Expand all | Collapse all

Ansible and Changing Passwords

Jump to Best Answer
  • 1.  Ansible and Changing Passwords

    Posted 12-14-2020 15:46
    I am trying to setup an Ansible playbook to change user passwords in Juniper switches.  I am using juniper_junos_config with a configuration file that includes the "plain-text-password" parameter, but it appears that it is not valid.  Is there anyway to use the "plain-text-password" parameter without forcing an interactive prompt?

    What other methods can be used to change a user password via Ansible?

  • 2.  RE: Ansible and Changing Passwords
    Best Answer

    Posted 12-15-2020 05:21
    Hi cdjny,

    You can consider using Ansible vault to store passwords or variables and call them in your playbook: Encrypting content with Ansible Vault - Ansible Documentation

    Here is an example of Ansible playbook, courtesy @asharp.

    $ cat test.yaml
    - name: Junos Set Password
      hosts: all
        - Juniper.junos
      connection: local
      gather_facts: no
        - name: Build configuration
          template: src=jprpass.conf.j2 dest=/tmp/{{ inventory_hostname }}.conf
        - name: Set Password
            host: "{{ ansible_ssh_host }}"
            port: "{{ ansible_ssh_port }}"
            user: netadmin
            passwd: Juniper
            file: "/tmp/{{ inventory_hostname }}.conf"
            load: merge
      - vault-variables.yaml
    To execute the playbook:
    $ ansible-playbook -i hosts site.yaml --ask-vault-pass
    For the above plyboo, the following Jinja2 template could be used for example, which creates the root password using a clear text password value (can also be done using encrypted-password if that's desired).  As usual, the password with a plain-text-password-value willl still show up as a hash by Junos.  However, it's recommended to use encrypted-password over clear-text password for better security. 
    $ cat jnprpass.conf.j2
    system {
      root-authentication {
        plain-text-password-value "{{ clear_text_password }}";
    system {
      root-authentication {
        encrypted-password "{{ admin_password_hashed }}";

    The YAML data used for the vars file could be used simply as follows.  Or even store passwords in a vault protected file.
    $ ansible-vault create vault-variables.yaml
    New Vault password:
    Confirm New Vault password:
    $ ansible-vault edit vault-variables.yaml
    clear_text_password: Juniper
    admin_password_hashed: "$1$fv3Ke4LT$10nlsy3SEJy5ainm.kPTd."
    $ cat vault-variables.yaml

    Hope this helps.



    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).

  • 3.  RE: Ansible and Changing Passwords

    Posted 12-15-2020 16:26
    Thank you so much!  I was missing the "value" at the end of "plain-text-password".  Is "plain-text-password-value" documented anywhere?