Using Ansible with pass
Working as the root user with SSH keys is common practice in the Ansible community. Another variant is a “deploy” user with the same password on every machine.
Another option is to use Ansible Vault to encrypt the YAML files, or to use a password manager. It’s never a good idea to keep passwords, private keys and other sensitive data in the source code repository.
I have used pass for all of my personal and company passwords for almost a year. It’s like KeePass but simpler. The project follows the UNIX philosophy: “Do One Thing and Do It Well”.
pass stores every password in a PGP-encrypted file in a directory tree. It also has Git integration and Bash/Zsh completion. Really cool! Check the project page or the man page for additional documentation. There was a lightning talk at the 32c3 congress this year. I’ll append it when it appears online.
It’s really simple. Just use the “pipe” lookup inside your host_vars/examplehost file, like this:
And add sudo: yes to every task in the playbook, like this:
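As an added example (not the code from the original post), here is what the two files could look like together. The host name examplehost, the pass entry examplehost/root and the deploy login user are assumptions. The pipe lookup runs the command on the Ansible control machine and uses its stdout (trailing newline stripped) as the variable value, so only the name of the pass entry ends up in the repository, never the password itself. sudo: yes and ansible_sudo_pass are the Ansible 1.x spellings; on Ansible 2.x the same thing is written become: yes and ansible_become_pass.

```yaml
# host_vars/examplehost
# Added example. "examplehost/root" is an assumed path in the pass store;
# "pass show examplehost/root" prints the first line of the decrypted entry.
# The lookup is evaluated on the control machine every time the variable
# is templated, which is why gpg-agent matters: without it, gpg prompts
# for the key passphrase on each evaluation.
ansible_sudo_pass: "{{ lookup('pipe', 'pass show examplehost/root') }}"
---
# site.yml
# Added example playbook: log in as an unprivileged user (assumed name
# "deploy", authenticated with an SSH key) and escalate per task, using
# the password pulled from pass above.
- hosts: examplehost
  remote_user: deploy
  tasks:
    - name: install nginx
      apt: name=nginx state=present
      sudo: yes            # Ansible 1.x; write "become: yes" on Ansible 2.x
    - name: enable and start nginx
      service: name=nginx state=started enabled=yes
      sudo: yes
```

Two things to check before relying on this: pass must be on the PATH of the user that runs ansible-playbook (the lookup uses that user’s GPG keyring, not the remote host’s), and the password store entry must contain only the password on its first line, since that is what pass show prints first.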
You should also use gpg-agent. Otherwise, Ansible will ask for the GPG key passphrase for each operation, because the lookup is re-run every time the variable is evaluated.