In this use case, the ansible_sudo_password variable, which is used as the privilege escalation password, is stored in a vault.
Once the secret has been created and added to the playbook, a user who needs to escalate privileges with sudo while running the playbook must first decrypt the vault to access the variable.
This is done by passing one of the following flags when executing the playbook:
--ask-vault-pass
--vault-password-file
Below is a demonstration of how the vault file holding the encrypted variable is loaded into the playbook:
---
# playbook for the minimal-centos role.
- hosts: all
  vars_files:
    - become-secret
  become: true
  roles:
    - minimal_centos
# clone the repository
$ git clone git@github.com:hubvu/minimal-centos-ansible.git
# navigate into the directory
$ cd minimal-centos-ansible/
# run the master playbook `site.yaml` with verbosity
# for non Ansible Vault users
$ ansible-playbook site.yaml \
--inventory-file=hosts \
--ask-become-pass \
--verbose
# run the master playbook `site.yaml` with verbosity
# for Ansible Vault users
$ ansible-playbook site.yaml \
--inventory-file=hosts \
--ask-vault-pass \
--verbose
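Before the `become-secret` vars file is committed, it is worth checking that it really was encrypted and no longer holds the password in the clear. The following shell script is an added example and not part of the minimal-centos-ansible project: it creates the vars file, encrypts it with ansible-vault (assumed to be installed) and provides the two checks; the script name, the `create` argument and the vault password file path are assumptions.

```shell
#!/bin/sh
# Added example, not from the minimal-centos-ansible project. Creates the
# `become-secret` vars file the playbook loads, encrypts it with ansible-vault
# (assumed installed), and checks it is really encrypted before it is committed.

VAULT_HEADER='$ANSIBLE_VAULT;1.1;AES256'   # first line of every vault-encrypted file

# 0 if the file begins with the Ansible Vault header, i.e. it was encrypted
# rather than left as plaintext YAML.
is_vault_encrypted() {
    [ -f "$1" ] || return 1
    [ "$(head -n 1 "$1")" = "$VAULT_HEADER" ]
}

# 0 if the vars file still carries the privilege escalation password in the
# clear; this is what a pre-commit hook should refuse to let through.
has_plaintext_sudo_password() {
    grep -q '^ansible_sudo_password:' "$1"
}

# Write ansible_sudo_password into $1 and encrypt it with the vault password
# held in the file $2, so neither secret is ever passed on a command line.
create_become_secret() {
    vars_file=$1
    vault_pass_file=$2
    umask 077                             # plaintext is never readable by others
    printf 'sudo password: '; stty -echo; read -r pw; stty echo; printf '\n'
    printf '%s\n' '---' "ansible_sudo_password: \"$pw\"" > "$vars_file"
    unset pw
    ansible-vault encrypt --vault-password-file "$vault_pass_file" "$vars_file"
}

# Usage (assumed names): ./make-secret.sh create become-secret ~/.vault_pass
if [ "${1:-}" = "create" ] && [ $# -eq 3 ]; then
    create_become_secret "$2" "$3"
    if is_vault_encrypted "$2" && ! has_plaintext_sudo_password "$2"; then
        echo "$2 is vault-encrypted; safe to add to the repository"
    else
        echo "$2 is NOT encrypted; do not commit it" >&2
        exit 1
    fi
fi
```

The two check functions need only POSIX sh, so they can also be called from a git pre-commit hook without ansible-vault being present on the committing machine.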
Contributing
Contribution guidelines for this project can be found in the Contributing document.