault-password-file site.yml
# ansible-playbook --vault-id decrypt myplaybook.yml
This will allow you to share “passwords” without exposing them.
If you have any questions about how this was done, or other ideas about how to protect passwords for the NetApp Ansible modules, join us on our Slack channel #configurationmgmt. If you don’t have an invite to our Slack get one at www.netapp.io/slack.