ansible.builtin.password (v2.16.5) — lookup

retrieve or generate a random password, stored in a file

Added in version 1.1 of ansible.builtin

Authors: Daniel Hokka Zakrisson <daniel@hozac.com>, Javier Candeira <javier@candeira.com>, Maykel Moya <mmoya@speedyrails.com>

Install Ansible via pip

Install with pip install ansible-core==2.16.5

Description

Generates a random plaintext password and stores it in a file at a given filepath.

If the file already exists, the lookup retrieves its contents, behaving just like with_file.

Using variables such as "{{ inventory_hostname }}" in the filepath sets up random passwords per host, which simplifies password management in "host_vars" variables.

A special case is using /dev/null as a path. The password lookup will generate a new random password each time, but will not write it to /dev/null. This can be used when you need a password without storing it on the controller.

Usage examples

- name: create a mysql user with a random password
  community.mysql.mysql_user:
    name: "{{ client }}"
    password: "{{ lookup('ansible.builtin.password', 'credentials/' + client + '/' + tier + '/' + role + '/mysqlpassword', length=15) }}"
    priv: "{{ client }}_{{ tier }}_{{ role }}.*:ALL"
- name: create a mysql user with a random password using only ascii letters
  community.mysql.mysql_user:
    name: "{{ client }}"
    password: "{{ lookup('ansible.builtin.password', '/tmp/passwordfile', chars=['ascii_letters']) }}"
    priv: '{{ client }}_{{ tier }}_{{ role }}.*:ALL'
- name: create a mysql user with an 8 character random password using only digits
  community.mysql.mysql_user:
    name: "{{ client }}"
    password: "{{ lookup('ansible.builtin.password', '/tmp/passwordfile', length=8, chars=['digits']) }}"
    priv: "{{ client }}_{{ tier }}_{{ role }}.*:ALL"
- name: create a mysql user with a random password using many different char sets
  community.mysql.mysql_user:
    name: "{{ client }}"
    password: "{{ lookup('ansible.builtin.password', '/tmp/passwordfile', chars=['ascii_letters', 'digits', 'punctuation']) }}"
    priv: "{{ client }}_{{ tier }}_{{ role }}.*:ALL"
- name: create lowercase 8 character name for Kubernetes pod name
  ansible.builtin.set_fact:
    random_pod_name: "web-{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_lowercase', 'digits'], length=8) }}"
- name: create random but idempotent password
  ansible.builtin.set_fact:
    password: "{{ lookup('ansible.builtin.password', '/dev/null', seed=inventory_hostname) }}"
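The last example above seeds the generator with inventory_hostname, so the result is only as unpredictable as the seed. The following Python sketch is an added example, not code from Ansible or from this page: generate() is a simplified model that assumes a seeded call uses a deterministic PRNG and an unseeded call uses the OS random source, and the host names and credential map are constructed sample data.

```python
import math
import random
import string

# Defaults listed on this page: 20 characters from letters, digits and ".,:-_".
DEFAULT_CHARS = string.ascii_letters + string.digits + ".,:-_"
DEFAULT_LENGTH = 20


def generate(length=DEFAULT_LENGTH, chars=DEFAULT_CHARS, seed=None):
    """Simplified model (assumption): seeded -> deterministic PRNG, unseeded -> OS CSPRNG."""
    rng = random.SystemRandom() if seed is None else random.Random(seed)
    return "".join(rng.choice(chars) for _ in range(length))


def effective_bits(length, chars, seed_candidates=None):
    """Upper bound on guessing work in bits.

    Unseeded: length * log2(alphabet size). Seeded: anyone able to list the
    possible seeds needs at most log2(len(seed_candidates)) bits of work,
    whatever the password length.
    """
    charset_bits = length * math.log2(len(set(chars)))
    if seed_candidates is None:
        return charset_bits
    return min(charset_bits, math.log2(len(seed_candidates)))


def hosts_with_derivable_password(current, inventory):
    """Audit helper: hosts whose current password equals generate(seed=hostname)."""
    return sorted(h for h, pw in current.items()
                  if h in inventory and pw == generate(seed=h))


# Constructed sample inventory and credential map (not real data).
INVENTORY = ["web01", "web02", "db01", "db02"]
CURRENT = {
    "web01": generate(seed="web01"),  # as with seed=inventory_hostname
    "web02": generate(seed="web02"),
    "db01": generate(),               # unseeded
    "db02": generate(),
}

if __name__ == "__main__":
    print(hosts_with_derivable_password(CURRENT, INVENTORY))
    print(round(effective_bits(DEFAULT_LENGTH, DEFAULT_CHARS), 1))
    print(effective_bits(DEFAULT_LENGTH, DEFAULT_CHARS, INVENTORY))
```

A seed keeps the lookup idempotent without a stored file, but the seed then has to be treated as the secret; a host name or any other inventory value is not one.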

Inputs

    
seed:
    description:
    - A seed to initialize the random number generator.
    - Identical seeds will yield identical passwords.
    - Use this for random-but-idempotent password generation.
    type: str
    version_added: '2.12'
    version_added_collection: ansible.builtin

chars:
    default:
    - ascii_letters
    - digits
    - .,:-_
    description:
    - A list of names that compose a custom character set in the generated passwords.
    - This parameter defines the possible character sets in the resulting password, not
      the required character sets. If you want to require certain character sets for passwords,
      you can use the P(community.general.random_string#lookup) lookup plugin.
    - 'By default generated passwords contain a random mix of upper and lowercase ASCII
      letters, the numbers 0-9, and punctuation (". , : - _").'
    - They can be either parts of Python's string module attributes or represented literally
      ( :, -).
    - 'Though string modules can vary by Python version, valid values for both major releases
      include: ''ascii_lowercase'', ''ascii_uppercase'', ''digits'', ''hexdigits'', ''octdigits'',
      ''printable'', ''punctuation'' and ''whitespace''.'
    - Be aware that Python's 'hexdigits' includes lower and upper case versions of a-f,
      so it is not a good choice as it doubles the chances of those values for systems
      that won't distinguish case, distorting the expected entropy.
    - When using a comma-separated string, enter a comma by using two commas ',,' somewhere,
      preferably at the end. Quotes and double quotes are not supported.
    elements: str
    type: list
    version_added: '1.4'
    version_added_collection: ansible.builtin

ident:
    description:
    - Specify version of Bcrypt algorithm to be used while using O(encrypt) as V(bcrypt).
    - The parameter is only available for V(bcrypt) - U(https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html#passlib.hash.bcrypt).
    - Other hash types will simply ignore this parameter.
    - 'Valid values for this parameter are: V(2), V(2a), V(2y), V(2b).'
    type: string
    version_added: '2.12'
    version_added_collection: ansible.builtin

_terms:
    description:
    - path to the file that stores/will store the passwords
    required: true

length:
    default: 20
    description: The length of the generated password.
    type: integer

encrypt:
    description:
    - Which hash scheme to encrypt the returning password, should be one hash scheme from
      C(passlib.hash); V(md5_crypt), V(bcrypt), V(sha256_crypt), V(sha512_crypt).
    - If not provided, the password will be returned in plain text.
    - Note that the password is always stored as plain text, only the returning password
      is encrypted.
    - Encrypt also forces saving the salt value for idempotence.
    - Note that before 2.6 this option was incorrectly labeled as a boolean for a long
      time.
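Two notes under chars above can be put into numbers: 'hexdigits' is biased once case is ignored, and chars lists the allowed character sets rather than the required ones. The following Python sketch is an added example, not Ansible's code; expand_chars() is a hypothetical helper that follows the rule stated above (a string module attribute name, otherwise a literal) and assumes entries are concatenated without removing duplicates.

```python
import math
import string
from collections import Counter


def expand_chars(names):
    """Each entry is a `string` module attribute name or, failing that, a literal.

    Assumption: entries are concatenated as-is, duplicates included.
    """
    parts = []
    for name in names:
        value = getattr(string, name, name)
        parts.append(value if isinstance(value, str) else name)
    return "".join(parts)


def entropy_per_char(chars, case_insensitive=False):
    """Return (shannon_bits, min_entropy_bits) for one uniformly drawn character."""
    pool = chars.lower() if case_insensitive else chars
    probs = [count / len(pool) for count in Counter(pool).values()]
    shannon = -sum(p * math.log2(p) for p in probs)
    return shannon, -math.log2(max(probs))


def p_missing_class(chars, char_class, length):
    """Probability that a password of `length` has no character from char_class."""
    outside = sum(1 for c in chars if c not in char_class)
    return (outside / len(chars)) ** length


# Default chars as listed on this page.
DEFAULT = expand_chars(["ascii_letters", "digits", ".,:-_"])

if __name__ == "__main__":
    # 'hexdigits' read by a case-insensitive system: a-f are twice as likely as 0-9.
    print(entropy_per_char(expand_chars(["hexdigits"]), case_insensitive=True))
    # The same alphabet given as a literal: uniform, 4 bits per character.
    print(entropy_per_char(expand_chars(["digits", "abcdef"]), case_insensitive=True))
    # Share of default 20-character passwords that contain no digit at all.
    print(p_missing_class(DEFAULT, string.digits, 20))
```

With the defaults, roughly 4% of generated passwords contain no digit, which is why a target system that enforces character classes needs a generator that can require them.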

Outputs

_raw:
  description:
  - a password
  elements: str
  type: list