{"id":1703,"date":"2019-07-24T21:50:11","date_gmt":"2019-07-24T21:50:11","guid":{"rendered":"http:\/\/robermb.com\/blog\/?p=1703"},"modified":"2024-02-25T12:33:54","modified_gmt":"2024-02-25T11:33:54","slug":"privilege-escalation-with-ansible-more-secure-using-vault","status":"publish","type":"post","link":"https:\/\/robermb.com\/blog\/geeks\/privilege-escalation-with-ansible-more-secure-using-vault\/","title":{"rendered":"Ansible: Privilege escalation more secure using Ansible-Vault"},"content":{"rendered":"\n

INTRODUCTION<\/span><\/h3>\n\n\n\n

Sometimes it’s necessary to execute the tasks<\/strong> of the Playbook with root user<\/strong> in the remote servers. To escalate privileges<\/strong> we have to set become variable to yes: \u201cbecome: yes<\/strong>\u201d. There are different methods of privilege escalation but the most common to use that is sudo method<\/strong>.<\/p>\n\n\n\n

For example I’m using in my inventory<\/strong>(\/etc\/ansible\/hosts) the following variables<\/strong>:<\/p>\n\n\n\n

# VARS\n[all:vars]\nansible_user=remote\n#ansible_ssh_pass=PASSWORD\nansible_port=22<\/code><\/pre>\n\n\n\n
With ansible_user<\/strong> variable I’m telling to Ansible which is the user that will connect by ssh to the remotes servers, in my case the user is always “remote<\/strong>“. But this user is not an user with enough privileges to install packages or change some configurations of the system. To do that it’s necessary to elevate privileges<\/strong> using sudo. Sudo means that when you execute a command with sudo the command is actually executed by the root user, instead the login user. And to activate<\/strong> it we just have to set become variable to yes<\/strong>.<\/p>\n\n\n\n
Currently I have commented the line of ansible_ssh_pass<\/strong> variable because I prefer to use a ssh trust relationship<\/a><\/strong> (distribute ssh authorized key with ansible<\/a>) between Ansible master and the remote servers. This means that I am able to connect via ssh with the remote user without entering the password.<\/p>\n\n\n\n
For example, this is the header of a simple Playbook:<\/p>\n\n\n\n
---\n- hosts: web\n  name: Install the apache web service\n  become: yes<\/code><\/pre>\n\n\n\n
FAILED! => {“msg”: “Missing sudo password”}<\/h3>\n\n\n\n
But is still necessary to configure the sudo password in a secure way avoiding plain text passwords for security reasons. If we don’t have the sudo password correctly configured we will receive the following output:<\/p>\n\n\n\n
[remote@ansible]$ ansible-playbook YOUR_PLAYBOOK.yml<\/code><\/pre>\n\n\n\n
PLAY [This is a play within a playbook] ****************************************************************************************\n\nTASK [Gathering Facts] *********************************************************************************************************\nfatal: [node1]: FAILED! => {\"msg\": \"Missing sudo password\"}\n\nPLAY RECAP *********************************************************************************************************************\nnode1                      : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0 <\/code><\/pre>\n\n\n\n
Option –ask-become-pass<\/h3>\n\n\n\n
Of course you can add the “–ask-become-pass” option to introduce your sudo password manually<\/strong> in the prompt:<\/p>\n\n\n\n
[remote@ansible apache-basic-playbook]$ ansible-playbook --ask-become-pass YOUR_PLAYBOOK.yml \n\nBECOME password: <\/code><\/pre>\n\n\n\n
USING ANSIBLE-VAULT<\/span><\/h3>\n\n\n\n
Ansible-Vault: A secure way to specify the sudo password<\/h3>\n\n\n\n
1. Add variables to your Playbook<\/h3>\n\n\n\n
Add the following variables to your Playbook:<\/p>\n\n\n\n
  vars_files:\n    - ~\/.ansible\/my_vault.yml\n\n  vars:\n    ansible_become_pass: '{{ su_password }}'<\/code><\/pre>\n\n\n\n