September 20, 2025
Password Management with Ansible
Password management is one of the topics that should be analyzed during the design phase, i.e., before starting to write code. However, from a learning perspective, I prefer to postpone the topic in order to have some basic knowledge.
In general, I feel inclined to discourage any approach that involves having credentials saved in clear text in files or playbooks. Where possible, I recommend using named credentials that are manually entered during playbook execution.
The use of orchestrators like Ansible Tower or AWX might make it preferable to choose a particular vault, i.e., an encrypted password database accessible via API. The use of a vault in manually executing playbooks, in my opinion, makes little sense because it simply shifts the problem: the credentials are contained in the vault, but somewhere the token must be saved so that the playbook can access the vault.
Finally, as seen previously, the use of dynamic inventories might make it preferable to save credentials within the inventory itself, which, being generated dynamically, leaves no trace except in RAM. However, once again, we are shifting the problem: somehow the script that generates the inventory must be able to authenticate itself.
Let’s see two examples, knowing that each environment will require specific considerations regarding the security and confidentiality of credentials. So, let’s open the Simple Network Lab and start R1.
Named Credentials
The simplest and safest way to manage credentials is to pass them directly on the command line during each execution:
./playbook-auth.yml -u admin -k
Before execution, Ansible prompts for the password of the admin user. If the user needs to perform privilege escalation, the -K parameter can be added, which prompts for the enable password.
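To check that a project follows the recommendation above and keeps cleartext credentials out of inventories and variable files, a small scanner can flag literal values assigned to Ansible's password variables. This is an added example, not code from the original post; the sample inventory and group_vars content are constructed, and treating Jinja references and `!vault` values as non-cleartext is an assumption of this sketch.

```python
import re

# Ansible connection and privilege-escalation variables that hold secrets.
SECRET_KEYS = (
    "ansible_password", "ansible_ssh_pass", "ansible_ssh_password",
    "ansible_become_password", "ansible_become_pass",
)
# Matches YAML "key: value" and INI "key=value"; captures the rest of the line.
PATTERN = re.compile(r"\b(" + "|".join(SECRET_KEYS) + r")\s*[:=]\s*(.*)$")

def find_cleartext_secrets(text, filename="<input>"):
    """Return (filename, line number, variable) for each literal secret value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out line
        m = PATTERN.search(line)
        if not m:
            continue
        value = m.group(2).strip().lstrip("'\"")
        # Empty, templated ({{ ... }}) or vault-encrypted values are not literals.
        if not value or value.startswith(("{{", "!vault")):
            continue
        findings.append((filename, lineno, m.group(1)))  # never record the value
    return findings

# Constructed sample: INI inventory with a password stored in clear text.
SAMPLE_INVENTORY = """\
[routers]
R1 ansible_host=192.0.2.1 ansible_user=admin ansible_password=cisco123
"""

# Constructed sample: group_vars with a templated, an encrypted and a literal value.
SAMPLE_GROUP_VARS = """\
ansible_user: admin
ansible_password: "{{ lookup('env', 'NET_PASS') }}"
ansible_become_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  (ciphertext elided)
# ansible_ssh_pass: old-password
ansible_become_pass: enable123
"""

if __name__ == "__main__":
    for name, text in (("hosts.ini", SAMPLE_INVENTORY),
                       ("group_vars/all.yml", SAMPLE_GROUP_VARS)):
        for fname, lineno, key in find_cleartext_secrets(text, name):
            print(f"{fname}:{lineno}: cleartext value for {key}")
```

A check like this fits in a pre-commit hook or CI job, so that a password saved in a file is caught before it reaches the repository.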
Ansible Vault
Continue reading the post on Patreon.