Re: [ansible-project] Ansible Vault - store credentials for all hosts in one vault file

2018-10-22 Thread Michael Mullay
Libor,

I think what you are asking is if you can do something like this?

host1 password123
host2 password456
host3 password789

If so, then sure. Just put it in a tab-separated file and encrypt it with
ansible-encrypt and use it like you would any other variables. You could
probably use the csvfile module to call column 1 for user, column 2 for
password.



On Mon, Oct 22, 2018 at 12:57 AM Libor Burda wrote:

> Hello everyone.
>
> Is there any way to store credentials in one Vault file, so that these
> credentials are applied to each host?
>
> For example, when I create group_vars/all.yml and store creds there and
> then execute a playbook with --limit=single_host, these credentials are not
> applied. I would probably have to create a vault file for each host, but
> that's crazy when you have thousands of servers.
>
> The goal is to stop Ansible execution once you enter a wrong SSH password.
> Right now, Ansible tries to connect with the wrong password, it fails, and our
> SIEM detects this as an attack and locks the account instantly.
>
> Or is there any alternative way to prevent this from happening?
>
> Thanks in advance.
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-project+unsubscr...@googlegroups.com.
> To post to this group, send email to ansible-project@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/9d1250bc-f3fc-47bd-b8b0-16a84dd193da%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

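Added example, not part of either message and not code from the Ansible project: one way to keep a host-to-password mapping in a single vaulted file and have a run stop at the first rejected login instead of retrying across the fleet. The file layout, the variable name `vault_ssh_passwords` and the `deploy` account are assumptions; the host names and passwords are the constructed ones from the reply above.

```yaml
# Three files shown as three YAML documents.
# group_vars/ must sit next to the inventory file or next to the playbook,
# otherwise its variables are not loaded (with or without --limit).
---
# File 1: group_vars/all/vault.yml
# Encrypt it with:  ansible-vault encrypt group_vars/all/vault.yml
# One dict for every host, keyed by the inventory host name.
vault_ssh_passwords:
  host1: password123
  host2: password456
  host3: password789
---
# File 2: group_vars/all/vars.yml (left in plain text so it stays greppable)
# Each host looks up its own entry in the vaulted dict at connection time.
ansible_user: deploy   # hypothetical account name
ansible_password: "{{ vault_ssh_passwords[inventory_hostname] }}"
---
# File 3: site.yml
# Run with:  ansible-playbook -i inventory site.yml --ask-vault-pass --limit host1
- hosts: all
  gather_facts: false
  # First batch is a single host; the rest only run if that batch succeeded.
  serial:
    - 1
    - "100%"
  # A failed or unreachable host in a batch ends the play for all hosts,
  # so one bad credential produces one failed login, not one per server.
  any_errors_fatal: true
  tasks:
    - name: Confirm the credential works before any real work starts
      ping:
```

Check the stop-on-first-failure behaviour against a test account on the Ansible version in use before relying on it to stay under a lockout threshold.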


[ansible-project] Ansible Vault - store credentials for all hosts in one vault file

2018-10-22 Thread Libor Burda
Hello everyone.

Is there any way to store credentials in one Vault file, so that these 
credentials are applied to each host?

For example, when I create group_vars/all.yml and store creds there and then 
execute a playbook with --limit=single_host, these credentials are not 
applied. I would probably have to create a vault file for each host, but 
that's crazy when you have thousands of servers.

The goal is to stop Ansible execution once you enter a wrong SSH password. 
Right now, Ansible tries to connect with the wrong password, it fails, and our 
SIEM detects this as an attack and locks the account instantly.

Or is there any alternative way to prevent this from happening?

Thanks in advance.

