add documentation for passwordstore usage #4219
Conversation
| @@ -41,6 +41,8 @@ If you **don't** use SSH keys for authentication, but rather a regular password, | |||
|
|
|||
| If you **do** use SSH keys for authentication, **and** use a non-root user to *become* root (sudo), you may need to add `-K` (`--ask-become-pass`) to all Ansible commands. | |||
|
|
|||
| If you use a password manager like `pass` or `gopass`, you can also add `ansible_become_password: "{{ lookup('community.general.passwordstore', 'path/to/password' }}"` to the hosts file. See the [documentation](https://docs.ansible.com/ansible/latest/collections/community/general/passwordstore_lookup.html) for more configuration options. | |||
There was a problem hiding this comment.
It's probably better to mention Ansible Vault and how one could use that, before nudging people to use other tools (plugins from the community collection that integrate with other password managers).
Naturally, one may wish to use another password manager for storing the Ansible Vault encryption passphrase, but still.. Storing various sensitive variables in Ansible Vault sounds like a better go-to choice for most people.
There was a problem hiding this comment.
Well, as a not-at-all-experienced Ansible user it took me two years to find out that there are more options than just --ask-become-pass, so I wanted to let more people know about this.
Yes, Ansible Vault as yet another option should definitely be mentioned in this documentation, but I would not call it a "better" option and then withheld the (go)pass way to go.
There was a problem hiding this comment.
By now I really need to point out, that using the (go)pass option works™ … but it obviously requests the password from the store again on every single task – which made the playbook run slow down tremendously. It just took ~90 minutes here. So yeah, you are probably right. This should not be the second best option to be mentioned in the docs 😅
No description provided.