Hi cdjny,
$ cat test.yaml
- name: Junos Set Password
  hosts: all
  roles:
    - Juniper.junos
  connection: local
  gather_facts: no
  tasks:
    - name: Build configuration
      template: src=jnprpass.conf.j2 dest=/tmp/{{ inventory_hostname }}.conf
    - name: Set Password
      juniper_junos_config:
        host: "{{ ansible_ssh_host }}"
        port: "{{ ansible_ssh_port }}"
        user: netadmin
        passwd: Juniper
        file: "/tmp/{{ inventory_hostname }}.conf"
        load: merge
  vars_files:
    - vault-variables.yaml
To execute the playbook:
$ ansible-playbook -i hosts test.yaml --ask-vault-pass
For the above playbook, the following Jinja2 template could be used, for example, which creates the root password using a clear text password value (can also be done using encrypted-password if that's desired). As usual, the password with a plain-text-password-value will still show up as a hash by Junos. However, it's recommended to use encrypted-password over clear-text password for better security.
$ cat jnprpass.conf.j2
system {
    root-authentication {
        plain-text-password-value "{{ clear_text_password }}";
    }
}
system {
    root-authentication {
        encrypted-password "{{ admin_password_hashed }}";
    }
}
The YAML data for the vars file could simply be as follows. Or you can even store the passwords in a vault-protected file.
$ ansible-vault create vault-variables.yaml
New Vault password:
Confirm New Vault password:
$ ansible-vault edit vault-variables.yaml
clear_text_password: Juniper
admin_password_hashed: "$1$fv3Ke4LT$10nlsy3SEJy5ainm.kPTd."
$ cat vault-variables.yaml
$ANSIBLE_VAULT;1.1;AES256
------------------------------
Hope this helps.
Regards,
-r.
------------------------------
Original Message:
Sent: 12-14-2020 15:45
From: Unknown User
Subject: Ansible and Changing Passwords
I am trying to set up an Ansible playbook to change user passwords in Juniper switches. I am using juniper_junos_config with a configuration file that includes the "plain-text-password" parameter, but it appears that it is not valid. Is there any way to use the "plain-text-password" parameter without forcing an interactive prompt?
What other methods can be used to change a user password via Ansible?
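
A pre-run check over the files shown in the reply above, as an added example that is not part of the original post or of the Juniper.junos role: it flags a literal `passwd:` in the playbook, the clear-text statement in the template, a vars file without the Vault header, and an MD5-crypt (`$1$`) hash. The function names and the policy of rejecting MD5-crypt are assumptions of this example.

```python
import re

# Constructed sample inputs, excerpted from the files shown in the post above.
PLAYBOOK = '''
    - name: Set Password
      juniper_junos_config:
        user: netadmin
        passwd: Juniper
        file: "/tmp/{{ inventory_hostname }}.conf"
'''
TEMPLATE = 'plain-text-password-value "{{ clear_text_password }}";'
VAULT_FILE = "$ANSIBLE_VAULT;1.1;AES256\n(ciphertext omitted)\n"
PAGE_HASH = "$1$fv3Ke4LT$10nlsy3SEJy5ainm.kPTd."

# crypt(3) scheme ids; rejecting md5-crypt is this example's policy choice.
SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}
WEAK = {"md5-crypt"}
CRYPT_RE = re.compile(
    r"^\$(\w+)\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]+$")
# A credential key whose value is a literal rather than a "{{ ... }}" lookup.
LITERAL_CRED_RE = re.compile(
    r"^\s*(passwd|password)\s*:\s*(?!['\"]?\{\{)(\S.*)$", re.M)


def check_hash(value):
    """Findings for a value destined for the encrypted-password statement."""
    m = CRYPT_RE.match(value)
    if not m:
        return ["not a crypt(3)-style hash"]
    name = SCHEMES.get(m.group(1))
    if name is None:
        return ["unrecognised scheme id: " + m.group(1)]
    return ["weak hash scheme: " + name] if name in WEAK else []


def audit(playbook, template, vault_file, hashed):
    """Hypothetical pre-run check over the playbook's input files."""
    findings = []
    if not vault_file.lstrip().startswith("$ANSIBLE_VAULT;"):
        findings.append("vars file is not vault-encrypted")
    for m in LITERAL_CRED_RE.finditer(playbook):
        findings.append("literal credential in playbook: " + m.group(1))
    if "plain-text-password-value" in template:
        findings.append("template renders a clear-text password to disk")
    return findings + check_hash(hashed)


if __name__ == "__main__":
    for finding in audit(PLAYBOOK, TEMPLATE, VAULT_FILE, PAGE_HASH):
        print("FINDING:", finding)
```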