+++
author = "Blagovest Petrov"
title = "Using Ansible with pass"
date = "2016-01-03"
tags = [
"Automation",
"Ansible",
"Configuration"
]
categories = [
"System Administration",
"DevOps"
]
+++
Working as the root user with SSH keys is common practice in the Ansible community. Another variant is a "deploy" user with the same password on every machine.
Other options are to use [Ansible Vault to encrypt the YAML files](https://therealmarv.com/ansible-vault-file-handling) or to use a password manager. It is never a good idea to keep passwords, private keys and other sensitive data in the source code repository.
## Pass
I have been using [Pass](http://www.passwordstore.org/) for all of my personal and company passwords for almost a year. It's like KeePass but simpler. The project follows the UNIX philosophy "Do One Thing and Do It Well".
Pass stores every password in a PGP-encrypted file in a directory tree. It also has Git integration and Bash/Zsh completion. Really cool! Check the project page or the man page for additional documentation. There was a lightning talk at the 32c3 congress this year. I'll append it when it appears online.
## Reading sudo passwords from Pass with Ansible
It's really simple. Just use the "pipe" lookup inside your host_vars/examplehost file, like this:
```yaml
ansible_sudo_pass: "{{ lookup('pipe', 'pass show Inventoryname/hosts/examplehost/myusername') }}"
```
And add `sudo: yes` to every task that needs root, like this:
```yaml
- name: Just a test task
  copy: src=/etc/passwd dest=/tmp/passwdfile
  sudo: yes
```
You should also run gpg-agent. Otherwise, Ansible will ask for the GPG key passphrase for each operation.
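As an added, end-to-end example (not code from the original post): the host_vars file and a minimal playbook wired together as a multi-document YAML stream, so that the whole flow from `pass` to privilege escalation is visible in one place. The pass entry path is the one used above; the playbook file name `site.yml` and the `id -u` verification task are my assumptions.

```yaml
# --- host_vars/examplehost --------------------------------------------------
# The 'pipe' lookup runs on the control machine, not on the target.
# It executes `pass show ...`, gpg-agent supplies the key passphrase, and the
# decrypted first line of the entry becomes the sudo password for this host.
# Only this lookup expression is committed to the repository; the secret
# itself lives in the PGP-encrypted password store.
ansible_sudo_pass: "{{ lookup('pipe', 'pass show Inventoryname/hosts/examplehost/myusername') }}"

# Newer Ansible releases spell the same variable ansible_become_pass.
---
# --- site.yml (file name is an assumption) ----------------------------------
- hosts: examplehost
  tasks:
    - name: Just a test task
      copy: src=/etc/passwd dest=/tmp/passwdfile
      sudo: yes              # `become: yes` is the newer spelling of the same thing

    # Assumed verification step: confirm that the password pulled from pass
    # really got us root, instead of discovering it later in a failed deploy.
    - name: Check effective user id under sudo
      command: id -u
      sudo: yes
      register: uid

    - name: Fail loudly if privilege escalation did not yield root
      assert:
        that: uid.stdout == "0"
```

Run it with `ansible-playbook -i inventory site.yml` from a shell where gpg-agent already holds the key; if the agent has not cached the passphrase yet, pinentry will prompt once and subsequent lookups in the same session are silent.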