ansible.builtin.password – retrieve or generate a random password, stored in a file

From Get docs
Ansible/docs/2.10/collections/ansible/builtin/password lookup


ansible.builtin.password – retrieve or generate a random password, stored in a file

Note

This module is part of ansible-base and included in all Ansible installations. In most cases, you can use the short module name password even without specifying the collections: keyword. Despite that, we recommend you use the FQCN for easy linking to the module documentation and to avoid conflicting with other collections that may have the same module name.


New in version 1.1: of ansible.builtin


Synopsis

  • Generates a random plaintext password and stores it in a file at a given filepath.
  • If the file exists previously, it will retrieve its contents, behaving just like with_file.
  • Usage of variables like "Template:Inventory hostname" in the filepath can be used to set up random passwords per host, which simplifies password management in "host_vars" variables.
  • A special case is using /dev/null as a path. The password lookup will generate a new random password each time, but will not write it to /dev/null. This can be used when you need a password without storing it on the controller.

Parameters

Parameter Choices/Defaults Configuration Comments

_terms

string / required

path to the file that stores/will store the passwords

chars

string

added in 1.4 of ansible.builtin

Define comma separated list of names that compose a custom character set in the generated passwords.

By default generated passwords contain a random mix of upper and lowercase ASCII letters, the numbers 0-9 and punctuation (". , : - _").

They can be either parts of Python's string module attributes (ascii_letters,digits, etc) or are used literally ( :, -).

To enter comma use two commas ',,' somewhere - preferably at the end. Quotes and double quotes are not supported.

encrypt

string

Which hash scheme to encrypt the returning password, should be one hash scheme from passlib.hash; md5_crypt, bcrypt, sha256_crypt, sha512_crypt

If not provided, the password will be returned in plain text.

Note that the password is always stored as plain text, only the returning password is encrypted.

Encrypt also forces saving the salt value for idempotence.

Note that before 2.6 this option was incorrectly labeled as a boolean for a long time.

length

integer

Default:

20

The length of the generated password.



Notes

Note

  • A great alternative to the password lookup plugin, if you don’t need to generate random passwords on a per-host basis, would be to use Vault in playbooks. Read the documentation there and consider using it first, it will be more desirable for most applications.
  • If the file already exists, no data will be written to it. If the file has contents, those contents will be read in as the password. Empty files cause the password to return as an empty string.
  • As all lookups, this runs on the Ansible host as the user running the playbook, and “become” does not apply, the target file must be readable by the playbook user, or, if it does not exist, the playbook user must have sufficient privileges to create it. (So, for example, attempts to write into areas such as /etc will fail unless the entire playbook is being run as root).


Examples

- name: create a mysql user with a random password
  mysql_user:
    name: "{{ client }}"
    password: "{{ lookup('password', 'credentials/' + client + '/' + tier + '/' + role + '/mysqlpassword length=15') }}"
    priv: "{{ client }}_{{ tier }}_{{ role }}.*:ALL"

- name: create a mysql user with a random password using only ascii letters
  mysql_user:
    name: "{{ client }}"
    password: "{{ lookup('password', '/tmp/passwordfile chars=ascii_letters') }}"
    priv: '{{ client }}_{{ tier }}_{{ role }}.*:ALL'

- name: create a mysql user with an 8 character random password using only digits
  mysql_user:
    name: "{{ client }}"
    password: "{{ lookup('password', '/tmp/passwordfile length=8 chars=digits') }}"
    priv: "{{ client }}_{{ tier }}_{{ role }}.*:ALL"

- name: create a mysql user with a random password using many different char sets
  mysql_user:
    name: "{{ client }}"
    password: "{{ lookup('password', '/tmp/passwordfile chars=ascii_letters,digits,hexdigits,punctuation') }}"
    priv: "{{ client }}_{{ tier }}_{{ role }}.*:ALL"

Return Values

Common return values are documented here, the following are the fields unique to this lookup:

Key Returned Description

_raw

list / elements=string

success

a password





Authors

© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.10/collections/ansible/builtin/password_lookup.html