4

I would need to use my --ask-become-pass password in an expect script. Is there any way to use the password entered when starting ansible-playbook in a variable?

Pseudo-code:

```
# ansible-playbook --become --ask-become-pass -i testing master.yml
BECOME password: secretpassword
```

then in the task

```yaml
- name: use pw variable in task
  expect:
    command: /bin/bash -c "/usr/bin/my_command"
    responses:
      Password: "{{ prompted_pass }}"
```

where I would want expect to enter "secretpassword" when reading the "Password" prompt.

I know about become_user, unfortunately it does not help in my case as a remote server asks for the password - but it is the same as the become_password.

I tried dumping vars and environment, but could not find anything helpful.

Thanks, Tobias

TobiM
  • hm, curious why this was downvoted. Did I overlook a similar question or phrase anything badly? Or is this just generally a bad idea to do something like this? A little comment would have been nice. – TobiM Apr 26 '21 at 05:36

1 Answer

5

No. Interactive become password is not available to the playbook.

One alternative is to not use --ask-become-pass and instead provide the become password as a variable. Define variable ansible_become_password to be a lookup expression, which gets the password from whatever secret storage you use. Also use this var for the other program's password.

John Mahowald
  • Storing in an external secret storage seems to be a bad idea, as the password will change periodically, and I would not want a personal password stored in ansible, not even vault-protected. Having something set up before running the playbook would mean to diverge from the way we do all other hosts, so I will rather settle to do this step by hand. Will accept this as answer as it answers the question, even if it's not what I had hoped for. :) – TobiM Apr 26 '21 at 05:43
  • `vars_prompt:` keyword on the play to input `ansible_become_password` is the other reasonable way to get keyboard input into Ansible. – John Mahowald Apr 26 '21 at 17:47
  • I hinted at secrets related lookup plugins as they don't store secrets in Ansible. keyring lookup plugin, for example. – John Mahowald Apr 26 '21 at 17:49
  • You can use the following: `ansible_become_password: '{{ lookup("env", "ANSIBLE_BECOME_PASSWORD") }}'` – Orsius Jul 14 '22 at 07:18
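
The `vars_prompt` approach from the comments, sketched as a full play. This is an added example, not code from the question or the answer; `hosts: all` is an assumption, and the task name and `/usr/bin/my_command` are taken from the question's pseudo-code.

```yaml
# Added example: prompt once at play start, then reuse the value both for
# privilege escalation and for the expect response.
- hosts: all                          # assumption: target group not given on the page
  become: true
  vars_prompt:
    # Prompting straight into ansible_become_password replaces --ask-become-pass
    # and makes the typed value visible to tasks as an ordinary variable.
    - name: ansible_become_password
      prompt: "BECOME password"
      private: true                   # do not echo the input on the terminal
  tasks:
    - name: use pw variable in task
      ansible.builtin.expect:         # requires pexpect on the managed host
        command: /usr/bin/my_command  # path from the question's pseudo-code
        responses:
          # Keys are regular expressions matched against the command's output.
          Password: "{{ ansible_become_password }}"
      # Without no_log the response value can appear in verbose output,
      # callback plugins and log files.
      no_log: true
```

Run it with `ansible-playbook -i testing master.yml`, without `--ask-become-pass`; the password is held only in memory for the run and is not written to inventory or a vault file.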