This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.

  • 1.  Ansible and Changing Passwords

    Posted 12-14-2020 15:46
    I am trying to setup an Ansible playbook to change user passwords in Juniper switches.  I am using juniper_junos_config with a configuration file that includes the "plain-text-password" parameter, but it appears that it is not valid.  Is there anyway to use the "plain-text-password" parameter without forcing an interactive prompt?

    What other methods can be used to change a user password via Ansible?

  • 2.  RE: Ansible and Changing Passwords
    Best Answer

    Posted 12-15-2020 05:21
    Hi cdjny,

    You can consider using Ansible vault to store passwords or variables and call them in your playbook: Encrypting content with Ansible Vault - Ansible Documentation

    Here is an example of Ansible playbook, courtesy @asharp.

    $ cat test.yaml
    - name: Junos Set Password
      hosts: all
        - Juniper.junos
      connection: local
      gather_facts: no
        - name: Build configuration
          template: src=jprpass.conf.j2 dest=/tmp/{{ inventory_hostname }}.conf
        - name: Set Password
            host: "{{ ansible_ssh_host }}"
            port: "{{ ansible_ssh_port }}"
            user: netadmin
            passwd: Juniper
            file: "/tmp/{{ inventory_hostname }}.conf"
            load: merge
      - vault-variables.yaml
    To execute the playbook:
    $ ansible-playbook -i hosts site.yaml --ask-vault-pass
    For the above plyboo, the following Jinja2 template could be used for example, which creates the root password using a clear text password value (can also be done using encrypted-password if that's desired).  As usual, the password with a plain-text-password-value willl still show up as a hash by Junos.  However, it's recommended to use encrypted-password over clear-text password for better security. 
    $ cat jnprpass.conf.j2
    system {
      root-authentication {
        plain-text-password-value "{{ clear_text_password }}";
    system {
      root-authentication {
        encrypted-password "{{ admin_password_hashed }}";

    The YAML data used for the vars file could be used simply as follows.  Or even store passwords in a vault protected file.
    $ ansible-vault create vault-variables.yaml
    New Vault password:
    Confirm New Vault password:
    $ ansible-vault edit vault-variables.yaml
    clear_text_password: Juniper
    admin_password_hashed: "$1$fv3Ke4LT$10nlsy3SEJy5ainm.kPTd."
    $ cat vault-variables.yaml

    Hope this helps.



    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).

  • 3.  RE: Ansible and Changing Passwords

    Posted 12-15-2020 16:26
    Thank you so much!  I was missing the "value" at the end of "plain-text-password".  Is "plain-text-password-value" documented anywhere?