Saturday, 29 November 2025

Ansible - 4. Different ways to authenticate while invoking a playbook

In this demo, we will explore various authentication methods available when invoking an Ansible playbook.

oel01db is my Ansible control machine, and 192.168.0.156 (oel02db) is my managed node.

Below is my inventory file and playbook.

[oracle@oel01db ansible-project]$ cat inventory/hosts
[db_servers]
192.168.0.156
[oracle@oel01db ansible-project]$ cat playbooks/setup.yml

---

- name: Check uptime on Linux hosts

  hosts: db_servers

  gather_facts: no

  tasks:

    - name: Check uptime on Linux hosts

      command: uptime

      register: uptime_value

    - name: Display uptime on Linux hosts

      debug:

        msg: "{{ uptime_value.stdout }}"

[oracle@oel01db ansible-project]$

[oracle@oel01db ansible-project]$ ssh oracle@192.168.0.156
oracle@192.168.0.156's password:
Last login: Wed Jul 30 06:05:54 2025 from oel01db
[oracle@oel02db ~]$

✅ Option 1 — Prompt for the password on the command line (--ask-pass)

[oracle@oel01db ansible-project]$ ansible-playbook -i inventory/hosts playbooks/setup.yml --ask-pass
SSH password:

PLAY [Check uptime on Linux hosts] ******************************************************************************************************************************************************

TASK [Check uptime on Linux hosts] ******************************************************************************************************************************************************
[WARNING]: Platform linux on host 192.168.0.156 is using the discovered Python interpreter at /usr/bin/python, but future installation of another Python interpreter could change this.
See https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information.
changed: [192.168.0.156]

TASK [Display uptime on Linux hosts] ****************************************************************************************************************************************************
ok: [192.168.0.156] => {
    "msg": " 07:06:27 up 22:15,  3 users,  load average: 0.03, 0.05, 0.01"
}

PLAY RECAP ******************************************************************************************************************************************************************************
192.168.0.156              : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

[oracle@oel01db ansible-project]$


If your playbook uses sudo (become: yes), also add --ask-become-pass:

ansible-playbook -i inventory/hosts playbooks/setup.yml --ask-pass --ask-become-pass

This will ask:

SSH password:
BECOME password:

✅ Option 2 — Add username & password in inventory (permanent)

[oracle@oel01db ansible-project]$ cat inventory/hosts
[db_servers]
192.168.0.156 ansible_user=oracle ansible_ssh_pass=oracle
[oracle@oel01db ansible-project]$
[oracle@oel01db ansible-project]$ ansible-playbook -i inventory/hosts playbooks/setup.yml

PLAY [Check uptime on Linux hosts] ******************************************************************************************************************************************************

TASK [Check uptime on Linux hosts] ******************************************************************************************************************************************************
[WARNING]: Platform linux on host 192.168.0.156 is using the discovered Python interpreter at /usr/bin/python, but future installation of another Python interpreter could change this.
See https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information.
changed: [192.168.0.156]

TASK [Display uptime on Linux hosts] ****************************************************************************************************************************************************
ok: [192.168.0.156] => {
    "msg": " 07:09:05 up 22:17,  3 users,  load average: 0.02, 0.06, 0.02"
}

PLAY RECAP ******************************************************************************************************************************************************************************
192.168.0.156              : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

[oracle@oel01db ansible-project]$


To suppress the interpreter-discovery [WARNING] shown above, add the parameter below to ansible.cfg under the [defaults] section.

[root@oel01db ~]# vi /etc/ansible/ansible.cfg
[root@oel01db ~]#
[root@oel01db ~]# cat /etc/ansible/ansible.cfg |grep -i interpreter_python
interpreter_python = auto_silent
[root@oel01db ~]#

✅ Option 3 — Add username/password to playbook


[oracle@oel01db ansible-project]$ cat inventory/hosts
[db_servers]
192.168.0.156
[oracle@oel01db ansible-project]$
[oracle@oel01db ansible-project]$ cat playbooks/setup.yml
---

- name: Check uptime on Linux hosts

  hosts: db_servers

  gather_facts: no

  vars:
    ansible_user: oracle
    ansible_ssh_pass: oracle

  tasks:

    - name: Check uptime on Linux hosts

      command: uptime

      register: uptime_value

    - name: Display uptime on Linux hosts

      debug:

        msg: "{{ uptime_value.stdout }}"
[oracle@oel01db ansible-project]$

[oracle@oel01db ansible-project]$ ansible-playbook -i inventory/hosts playbooks/setup.yml

PLAY [Check uptime on Linux hosts] ******************************************************************************************************************************************************

TASK [Check uptime on Linux hosts] ******************************************************************************************************************************************************
changed: [192.168.0.156]

TASK [Display uptime on Linux hosts] ****************************************************************************************************************************************************
ok: [192.168.0.156] => {
    "msg": " 07:21:07 up 22:29,  3 users,  load average: 0.00, 0.00, 0.00"
}

PLAY RECAP ******************************************************************************************************************************************************************************
192.168.0.156              : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

[oracle@oel01db ansible-project]$


✅ Option 4 — Update the variable section in the inventory file


[oracle@oel01db ansible-project]$ vi inventory/hosts
[oracle@oel01db ansible-project]$ cat inventory/hosts
[db_servers]
192.168.0.156

[all:vars]
ansible_user=oracle
ansible_ssh_pass=oracle
[oracle@oel01db ansible-project]$

[all:vars] means "variables applied to ALL hosts in the inventory."


[oracle@oel01db ansible-project]$  ansible-playbook -i inventory/hosts playbooks/setup.yml

PLAY [Check uptime on Linux hosts] ******************************************************************************************************************************************************

TASK [Check uptime on Linux hosts] ******************************************************************************************************************************************************
changed: [192.168.0.156]

TASK [Display uptime on Linux hosts] ****************************************************************************************************************************************************
ok: [192.168.0.156] => {
    "msg": " 07:42:49 up 22:51,  3 users,  load average: 0.16, 0.07, 0.02"
}

PLAY RECAP ******************************************************************************************************************************************************************************
192.168.0.156              : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

[oracle@oel01db ansible-project]$
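
Options 2 to 4 leave the SSH password as a literal in the inventory or playbook, readable by anyone who can read those files or the repository they are committed to. The script below is an added example, not part of the original post: it scans a project tree for such literals and goes slightly beyond the page by also checking ansible_password and the become-password variables. The function names, the file names hosts_allvars and hosts_vaulted, and the variable vault_ssh_pass are assumptions made for the example.

```sh
#!/bin/sh
# Added example: report literal Ansible passwords without echoing their values.

# Connection and privilege-escalation password variables that Ansible reads.
PASS_VARS='ansible_ssh_pass|ansible_password|ansible_become_pass|ansible_become_password'

# Prints "file:line:variable" per finding; returns 1 if any literal was found.
find_plaintext_ansible_passwords() {
    hits=$(find "$1" -type f ! -path '*/.git/*' -exec awk -v vars="$PASS_VARS" '
        BEGIN { re = "(" vars ")[ \t]*[=:][ \t]*" }
        /^[ \t]*[#;]/ { next }                    # skip comment lines
        {
            rest = $0
            while (match(rest, re)) {             # several variables may share a host line
                name = substr(rest, RSTART, RLENGTH)
                sub(/[ \t]*[=:].*/, "", name)
                rest = substr(rest, RSTART + RLENGTH)
                # Empty, !vault-encrypted or templated ({{ ... }}) values are not literals.
                if (rest == "" || rest ~ /^!vault/ || rest ~ /^.?[{][{]/) continue
                printf "%s:%d:%s\n", FILENAME, FNR, name
            }
        }' {} +)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample project: the files from Options 2-4 plus one inventory that
# references a hypothetical vault-encrypted variable (vault_ssh_pass).
make_sample_project() {
    d=$(mktemp -d)
    mkdir -p "$d/inventory" "$d/playbooks"
    printf '%s\n' '[db_servers]' '192.168.0.156 ansible_user=oracle ansible_ssh_pass=oracle' > "$d/inventory/hosts"
    printf '%s\n' '[all:vars]' 'ansible_user=oracle' 'ansible_ssh_pass=oracle' > "$d/inventory/hosts_allvars"
    printf '%s\n' '- hosts: db_servers' '  vars:' '    ansible_user: oracle' '    ansible_ssh_pass: oracle' > "$d/playbooks/setup.yml"
    printf '%s\n' '[all:vars]' 'ansible_ssh_pass="{{ vault_ssh_pass }}"' > "$d/inventory/hosts_vaulted"
    printf '%s\n' "$d"
}

proj=$(make_sample_project)
find_plaintext_ansible_passwords "$proj" || echo "literal passwords found in $proj"
rm -rf "$proj"
```

Run against a real project directory from CI or a pre-commit hook, the non-zero return status can be used to stop a commit that contains a literal password.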

✅ Option 5 — SSH key-based authentication (cleanest and correct way)


First, create an SSH key pair on the control machine, then transfer the public key to the managed machine using the ssh-copy-id command. If that tool is not available, you can manually append the public key to the authorized_keys file on the managed host.

[oracle@oel01db ansible-project]$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_rsa.
Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Pesalh7IpCrBGAzcKQIwwQVY/HRh4LY/97GORGV5zQw oracle@oel01db.mydb.com
The key's randomart image is:
+---[RSA 4096]----+
|@==.o.o.    E    |
|+=.+...    . =   |
|+ .oo.    + . +  |
|.. ...   + .     |
|o.  . . S o      |
|o.   = o . o     |
| .  . = B o      |
|.  .   * * o     |
| ..     +o=      |
+----[SHA256]-----+
[oracle@oel01db ansible-project]$
[oracle@oel01db ansible-project]$
[oracle@oel01db ansible-project]$ cat inventory/hosts
[db_servers]
192.168.0.156
[oracle@oel01db ansible-project]$ ssh-copy-id oracle@192.168.0.156
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/oracle/.ssh/id_rsa.pub"
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
oracle@192.168.0.156's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'oracle@192.168.0.156'"
and check to make sure that only the key(s) you wanted were added.

[oracle@oel01db ansible-project]$
[oracle@oel01db ansible-project]$ ssh oracle@192.168.0.156
Last login: Wed Jul 30 07:29:15 2025
[oracle@oel02db ~]$

[oracle@oel01db ansible-project]$ cat inventory/hosts
[db_servers]
192.168.0.156
[oracle@oel01db ansible-project]$
[oracle@oel01db ansible-project]$ cat playbooks/setup.yml
---

- name: Check uptime on Linux hosts

  hosts: db_servers

  gather_facts: no

  tasks:

    - name: Check uptime on Linux hosts

      command: uptime

      register: uptime_value

    - name: Display uptime on Linux hosts

      debug:

        msg: "{{ uptime_value.stdout }}"
[oracle@oel01db ansible-project]$


[oracle@oel01db ansible-project]$ ansible-playbook -i inventory/hosts playbooks/setup.yml

PLAY [Check uptime on Linux hosts] ******************************************************************************************************************************************************

TASK [Check uptime on Linux hosts] ******************************************************************************************************************************************************
changed: [192.168.0.156]

TASK [Display uptime on Linux hosts] ****************************************************************************************************************************************************
ok: [192.168.0.156] => {
    "msg": " 07:34:38 up 22:43,  3 users,  load average: 0.00, 0.00, 0.00"
}

PLAY RECAP ******************************************************************************************************************************************************************************
192.168.0.156              : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

[oracle@oel01db ansible-project]$

Note that, by default, Ansible relies on your system's standard SSH behavior. This means it automatically tries the default private key files for the connecting user, typically:

  • ~/.ssh/id_rsa
  • ~/.ssh/id_dsa
  • ~/.ssh/id_ecdsa
  • ~/.ssh/id_ed25519

Because the key we generated and copied to oel02db is one of these default keys, and we are running the Ansible playbook as the user who owns that key, Ansible should find it automatically.

If you want to use a non-default SSH private key for a specific host, update inventory/hosts with the content below:

192.168.0.156 ansible_ssh_private_key_file=/path/to/privatekey
