As I have mentioned in the past, the normal way of communication for Ansible, SSH, is not possible with the NetApp systems; we use HTTP and HTTPS instead. This, however, requires a username and password for each task that runs. Interactive playbooks can easily leave the password out by using variable prompts, but that doesn’t help for automation. In order to have shareable playbooks that do not reveal or share admin passwords, we turn to Ansible Vault.

You can use Ansible Vault to encrypt whole playbooks, variable files, or just single variables. It’s the last one we will be doing here.

I want my ONTAP admin account password, netapp123, to be stored as an encrypted value so I don’t have to share it or store it exposed.

Creating an encrypted variable is really very simple with ansible-vault. Using our example password, the command is:

ansible-vault encrypt_string netapp123 --name 'password' >> password.yml

When you run this, the vault will prompt you for a decrypt password. This can be anything; just make sure it’s different from the password you are encrypting, or what’s the point. I am using ‘demo’ for my decrypt password.

# ansible-vault encrypt_string netapp123 --name 'password' >> password.yml
New Vault password: demo
Confirm New Vault password: demo
# cat password.yml
password: !vault |
       $ANSIBLE_VAULT;1.1;AES256
       626463353537393465396536303565356266343134636565613662623
       464303163613664333262323964636462376635363861616464316132
       613031366464350a39306465646664353433316362623631383937653
       331653165363762663638633230336430353966613334636366343138
       3035626330323066393161353336340a6436613538653637386632313
       462313233306462323966323438626662633766

Now I will create a plaintext file that has my decrypt password.

# echo demo >> decrypt

Now any playbook that needs this password just has to add password.yml as a vars_files entry.

---
- hosts: localhost
  name: Setup ONTAP
  vars:
    hostname: 172.32.0.182
    username: admin
    state: present
  vars_files:
    - password.yml

When we call this playbook for automation, we point --vault-id at the decrypt file so Ansible can decrypt the value, using a command like this: ansible-playbook --vault-id /path/to/my/vault-password-file site.yml

# ansible-playbook --vault-id decrypt myplaybook.yml

This will allow you to share “passwords” without exposing them.
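As an added example that is not part of the original post, the following standard-library Python checks whether a vault password (such as the one in the decrypt file) actually matches a `!vault` blob from password.yml, without decrypting the secret. It parses Ansible's Vault 1.1 AES256 envelope (hex body holding salt, HMAC-SHA256 tag and ciphertext; keys derived with PBKDF2-HMAC-SHA256, 10000 rounds) and verifies the tag, which is a handy pre-flight check in a pipeline before ansible-playbook runs; `build_envelope` only assembles constructed test data around already-encrypted bytes.

```python
# Added example (not from the original post): verify that a vault password
# matches an Ansible Vault 1.1 AES256 envelope without decrypting it.
# Standard library only; envelope layout and PBKDF2 parameters are those
# of Ansible's AES256 vault format.
import hashlib
import hmac
from binascii import hexlify, unhexlify

HEADER = "$ANSIBLE_VAULT;1.1;AES256"
ITERATIONS = 10000          # PBKDF2-HMAC-SHA256 rounds used by Ansible
# 32-byte AES key, 32-byte HMAC key, 16-byte counter IV = 80 derived bytes
KEY_LENGTH = 32 + 32 + 16


def derive_keys(vault_password: str, salt: bytes):
    """Return (aes_key, hmac_key, iv) exactly as the vault derives them."""
    derived = hashlib.pbkdf2_hmac("sha256", vault_password.encode(), salt,
                                  ITERATIONS, KEY_LENGTH)
    return derived[:32], derived[32:64], derived[64:]


def parse_envelope(text: str):
    """Split a '!vault' blob into (salt, hmac_hex, ciphertext)."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines or lines[0] != HEADER:
        raise ValueError("not an Ansible Vault 1.1 AES256 envelope")
    # Body is hex(salt_hex + '\n' + hmac_hex + '\n' + ciphertext_hex).
    salt_hex, mac_hex, ct_hex = unhexlify("".join(lines[1:])).split(b"\n")
    return unhexlify(salt_hex), mac_hex.decode(), unhexlify(ct_hex)


def vault_password_matches(text: str, vault_password: str) -> bool:
    """True if the HMAC-SHA256 tag verifies under the candidate password."""
    salt, mac_hex, ciphertext = parse_envelope(text)
    _, hmac_key, _ = derive_keys(vault_password, salt)
    expected = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac_hex)   # constant-time compare


def build_envelope(vault_password: str, salt: bytes, ciphertext: bytes) -> str:
    """Assemble an envelope around already-encrypted bytes (constructed
    test data; real blobs come from `ansible-vault encrypt_string`)."""
    _, hmac_key, _ = derive_keys(vault_password, salt)
    tag = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest().encode()
    body = hexlify(b"\n".join([hexlify(salt), tag, hexlify(ciphertext)])).decode()
    lines = [body[i:i + 80] for i in range(0, len(body), 80)]
    return "\n".join([HEADER] + lines)
```

A wrong vault password fails the tag check before any decryption is attempted, so the check reveals nothing about the protected value.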

If you have any questions about how this was done, or other ideas about how to protect passwords for the NetApp Ansible modules, join us on our Slack channel #configurationmgmt. If you don’t have an invite to our Slack get one at www.netapp.io/slack.

David Blackwell
Technical Marketing Engineer at NetApp
David is a twenty-year IT veteran who has been an admin for just about every aspect of a data center at one time or another. When not working, or tinkering with new software at home, David spends most of his free time with his four-year-old son and his lovely wife.
