Blog/source/_posts/2016-01-03-Using-Ansible-wi...

title: Using Ansible with pass
date: 2016-01-03 02:13:54
tags: ansible, pass, passwordstore, DevOps, Security
---

To work with the root user and ssh keys is a common practice in the Ansible community. Another variant is to use a "deploy" user with the same password on every machine.
Another option is to use [Ansible Vault to encrypt the yaml files](https://therealmarv.com/ansible-vault-file-handling). or to use a password manager. It's never a good idea to keep passwords, private keys and other sensual data to the source code repository.

<!-- more -->

## Pass

I use [Pass](http://www.passwordstore.org/) for all of my personal or company passwords for almost an year. It's like a Keepass but simpler. The project follows the UNIX philosophy "Do One Thing and Do It Well".
Pass stores every password in a PGP encrypted file in a directory tree. It has also Git integration and Bash/Zsh completion. Really cool! Check the project page or the Man for additional documentation. There was a lighting talk from the 32c3 congress this year. I'll append it when it appears online. 

## Reading sudo passwords from Pass with Ansible

It's really simple. Just use "Lookup" with pipe inside your host_vars/examplehost file, like this:

{% codeblock lang:yaml %}
ansible_sudo_pass: "{ { lookup('pipe', 'pass show Inventoryname/hosts/examplehost/myusername') }}"
{% endcodeblock %}

And append *sudo: yes* to every command in the tasks, like this:

{% codeblock lang:yaml %}
- name: Just a test task
  copy: src=/etc/passwd dest=/tmp/passwdfile
  sudo: yes
{% endcodeblock %}

You should also use gpg-agent. Otherwise, Ansible will ask for the gpg key password for each operation.
New post - using Ansible with pass 9 years ago			`title: Using Ansible with pass`
			`date: 2016-01-03 02:13:54`
			`tags: ansible, pass, passwordstore, DevOps, Security`
			`---`

			`To work with the root user and ssh keys is a common practice in the Ansible community. Another variant is to use a "deploy" user with the same password on every machine.`
			`Another option is to use [Ansible Vault to encrypt the yaml files](https://therealmarv.com/ansible-vault-file-handling). or to use a password manager. It's never a good idea to keep passwords, private keys and other sensual data to the source code repository.`

			`<!-- more -->`

			`## Pass`

			`I use [Pass](http://www.passwordstore.org/) for all of my personal or company passwords for almost an year. It's like a Keepass but simpler. The project follows the UNIX philosophy "Do One Thing and Do It Well".`
			`Pass stores every password in a PGP encrypted file in a directory tree. It has also Git integration and Bash/Zsh completion. Really cool! Check the project page or the Man for additional documentation. There was a lighting talk from the 32c3 congress this year. I'll append it when it appears online.`

			`## Reading sudo passwords from Pass with Ansible`

			`It's really simple. Just use "Lookup" with pipe inside your host_vars/examplehost file, like this:`

			`{% codeblock lang:yaml %}`
			`ansible_sudo_pass: "{ { lookup('pipe', 'pass show Inventoryname/hosts/examplehost/myusername') }}"`
			`{% endcodeblock %}`

			`And append sudo: yes to every command in the tasks, like this:`

			`{% codeblock lang:yaml %}`
			`- name: Just a test task`
			`copy: src=/etc/passwd dest=/tmp/passwdfile`
			`sudo: yes`
			`{% endcodeblock %}`

			`You should also use gpg-agent. Otherwise, Ansible will ask for the gpg key password for each operation.`