2

I am very new to Ansible and would like to test a few things. I have a couple of Amazon EC2 instances and would like to install different software components on them. I don't want to have the (plaintext) credentials of the technical users inside Ansible scripts or config files. I know that it is possible to encrypt those files, but I want to try KeePass as a central password management tool. So my installation scripts should read the credentials from a .kdbx (KeePass 2) database file before starting the actual installation.

So far I have written a basic Python script for reading the .kdbx file. The script outputs a JSON object via:

print json.dumps(inventory, sort_keys=False)

The output looks like the following:

{"cdc": 
    {"cdc_test_server": 
        {"cdc_test_user": 
            {"username": "cdc_test_user", 
             "password": "password"}
        }
    }
}

Now I want the Python script to be executed by Ansible, with the key-value pairs of the output included/registered as Ansible variables. So far my playbook looks as follows:

- hosts: 127.0.0.1
  connection: local
  tasks:
  - name: "Test Playboook Functionality"
    command: python /usr/local/test.py
    register: pass

  - debug: var=pass.stdout

  - name: "Include json user output"
    set_fact: passwords="{{pass.stdout | from_json}}"

  - debug: " {{passwords.cdc.cdc_test_server.cdc_test_user.password}} "

The first debug generates the correct JSON output, but I am not able to include the variables in Ansible so that I can use them via Jinja2 notation. set_fact doesn't throw an exception, but the last debug just returns a "Hello world" message. So my question is: How do I properly include the JSON key-value pairs as Ansible variables via a task?

2
  • 1
    Add msg: to your last debug statement: - debug: msg="{{pass....}}" Commented Aug 15, 2016 at 15:39
  • Oh, thank you. Do you know if my approach is the preferred way for the registration of variables, or are there better solutions? Commented Aug 15, 2016 at 15:43
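
The fix from the comment above, written out as an added example that is not part of the original thread: without `msg:` or `var:`, `debug` prints its default "Hello world!" message. The variable name `kdbx_out` and the `no_log`, `changed_when` and `assert` tasks are assumptions added here so the credentials never reach task output or logs; the script path and JSON layout are the ones from the question.

```yaml
# Added example, not the original poster's playbook.
# Assumes /usr/local/test.py prints the JSON document shown in the question.
- hosts: 127.0.0.1
  connection: local
  gather_facts: false
  tasks:
    - name: Read credentials from the KeePass helper script
      command: python /usr/local/test.py
      register: kdbx_out      # hypothetical name, replaces "pass"
      changed_when: false     # reading the database changes nothing on the host
      no_log: true            # keep stdout (the passwords) out of logs and -v output

    - name: Parse the JSON output into a variable
      set_fact:
        passwords: "{{ kdbx_out.stdout | from_json }}"
      no_log: true            # the parsed fact contains the passwords as well

    - name: Show a non-secret field to confirm the structure is usable
      debug:
        msg: "{{ passwords.cdc.cdc_test_server.cdc_test_user.username }}"

    - name: Check that the password was loaded without printing it
      assert:
        that:
          - passwords.cdc.cdc_test_server.cdc_test_user.password | length > 0
```

Any later task that passes the password to a module should carry `no_log: true` too, since the registered value itself is not censored once it is referenced elsewhere.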

3 Answers

3

See Ansible KeePass Lookup Plugin

ansible_user       : "{{ lookup('keepass', 'path/to/entry', 'username') }}"
ansible_become_pass: "{{ lookup('keepass', 'path/to/entry', 'password') }}"

1

You may want to use facts.d and place your Python script there to be available as a fact.
Or write a simple action plugin that returns a JSON object to eliminate the need for the stdout->from_json conversion.

1 Comment

The link is no longer available.
0

Late to the party, but it seems your use case is primarily covered by keepass-inventory. And it doesn't require any playbook "magic". Disclaimer: I contribute to this non-profit.

export KDB_PATH=example.kdbx
export KDB_PASS=example

ansible all --list-hosts -i keepass-inventory.py
