https://community.cisco.com/t5/tools/ansible-privilege-escalation/m-p/4932225#M3399 <P>Hi Marcel.</P><P>I chose the path of creating Vault file containing the encrypted password:</P><P>&nbsp;</P><P>&nbsp; vars_files:</P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;- /home/ciscoUser/Ansible/vault_password.yml</P><P>&nbsp; vars:</P><P>&nbsp; &nbsp; &nbsp; ansible_become_pass: "{{ vault_sudo_password }}"</P><P>&nbsp; &nbsp; &nbsp; ansible_python_interpreter: /usr/bin/python3</P><P>&nbsp;</P><P>Thanks,</P><P>Martin</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 02 Oct 2023 05:01:41 GMT Netmart 2023-10-02T05:01:41Z https://community.cisco.com/t5/tools/ansible-privilege-escalation/m-p/4908549#M3379 <P>Hello,</P><P>I wanted to add config changes to to Cisco IOS XE.</P><P>When on node also enable password is set up, how is Ansible able to access privilege level to add for example a loopback interface.</P><P>I found the following.</P><P>&nbsp;</P><P>vars/ios.yml<FONT size="2"><A title="Permalink to this heading" href="https://docs.ansible.com/ansible/latest/network/user_guide/platform_ios.html#example-cli-group-vars-ios-yml" target="_blank" rel="noopener"></A></FONT></P><DIV class=""><DIV class=""><PRE><SPAN class="">ansible_connection</SPAN><SPAN class="">:</SPAN> <SPAN class="">ansible.netcommon.network_cli</SPAN> <SPAN class="">ansible_network_os</SPAN><SPAN class="">:</SPAN> <SPAN class="">cisco.ios.ios</SPAN> <SPAN class="">ansible_user</SPAN><SPAN class="">:</SPAN> <SPAN class="">myuser</SPAN> <SPAN class="">ansible_password</SPAN><SPAN class="">:</SPAN> <SPAN class="">!vault...</SPAN> <SPAN class="">ansible_become</SPAN><SPAN class="">:</SPAN> <SPAN class="">true</SPAN> <SPAN class="">ansible_become_method</SPAN><SPAN class="">:</SPAN> <SPAN class="">enable</SPAN> <SPAN class="">ansible_become_password</SPAN><SPAN class="">:</SPAN> <SPAN class="">!vault...</SPAN> <SPAN class="">ansible_ssh_common_args</SPAN><SPAN class="">:</SPAN> <SPAN class="">'-o</SPAN> <SPAN class="">ProxyCommand="ssh</SPAN> <SPAN class="">-W</SPAN> <SPAN class="">%h:%p</SPAN> <SPAN class="">-q</SPAN> <SPAN class="">bastion01"</SPAN></PRE></DIV></DIV><P>However, I am wondering what the best practice is to get into&nbsp;<SPAN>Enable Mode (</SPAN><SPAN>(Privilege Escalation).</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks,</SPAN></P><P><SPAN>Netmart</SPAN></P><P>&nbsp;</P> Mon, 21 Aug 2023 03:48:56 GMT https://community.cisco.com/t5/tools/ansible-privilege-escalation/m-p/4908549#M3379 Netmart 2023-08-21T03:48:56Z https://community.cisco.com/t5/tools/ansible-privilege-escalation/m-p/4908569#M3380 <P>Hi Netmart</P> <P>What you found is how it's done - regarding the enable password (and any other password) - best practice is using a vault encrypted password (like in your example) or get the password from an envioronment variable (in the example the enable password is stored in the variable EN_PASSWORD):</P> <PRE><SPAN class="nt">ansible_become</SPAN><SPAN class="p">:</SPAN> <SPAN class="l l-Scalar l-Scalar-Plain">true</SPAN> <SPAN class="nt">ansible_become_method</SPAN><SPAN class="p">:</SPAN> <SPAN class="l l-Scalar l-Scalar-Plain">enable</SPAN> <SPAN class="nt">ansible_become_password: "{{ lookup( ansible.builtin.env , EN_PASSWORD) }}"</SPAN></PRE> <P>&nbsp;</P> Mon, 21 Aug 2023 05:23:16 GMT https://community.cisco.com/t5/tools/ansible-privilege-escalation/m-p/4908569#M3380 Marcel Zehnder 2023-08-21T05:23:16Z https://community.cisco.com/t5/tools/ansible-privilege-escalation/m-p/4932225#M3399 <P>Hi Marcel.</P><P>I chose the path of creating Vault file containing the encrypted password:</P><P>&nbsp;</P><P>&nbsp; vars_files:</P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;- /home/ciscoUser/Ansible/vault_password.yml</P><P>&nbsp; vars:</P><P>&nbsp; &nbsp; &nbsp; ansible_become_pass: "{{ vault_sudo_password }}"</P><P>&nbsp; &nbsp; &nbsp; ansible_python_interpreter: /usr/bin/python3</P><P>&nbsp;</P><P>Thanks,</P><P>Martin</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 02 Oct 2023 05:01:41 GMT https://community.cisco.com/t5/tools/ansible-privilege-escalation/m-p/4932225#M3399 Netmart 2023-10-02T05:01:41Z